Authentication with certificates

alan buxey A.L.M.Buxey at lboro.ac.uk
Mon Jul 2 23:32:20 CEST 2012


Hi,

> I have no luck with this. I read in some articles to make an AP with
> Radius-Authentication, one should create certificates with 'make all'
> in the certs-directory after editing the ca.cnf and server.cnf and 
> copy the ca.pem to the client.

..that would be to ensure that you can configure the client to trust the 
RADIUS server - as they are both signed by the same CA

> Where can I read what other possibilities there are to authorize a client
> for an AP using a RADIUS server as backend.

it depends what you want to do. you were talking about authenticating
using a certificate - that would be EAP-TLS (or EAP-PEAP/TLS or EAP-TTLS/TLS)
which means the client uses a certificate

> I just attached the AP to eth0 accessible with 192.168.1.254, activated the
> DHCP-Server and tried to get authorization with a notebook using WPA-Enterprise
> and the ca.cert. I disabled sql now in the Radius-Server and get this, when
> I access from the notebook with TTLS and PAP:
> 
> rad_recv: Access-Request packet from host 192.168.1.254 port 2048, id=3, length=159
>         User-Name = "christiane"
>         NAS-IP-Address = 192.168.1.254
>         NAS-Port = 0
>         Called-Station-Id = "B0-48-7A-F8-A1-19:gehackt"
>         Calling-Station-Id = "00-22-B0-E7-D9-9B"
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-802.11
>         Connect-Info = "CONNECT 0Mbps 802.11"
>         EAP-Message = 0x0200000f0163687269737469616e65
>         Message-Authenticator = 0x63fa52067e6106e6299499e8e42249ee
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "christiane", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 0 length 15
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> [files] users: Matched entry christiane at line 95
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type md5
> rlm_eap_md5: Issuing Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 3 to 192.168.1.254 port 2048
>         EAP-Message = 0x010100160410cde74bbeeec3a19a037d5b4fe57f4c97
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x4fb647db4fb74330423119a23041222a
> Finished request 2.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.1.254 port 2048, id=4, length=168
>         User-Name = "christiane"
>         NAS-IP-Address = 192.168.1.254
>         NAS-Port = 0
>         Called-Station-Id = "B0-48-7A-F8-A1-19:gehackt"
>         Calling-Station-Id = "00-22-B0-E7-D9-9B"
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-802.11
>         Connect-Info = "CONNECT 0Mbps 802.11"
>         EAP-Message = 0x020100060315
>         State = 0x4fb647db4fb74330423119a23041222a
>         Message-Authenticator = 0x64f323aa1f0f8335cc75e1ec3690a536
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "christiane", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 1 length 6
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> [files] users: Matched entry christiane at line 95
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] Found existing Auth-Type, not changing it.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP NAK
> [eap] EAP-NAK asked for EAP-Type/ttls
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> Sending Access-Challenge of id 4 to 192.168.1.254 port 2048
>         EAP-Message = 0x010200061520
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x4fb647db4eb45230423119a23041222a
> Finished request 3.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 2 ID 3 with timestamp +130
> Cleaning up request 3 ID 4 with timestamp +130
> Ready to process requests.
> 
> But I do not get a lease from the AP.

that's because, as you can read, you never got an Access-Accept. the flow above
shows that your request arrived at the server....the server is configured to use
MD5 by default in the inner-tunnel (so change that to the method you will use most,
eg TTLS) and so the server sent a NAK. the client was then put through using TTLS
but the server sent an Access-Challenge that never got answered....which is in the
FAQ - the client doesn't trust the server. you need to ensure that you have added
the CA in the right certificate store on the client..... as this is 802.1X, a quick
hint - do a Google search for 'eduroam configuring client' and you should find
countless examples from universities worldwide on how to configure a client for
doing this sort of thing....some sites will have step-by-step instructions so you
can see how to do it on Windows XP/Vista/7, OSX 10.6 etc.

..and a favour in return..if you find any sites that DON'T tell the users to check the CA
and put the right name in the verification box, then please email me ;-)

> Strange, where can I read about this?

EAP-TLS HOWTO, or google for EAP-TLS - I find it quite worrying that people are
blocked from internet search engines

> > 4) EAP-TLS is plain/simple method - thus checking against SQL for passwords is wrong
> 
> Ok, disabled SQL and made entries in the users file.

..but from what you said above (using TTLS) - there is nothing wrong with using MySQL/postgreSQL
etc

though we DO advise people to start simple. start with users file rather than some fancy backend
storage. once you see things working and have things in a working state, THEN bring in the good stuff(tm)

> > 5) upgrade - 2.1.9 is hideously old, 2.1.12 contains bug fixes and security fixes.
> 
> all right, will do that if I can see some land in this ocean

I would start with the upgrade first - the certificate make files got some fixes
and improvements too! ;-)

alan
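To make the EAP flow in the debug output above concrete, here is an added Python decoder (not from the original thread or from FreeRADIUS) for the four EAP-Message attribute values it contains: it parses the EAP header and method type and shows the server first offering MD5-Challenge (type 4), the client answering with a NAK asking for type 21 (TTLS), the server then sending a TTLS Start, and no EAP-Success anywhere in the capture. The type-number names come from RFC 3748 and RFC 5281; the note strings are this example's own wording.

```python
import struct

# EAP codes and method types seen in the captured exchange (RFC 3748, RFC 5281)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}
TLS_FLAG_START = 0x20  # the S (Start) bit in the EAP-TLS/TTLS flags byte


def decode_eap_message(hexstr):
    """Decode one EAP-Message attribute value as printed by radiusd -X (0x...)."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length %d does not match %d bytes" % (length, len(raw)))
    msg = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                  # Success/Failure carry no type byte
        return msg
    eap_type = raw[4]
    msg["type"] = EAP_TYPES.get(eap_type, eap_type)
    data = raw[5:]
    if eap_type == 1:                   # Identity: the user name in clear text
        msg["identity"] = data.decode("utf-8", "replace")
    elif eap_type == 3:                 # Nak: the types the peer is willing to do
        msg["desired_types"] = [EAP_TYPES.get(t, t) for t in data]
    elif eap_type == 4:                 # MD5-Challenge: value-size, then challenge
        msg["challenge"] = data[1:1 + data[0]].hex()
    elif eap_type in (13, 21, 25):      # TLS-based methods: flags byte comes first
        msg["start"] = bool(data[0] & TLS_FLAG_START)
    return msg


def explain_exchange(messages):
    """Decode a sequence of EAP-Message values and flag a NAK of the offered type."""
    decoded = [decode_eap_message(m) for m in messages]
    notes = []
    for prev, cur in zip(decoded, decoded[1:]):
        if cur.get("type") == "Nak" and prev["code"] == "Request":
            wanted = ", ".join(str(t) for t in cur["desired_types"])
            notes.append("client refused %s, wants %s" % (prev["type"], wanted))
    if not any(d["code"] == "Success" for d in decoded):
        notes.append("no EAP-Success: conversation did not complete")
    return decoded, notes


# The four EAP-Message values copied from the debug output quoted above.
CAPTURED = [
    "0x0200000f0163687269737469616e65",
    "0x010100160410cde74bbeeec3a19a037d5b4fe57f4c97",
    "0x020100060315",
    "0x010200061520",
]

if __name__ == "__main__":
    decoded, notes = explain_exchange(CAPTURED)
    for d in decoded:
        print(d)
    for n in notes:
        print("note:", n)
```

The first note is the NAK Alan describes; setting the server's default EAP type to the method the clients actually use avoids that extra round trip, and the missing Success is the Access-Challenge that the untrusting client never answered.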

