Authenication with certifiactes

Tue Jul 3 10:16:40 CEST 2012

Hello!

alan buxey <A.L.M.Buxey at lboro.ac.uk> wrote:

> Hi,
> 
> > I have no luck with this. I read in some articles to make an AP with
> > Radius-Authentication, one should create cerificates with 'make all'
> > in the certs-directory after editing the ca.cnf and server.cnf and 
> > copy the ca.pem to the client.
> 
> ..that would be to ensure that you can configure the client to trust the 
> RADIUS server - as they are both signed by the same CA

OK

> 
> > Where can I read what other possibilites there are to authorize a client
> > for an AP using a radiusserver as backend.
> 
> it depends what you want to do. you were talking about authenticating
> using a certificate - that would be EAP-TLS (or EAP-PEAP/TLS or EAP-TTLS/TLS)
> which means the client uses a certificate

OK

I wonder what other possibilities than certificates there are to authorize
a client to a network using WLAN. Like Hotspots, internet cafes and hotels
for example. I mean, handing over a certifacte to a client on an USB-stick
seems unpracticable to me.

[ ... snipp ]

> > But I do not get a lease from the AP.
> 
> thats because, as you can read, you never got an Access-Accept. the flow above
> shows that
> your request arrived at the server....the server is configured to use MD5 by default
> in the inner-tunnel (so change that to the method you will use most eg TTLS) and
> so the server send a NAK. the client was then put through using TTLS but the server
> sent an Access-Challenge that never got answered....which is in the FAQ - the client
> doesnt trust the server. you need to ensure that you have added the CA in the right
> certificate store on the client..... as this is 802.1X a quick hint - do a google
> search for 'eduroam configuring client' you should find countless examples from Universities
> worldwide on how to configure a client for doing this sort of thing....some sites will
> have step by step instructions so you can see how to do it on windows XP/Vista/7 OSX 10.6 etc
> 
> ..and a favour in return..if you find any sites that DONT tell the users to check the CA
> and put the right name in the verification box, then please email me ;-)
> 
> > Strange, where can I read about this?
> 
> EAP-TLS HOWTO, or google for EAP-TLS - I find it quite worrying that people are
> blocked from internet search engines
> 
> > > 4) EAP-TLS is plain/simple method - thus checking against SQL for passwords is wrong
> > 
> > Ok, disabled SQL and made entries in the users file.
> 
> ..but from what you said above (using TTLS) - there is nothing wrong with using MySQL/postgreSQL
> etc
> 
> though we DO advise people to start simple. start with users file rather than some fancy backend
> storage. once you see things working and have things in a working state, THEN bring in the good stuff(tm)
> 
> > > 5) upgrade - 2.1.9 is hideously old, 2.1.12 contains bug fixes and security fixes.
> > 
> > allright, will do that if I can see some land in this ocean
> 
> I would start with the upgrade first - the cerfificate make files got some fixes
> and improvements too! ;-)

So I followed your hint and compiled and installed freeradius-server-2.1.12.
Created new certificates and changed md5 to ttls in eap.conf and the client.conf
to accept my client.
I configured the Linux-Client with Yast to connect to the AP using the ca.pem.
The handshake works and I get a lease. Now this is great! The NetworkManager didn't
do it.
> 
> alan

Thank you very much for your initial help! Now I can go on examinng the server.

  Andreas