Troubleshooting EAP-TLS with External Certificates

Matthew West matthew.t.west at gmail.com
Thu Aug 25 01:35:01 CEST 2016


Hello Alan and All,

I've started over with my FreeRADIUS implementation with the newer
version to simplify troubleshooting my issue.  My implementation is in
a 'successful' state and I would like to verify my next steps to
ensure I don't miss anything before attempting to use external certs.
I've been successful using 'snakeoil' and self-signed certificates;
now I'm trying to get FreeRADIUS to work with externally generated
certificates, as all of the users I'm authenticating already have
e-mail/auth certs for themselves.

My progress:
---
Install and Test of FreeRADIUS
==============================
1. Installed/Configured CentOS 7 (CentOS7-x86_64-1511)
    a. Disabled SELinux
    b. Disabled firewalld
    c. Set up Networking
    d. Changed hostname
2. Installed FreeRADIUS v3 (x86_64 0:3.0.4-6.el7)
    a. Installed freeradius
    b. Installed freeradius-utils
    c. Installed openssl
    d. Installed wpasupplicant
3. Configure FreeRADIUS for testing PAP
    a. Enabled 'bob' test user
    b. radtest with 'bob' - SUCCESS
4. Configure FreeRADIUS for testing EAP
    a. made certificates
    b. eapol_test using 'peap-mschapv2.conf' - SUCCESS

Add RADIUS Client and Test
==========================
1. Configure Cisco Switch
    a. Added AAA server and shared secret to switch
    b. Added switch IP and shared secret to clients.conf
2. Tested EAPOL on Switch
    a. 'test aaa group radius bob hello port 1812 legacy'
    b. Result:
        'Attempting authentication test to server-group radius using radius
        User was successfully authenticated.'
3. MS-CHAPv2 is working from the switch with a test user! - SUCCESS
---

Here are my next steps, I want to make sure I didn't miss anything
before moving forward, as I'm in a 'good' state:
1. Server
    a. Copy server certificate to /certs directory (star.company.net.crt)
    b. Copy server key to /certs directory (star.company.net.key)
    c. Copy CA cert to /certs directory (gd_bundle-g2-g1.crt)
    d. Configure /mods-enabled/eap.conf to certificate files
2. Client
    a. Import CA file to trusted certificate store
    b. Test Connectivity

Are there any steps I've missed?  Do I need to keep the 'dh' in /certs/?

Thank you for your help,

Matthew
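A pre-flight check of the three files listed under "Server" above, added here as an example and not part of the thread. It assumes the file names from the post and, so that it runs offline, builds a constructed throwaway CA and server certificate with openssl instead of using the real bundle; check 4 reproduces the "verify error:num=19" seen in the quoted supplicant log when the CA is not yet trusted.

```shell
#!/bin/sh
# Pre-flight checks on the three files the tls section of eap will point at:
# server cert, server key and the CA bundle handed to supplicants.
# Runs offline by building a constructed throwaway CA + server cert in a
# temp dir; point CA/CERT/KEY at the real files to check a deployment.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/gd_bundle-g2-g1.crt"      # CA bundle clients must trust (constructed here)
CERT="$WORK/star.company.net.crt"   # server certificate (constructed here)
KEY="$WORK/star.company.net.key"    # server private key (constructed here)

make_constructed_pki() {
  # self-signed root CA with CA:TRUE so openssl accepts it as an issuer
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  openssl x509 -req -days 2 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/ca.ext" -out "$CA" 2>/dev/null
  # server key + CSR, signed by the CA with the serverAuth EKU
  openssl req -newkey rsa:2048 -nodes -subj "/CN=*.company.net" \
    -keyout "$KEY" -out "$WORK/srv.csr" 2>/dev/null
  printf 'extendedKeyUsage=serverAuth\n' >"$WORK/srv.ext"
  openssl x509 -req -days 1 -in "$WORK/srv.csr" -CA "$CA" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/srv.ext" -out "$CERT" 2>/dev/null
}

# 1. The server cert must chain to exactly the bundle the clients will import.
chain_verifies() { openssl verify -CAfile "$CA" "$CERT" >/dev/null 2>&1; }

# 2. The key must belong to the cert; compare the two SubjectPublicKeyInfo blobs.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$CERT")" = "$(openssl pkey -pubout -in "$KEY")" ]
}

# 3. Supplicants (Windows especially) reject a server cert without the
#    TLS Web Server Authentication EKU, so external certs must carry it.
has_server_auth_eku() {
  openssl x509 -noout -text -in "$CERT" | grep -q "TLS Web Server Authentication"
}

# 4. Reproduce the supplicant log quoted in the thread: if the CA is only seen
#    in the chain and not trusted, verification ends in X509 error 19
#    ("self signed certificate in certificate chain"), hence the unknown_ca alert.
untrusted_ca_gives_error_19() {
  openssl verify -untrusted "$CA" "$CERT" 2>&1 | grep -q "error 19"
}

make_constructed_pki
chain_verifies && key_matches_cert && has_server_auth_eku \
  && untrusted_ca_gives_error_19 && echo "all pre-flight checks passed"
```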

On Fri, Aug 5, 2016 at 9:30 AM, Matthew West <matthew.t.west at gmail.com> wrote:
> Hi Alan,
>
> Thank you for your response.  I appreciate all the work you put into
> this project and your reply.
>
>>   That's the root cause of the problem.  You have a CA on the server, but haven't put the CA cert on the supplicant.
>> You MUST do that in order to get EAP-TLS to work.
>
>>  See http://deployingradius.com/ for detailed instructions.
>
> I've used your site, solely, as a resource to set up FreeRADIUS.  I've
> also used the wiki, but your site seems to work best.  Thank you for
> helping me interpret the output.  I'll post back with my results.
>
> Much appreciated,
>
> Matthew
>
> On Fri, Aug 5, 2016 at 5:33 AM, Alan DeKok <aland at deployingradius.com> wrote:
>> On Aug 4, 2016, at 11:12 PM, Matthew West <matthew.t.west at gmail.com> wrote:
>>>
>>> Follow up to last e-mail.  Needed to use a different cert chain and
>>> have uploaded that to the server.  Tried to authorize again and got a
>>> similar error, below.  It appears the output means that the handshake
>>> failed due to a self-signed certificate in the chain.
>>
>>   No.  Please read *all* of the messages.
>>
>>> Thank you,
>>>
>>> Matthew
>>>
>>> [tls] Done initial handshake
>>> [tls] <<< TLS 1.0 Handshake [length 11fa], Certificate
>>> --> verify error:num=19:self signed certificate in certificate chain
>>> [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
>>> TLS Alert write:fatal:unknown CA
>>
>>   That's the root cause of the problem.  You have a CA on the server, but haven't put the CA cert on the supplicant.  You MUST do that in order to get EAP-TLS to work.
>>
>>   See http://deployingradius.com/ for detailed instructions.
>>
>>   Alan DeKok.
>>
