TTLS+PAP with Windows

Herman Øie Kolden herman at samfundet.no
Fri Mar 17 00:39:48 CET 2017


On Tue, Mar 14, 2017 at 12:56:08AM +0100, Herman Øie Kolden wrote:

> I am running FreeRADIUS 2.2.5 on Debian 8.7 (Jessie). The RADIUS server
> is using TTLS+PAP.
> 
> I am trying to find a good way to authenticate the server to Windows
> clients. With macOS, Linux, Android etc., I am using a custom self-signed CA
> certificate. On these devices it is possible to specify that this
> certificate is only usable for a specific SSID. However, for Windows I
> have found no way to accomplish this. To make it work, I have to install
> the CA certificate in the "Trusted Root CA" store. This is rather
> inconvenient.

First of all, thanks to everyone for your responses. I have found a
solution:

Make two eap modules, eap-pub and eap-priv, using certificates signed by
LE and our private CA, respectively.

Then, in outer-tunnel, I specify

authorize {
	...
	if ( "%{User-Name}" == "windows" ) {
		eap-pub {
			ok = return
		}
	}
	else {
		eap-priv {
			ok = return
		}
	}
	...
}

I am not very acquainted with FreeRADIUS config, so I am probably doing
this in an ugly way, but the main idea is as follows: for Windows
clients, install a profile with Anonymous identity "windows". For
non-Windows clients, have Anonymous identity be something else.

With this, I accomplish the following:
1. Windows users install a profile that uses the LE Root CA to verify
"radius.example.com"
2. Non-Windows users install a profile/config that uses our private CA to
verify a non-specified server URL

Some security concerns that have been mentioned:

1. Wouldn't this allow any server using an LE cert to impersonate my
RADIUS server?
* No. Non-Windows clients still use the private CA. Windows users specify
  the server URL in the profile, so only an LE cert for radius.example.com
  works.

2. Wouldn't this allow any client with an LE cert to be authenticated?
* No. Client authentication in my organization doesn't use client
  certificates. To be extra certain of this, I have removed the
  "CA_file" option entirely.

I know this solution is kind of random, and possibly a misuse of
Anonymous identity. However, we don't utilize this field anyways, and it
works!

Please enlighten me if this is an abomination, or if I have
misunderstood anything :)



-- 
Herman Øie Kolden
Trondheim, Norway
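
A check for the "CA_file" step in the message above, as an added example that is not part of the original post or of FreeRADIUS: it parses brace-nested module configuration and reports, per eap instance, the server certificate and whether CA_file is still set. The instance names follow the post; the sample text, file paths and function names are assumptions made for the example.

```python
# Constructed sample in FreeRADIUS 2.x module syntax. Instance names follow the
# post; paths are placeholders. eap-priv keeps CA_file so the audit flags it.
SAMPLE = """
eap eap-pub {
	tls {
		certificate_file = ${certdir}/le-fullchain.pem
		# CA_file = ${cadir}/ca.pem
	}
}
eap eap-priv {
	tls {
		certificate_file = ${certdir}/private-ca-server.pem
		CA_file = ${cadir}/ca.pem
	}
}
"""

def parse_sections(text):
    """Return {section path tuple: {key: value}} for brace-nested config text."""
    stack, out = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; assumes no '#' in values
        if line.endswith("{"):
            stack.append(" ".join(line[:-1].split()))  # e.g. "eap eap-pub", "tls"
            out.setdefault(tuple(stack), {})
        elif line == "}" and stack:
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            out.setdefault(tuple(stack), {})[key] = value
    return out

def audit_eap_tls(text):
    """Map each eap instance to its server certificate and CA_file (None if absent)."""
    report = {}
    for path, items in parse_sections(text).items():
        head = path[0].split() if path else []
        if len(path) == 2 and path[1] == "tls" and head[:1] == ["eap"]:
            report[head[-1]] = {"certificate_file": items.get("certificate_file"),
                                "CA_file": items.get("CA_file")}
    return report

def instances_with_ca_file(text):
    """Names of eap instances whose tls section still sets CA_file."""
    return sorted(name for name, r in audit_eap_tls(text).items() if r["CA_file"])

if __name__ == "__main__":
    print("CA_file still set in:", instances_with_ca_file(SAMPLE))
```

To audit a real installation, pass the contents of the file that defines the eap instances instead of SAMPLE.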

