Server certificate confusion

Nick Howitt nick at howitts.co.uk
Thu Apr 19 21:48:23 CEST 2018 


On 19/04/2018 20:40, Nick Howitt wrote:
>
>
> On 19/04/2018 19:28, Alan Buxey wrote:
>> eapol_test never used to be part of the installed wpa_supplicant package
>> but various distros have changed their policy and now provide it (after
>> tickets being submitted from people like myself).
>>
>> Freeradius comes with several config scripts that can be used with
>> eapol_test (in src/test)
>>
>> alan
>>
>> On Thu, 19 Apr 2018, 18:12 Stefan Winter, <stefan.winter at restena.lu> 
>> wrote:
>>
>>> Hello,
>>>
>>> Now that's something to investigate.
>>>
>>> AFAIK, FreeRADIUS sends the certificate it has in config to the client.
>>> It doesn't check anything special (beyond well-formedness of the PEM 
>>> file).
>>>
>>> The error you are seeing in freeradius -X is most likely because
>>> FreeRADIUS /receives/ this error message from the /client/.
>>>
>>> If it were a genuine error inside FreeRADIUS, things wouldn't work for
>>> Windows clients.
>>>
>>> So you should probably take a very close look at eapol_test's debug
>>> output. If it is the one rejecting the incoming TLS server cert, 
>>> then it
>>> will print out something. If you're unlucky, it will just print the 
>>> same
>>> error message it is afterwards also sending to the server, but with a
>>> bit of luck there is a bit more detail on its side.
>>>
>>> You aren't by any chance doing this work for an eduroam participant? If
>>> so, our compliance check tools could be unleashed on the IdP 
>>> FreeRADIUS;
>>> I'd only need to know the realm then.
>>>
>>> Also, eapol_test is part of the wpa_supplicant suite (but indeed not
>>> compiled by all distros). So your self-compiled version was just as 
>>> good
>>> as the distro-supplied you now have.
>>>
>>> And the wpa_supplicant.conf is also being considered when using
>>> eapol_test. I'm surprised you get an EAP conversation going with a
>>> config file that has only two lines? You are relying on plentiful of
>>> defaults there. You would usually need to configure at least a username
>>> to use for the login attempt? Where do you supply that?
>>>
>>> Greetings,
>>>
>>> Stefan Winter
>>>
>>> Greetings,
>>>
>>> Stefan Winter
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>> -
>> List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/users.html
> This is all my bad as I try to deconstruct what my distro is doing. 
> First to answer some of your queries, I am running eapol_test with the 
> following command:
>
>    eapol_test -a10.0.2.15 -p1812 -sSEKRET
>    -ceapol_test-eaptls-standard.conf -r0
>
> and the conf file contains:
>
>    network={
>         ssid="DoesNotMatterForThisTest"
>         key_mgmt=WPA-EAP
>         eap=TLS
>         identity="test"
>         password="test"
>         ca_cert="/etc/raddb/certs/ca.pem"
>         client_cert="/etc/raddb/certs/test at example.org.pem"
>         private_key="/etc/raddb/certs/test at example.org.pem"
>         private_key_passwd="whatever"
>         eapol_flags=3
>    }
>
> It is now working correctly. The problem I had was that the distro 
> does not create a client.pem in its own certificate structure so I was 
> linking to the server.pem and this worked fine without the certificate 
> extensions. When I flipped back to the default installation and certs 
> I was still pointing my client cert to the server.pem file albeit in 
> the correct folder. Changing it to the correct client.pem and all 
> works. So a big sorry for wasting your time.
>
> But if you can help me with my other issue I'd really appreciate it. 
> In a domain environment, the user_name appears as 
> "user/machine.domain" and for the life of me I cannot find out how to 
> strip the machine.domain off. Bear in mind the "machine" changes with 
> every client so it could be laptop1.domain or desktopXYZ.domain. From 
> other posts it seems like I need to use proxy.conf but I can't work 
> out how. Even if I hardcode a realm as machine.domain, it does not 
> seem to strip it with:
>
>    realm machine.domain {
>           auth_pool = my_auth_failover
>    }
>
>  I've also seen a reference to a LOCAL realm but I don't understand 
> what to do with it.
>
> Nick
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
Oh and I know nothing about eduroam. I am interested in the ClearOS 
distro where the installation script is not doing as expected (so I am 
debugging it) and we can achieve a simple login but not a domain login.

More information about the Freeradius-Users mailing list