AD Auth Question

Martin, Jeremy jmartin at emcc.edu
Mon Jan 1 16:26:58 CET 2018


Alan

Great info. I will grab the files from the source online and run eapol_test. Not sure what you mean by: which store?

And finally: 

>> I would use the certificates on NPS that I generated for FR to prove but the system would not use them as the name of that host does not match the certificate and you can’t specify a non matched certificate to be used in NPS.

>note that the host name has nothing to do with the cert name in the RADIUS/EAP world - it's just a certificate that is being presented to the client, which is checked locally for basic things - unlike e.g. web (HTTPS), where DNS etc. is used to check that things match.

>it's usually a quite basic/overlooked thing that causes these initial issues..... then you just carry on and forget about the issue until something similar hits you the next time you create a server ;-)

Correct, that is why I tried the NPS cert on FR; I was just stating that I can't try the FR cert on NPS.

Here's hoping that this is not an OpenSSL or OpenSSL library issue, as that pretty much means I am going to be stuck with two different types of RADIUS servers, but I will hopefully know more after the additional testing that you provided.

Thanks

Jeremy 

-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+jmartin=emcc.edu at lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Monday, January 1, 2018 10:10 AM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: AD Auth Question

hi,

> So at this point I am beyond certain that I have valid certificates and that those are trusted.  The ca is the ca for the domain and the server certificate has the correct oid attributes to support the authentication, they paths on the server have been verified and as previously mentioned I have even used certs from my Windows NPS server on this server to make sure trust and certs were good.

if FR starts up and doesn't complain or chuck errors about certs (and in the debug output you will see the file it's reading), then the issue lies elsewhere - could be an OpenSSL issue, could be that the OpenSSL libraries are not negotiating with your client correctly

> I think there is little disagreement that the issue is on the challenge/response part, as comparing the trace and the event log of the client has the client generating the "Explicit EAP failure received". When I mentioned disabling validation on the client I am referring to the need for the client to validate the trust of the certificates being used by the server, i.e. under the client's 802.1X profile on the security tab, properties and then "Verify the server's identity by validating the certificate". In this case I know the certificate I have specified is valid and issued from a trusted CA; my question really is how do I validate that FR is actually using the certificate and is generating valid data using the specified certificate, as the behavior of the client seems to indicate that it is not, as I know the following:

okay - easy check here - use eapol_test (it's part of the wpa_supplicant package) - FreeRADIUS comes with example files to use with eapol_test (in the src/tests directory of the main source code archive)
take the relevant one - e.g. the PEAP test, modify it to your requirements and then use eapol_test with the local server cert saving option - you will then see what's going on, e.g. with eapol_test running on the FR server itself

eapol_test -c eap-peap.conf -s testing123 -a 127.0.0.1 -o ca_cert.pem

(arguments might not be quite correct... this is from memory and the last time I used that command was a couple of months back)

now read/check that ca_cert.pem (openssl x509 -in ca_cert.pem -noout -text)

> 4. When viewing the certificate of FR on the client (file copy) the certificate indicates that it is trusted and has the correct extended use attributes

which store?

> I would use the certificates on NPS that I generated for FR to prove but the system would not use them as the name of that host does not match the certificate and you can’t specify a non matched certificate to be used in NPS.

note that the host name has nothing to do with the cert name in the RADIUS/EAP world - it's just a certificate that is being presented to the client, which is checked locally for basic things - unlike e.g. web (HTTPS), where DNS etc. is used to check that things match.

it's usually a quite basic/overlooked thing that causes these initial issues..... then you just carry on and forget about the issue until something similar hits you the next time you create a server ;-)

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
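The checks a supplicant actually applies to the certificate that eapol_test saves with -o, written out as an added example (this is not code from either poster or from the FreeRADIUS project). It assumes the third-party `cryptography` package and an RSA-signed chain; with no arguments it builds a throwaway CA and server certificate in memory (constructed sample data), and with two PEM file arguments it checks a real saved server certificate against your CA file. It deliberately performs no DNS or host-name comparison, which is the point made above: the client only validates the presented certificate against its trusted CA, the validity window, and the Server Authentication EKU.

```python
"""Check a RADIUS/EAP server certificate the way an 802.1X supplicant does.

Added example for this thread, not code from the list posters or the
FreeRADIUS project. Needs the third-party `cryptography` package. With no
arguments it builds a throwaway CA and server certificate (constructed sample
data); with two file arguments (server.pem ca.pem) it checks a real chain,
e.g. the file saved by `eapol_test -o` against your CA certificate.
"""
import datetime
import sys

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

SERVER_AUTH = ExtendedKeyUsageOID.SERVER_AUTH  # OID 1.3.6.1.5.5.7.3.1


def _validity(cert):
    """(not_before, not_after) as naive UTC datetimes across cryptography versions."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is None:
        return cert.not_valid_before, cert.not_valid_after
    return nb.replace(tzinfo=None), cert.not_valid_after_utc.replace(tzinfo=None)


def check_eap_server_cert(cert_pem, ca_pem, now=None):
    """Return {check_name: bool} for a PEM server cert and the PEM CA it should chain to.

    No DNS/host-name check on purpose: an EAP client validates only the presented
    certificate against its trusted CA, so the RADIUS host name need not match
    the certificate name. Only the first certificate in cert_pem is examined.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    cert = x509.load_pem_x509_certificate(cert_pem)
    ca = x509.load_pem_x509_certificate(ca_pem)
    results = {"issued_by_trusted_ca": False}
    # 1. Issuer name matches the CA and the CA key verifies the signature (RSA PKCS#1 v1.5 assumed).
    if cert.issuer == ca.subject:
        try:
            ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
            results["issued_by_trusted_ca"] = True
        except InvalidSignature:
            pass
    # 2. The certificate must be inside its validity window right now.
    not_before, not_after = _validity(cert)
    results["valid_now"] = not_before <= now <= not_after
    # 3. EKU must include Server Authentication; Windows PEAP clients reject certs without it.
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        results["has_server_auth_eku"] = SERVER_AUTH in eku
    except x509.ExtensionNotFound:
        results["has_server_auth_eku"] = False
    results["ok"] = all(results.values())
    return results


def make_test_pki(server_cn="radius.example.test", with_server_auth=True):
    """Construct a throwaway CA and server certificate (sample data, not a real PKI)."""
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    ca_cert = (x509.CertificateBuilder()
               .subject_name(ca_name).issuer_name(ca_name)
               .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(days=1))
               .not_valid_after(now + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
               .sign(ca_key, hashes.SHA256()))
    srv_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    # The subject CN is arbitrary here: nothing below compares it with a host name.
    builder = (x509.CertificateBuilder()
               .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, server_cn)]))
               .issuer_name(ca_name)
               .public_key(srv_key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(days=1))
               .not_valid_after(now + datetime.timedelta(days=90)))
    eku = [SERVER_AUTH] if with_server_auth else [ExtendedKeyUsageOID.CLIENT_AUTH]
    srv_cert = builder.add_extension(x509.ExtendedKeyUsage(eku), critical=False).sign(ca_key, hashes.SHA256())
    return (srv_cert.public_bytes(serialization.Encoding.PEM),
            ca_cert.public_bytes(serialization.Encoding.PEM))


if __name__ == "__main__":
    if len(sys.argv) == 3:  # real files, e.g. the chain saved by eapol_test -o and the CA cert
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            server_pem, ca_pem = f.read(), g.read()
    else:
        server_pem, ca_pem = make_test_pki()
    for name, passed in check_eap_server_cert(server_pem, ca_pem).items():
        print(f"{name:24s} {'PASS' if passed else 'FAIL'}")
```

A FAIL on has_server_auth_eku with everything else passing is the classic cause of the "Explicit EAP failure received" a Windows client logs while FreeRADIUS itself shows nothing wrong with the certificate files.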