Ivan,<br><br>I already do that with the Juniper Access Client. The problem is that the client certificate has the user's name as the Common Name and that is sent in the clear. PEAP/EAP-TLS sends the user's certificate through the tunnel obviating the issue. I admit this isn't a large problem but it would be a nice feature to have.<br>
<br>Jason<br><br><div class="gmail_quote">2008/12/9 <span dir="ltr"><<a href="mailto:tnt@kalik.net">tnt@kalik.net</a>></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<a href="http://wiki.freeradius.org/EAP" target="_blank">http://wiki.freeradius.org/EAP</a><br>
<br>
You should be able to set anonymous as user name for outer tunnel EAP-TLS<br>
negotiation on the supplicant and use EAP-TLS with identity hidden.<br>
<br>
Ivan Kalik<br>
Kalik Informatika ISP<br>
<br>
<br>
On 9/12/2008, "Jason Wittlin-Cohen" <<a href="mailto:jwittlincohen@gmail.com">jwittlincohen@gmail.com</a>> wrote:<br>
<div><div></div><div class="Wj3C7c"><br>
>I'm attempting to setup PEAPv0/EAP-TLS which uses EAP-TLS as the inner<br>
>authentication method within PEAP. Unlike EAP-TLS, PEAPv0/EAP-TLS sends the<br>
>client certificate within the secure SSL tunnel, thus protecting the user's<br>
>identity. While RFC-5216 suggests that EAP-TLS can optionally support a<br>
>privacy mode in which the client certificate is pushed through the SSL<br>
>tunnel, I've not found any way to enable this option. I have no particular<br>
>interest in using PEAPv0/EAP-TLS other than the fact that I know it does<br>
>what I want to accomplish. I would be perfectly happy to use EAP-TLS in<br>
>Privacy mode, or PEAPv0/MSCHAPv2 with a required client certificate.<br>
>However, both these modes pass the client certificate in the clear.<br>
><br>
>Here's what my testing has shown:<br>
><br>
>EAP-TLS: Works with both Windows XP Supplicant and Juniper Odyssey Access<br>
>Client 4.8<br>
>PEAPv0/EAP-MSCHAPv2- Works with both Windows XP Supplicant and Juniper<br>
>Odyssey Access Client 4.8<br>
>PEAPv0/EAP-MSCHAPv2 + Required Client Certificate- Works with Juniper<br>
>Odyssey Access Client 4.8 (XP Supplicant doesn't support MSCHAPv2 +<br>
>Certificate)<br>
>PEAPv0/EAP-TLS- Fails on both supplicants<br>
><br>
>I don't think my TLS settings are improper, as both EAP-TLS and<br>
>PEAPv0/MS-CHAPv2 + Client Certificate work fine. The debug logs show the<br>
>client certificate verified properly.<br>
><br>
>I've tried pretty much every combination of PEAP options, and after each<br>
>permutation I forced a reauthentication so that I could analyze the packets<br>
>in Wireshark. No combination of settings forced the client certificate<br>
>through the SSL tunnel. I thought " use_tunneled_reply = yes" might<br>
>help, but it did not.<br>
><br>
>I have pasted the relevant configuration settings below as well as a full<br>
>log of the failure when I attempt to use PEAPv0/EAP-TLS.<br>
>The relevant settings: Other than default_eap_type = "tls", my settings are<br>
>identical for PEAPv0/EAP-MSCHAPv2 which works fine.<br>
><br>
>The failure log seems to suggest that "tls" is not a supported<br>
>authentication mode within PEAP.<br>
><br>
>[files] users: Matched entry DEFAULT at line 200<br>
>++[files] returns ok<br>
>++[expiration] returns noop<br>
>++[logintime] returns noop<br>
>[pap] Found existing Auth-Type, not changing it.<br>
>++[pap] returns noop<br>
>Found Auth-Type = EAP<br>
>+- entering group authenticate {...}<br>
>*rlm_eap: No EAP session matching the State variable.*<br>
>*[eap] Either EAP-request timed out OR EAP-response to an unknown<br>
>EAP-request*<br>
>[eap] Failed in handler<br>
>++[eap] returns invalid<br>
>Failed to authenticate the user.<br>
>Login incorrect: [Jason Wittlin-Cohen] (from client Wireless port 0 via TLS<br>
>tunnel)<br>
>} # server inner-tunnel<br>
>[peap] Got tunneled reply code 3<br>
>[peap] Got tunneled reply RADIUS code 3<br>
>[peap] Tunneled authentication was rejected.<br>
>[peap] FAILURE<br>
><br>
>*PEAPv0/EAP-TLS Failure Log: *<a href="http://pastebin.com/m900e269" target="_blank">http://pastebin.com/m900e269</a><br>
>*PEAPv0/MSCHAPv2 Success Log:* <a href="http://pastebin.com/m16114697" target="_blank">http://pastebin.com/m16114697</a><br>
>*PEAPv0/MSCHAPv2+Cert Success Log: *<a href="http://pastebin.com/m429d9c12" target="_blank">http://pastebin.com/m429d9c12</a><br>
>*EAP-TLS Success Log:* <a href="http://pastebin.com/m2b1c62f4" target="_blank">http://pastebin.com/m2b1c62f4</a><br>
><br>
>Relevant Settings:<br>
><br>
> eap {<br>
><br>
> default_eap_type = "peap"<br>
> timer_expire = 60<br>
> ignore_unknown_eap_types = no<br>
> cisco_accounting_username_bug = no<br>
> max_sessions = 2048<br>
> }<br>
> Module: Linked to sub-module rlm_eap_tls<br>
> Module: Instantiating eap-tls<br>
> tls {<br>
> rsa_key_exchange = no<br>
> dh_key_exchange = yes<br>
> rsa_key_length = 512<br>
> dh_key_length = 3072<br>
> verify_depth = 0<br>
> pem_file_type = yes<br>
> private_key_file = "/etc/freeradius/certs/server_key.pem"<br>
> certificate_file = "/etc/freeradius/certs/server_cert.pem"<br>
> CA_file = "/etc/freeradius/certs/cacert.pem"<br>
> dh_file = "/etc/freeradius/certs/dh3072.pem"<br>
> random_file = "/etc/freeradius/certs/random"<br>
> fragment_size = 1024<br>
> include_length = yes<br>
> check_crl = no<br>
> cipher_list = "HIGH"<br>
> make_cert_command = "/etc/freeradius/certs/bootstrap"<br>
> cache {<br>
> enable = no<br>
><br>
> peap {<br>
> default_eap_type = "tls"<br>
> copy_request_to_tunnel = no<br>
> use_tunneled_reply = yes<br>
> proxy_tunneled_request_as_eap = no<br>
> virtual_server = "inner-tunnel"<br>
> }<br>
><br>
> Module: Linked to sub-module rlm_eap_mschapv2<br>
> Module: Instantiating eap-mschapv2<br>
> mschapv2 {<br>
> with_ntdomain_hack = no<br>
><br>
>modules mschap:<br>
><br>
> Module: Instantiating mschap<br>
> mschap {<br>
> use_mppe = yes<br>
> require_encryption = yes<br>
> require_strong = yes<br>
> with_ntdomain_hack = no<br>
> }<br>
><br>
>Users:<br>
><br>
>"DEFAULT" Cleartext-Password := "**************************************",<br>
>EAP-TLS-Require-Client-Cert := Yes<br>
><br>
>Note: (*'s represent a 32 character randomly generated password)<br>
><br>
>Thanks in advance,<br>
><br>
>Jason<br>
><br>
>--<br>
>Jason Wittlin-Cohen<br>
>Yale Law School, Class of 2010<br>
><a href="mailto:jason.wittlin-cohen@yale.edu">jason.wittlin-cohen@yale.edu</a><br>
><br>
><br>
<br>
</div></div>-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>Jason Wittlin-Cohen<br>Yale Law School, Class of 2010<br><a href="mailto:jason.wittlin-cohen@yale.edu">jason.wittlin-cohen@yale.edu</a><br>
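As an added example (not code from the thread or from FreeRADIUS), the script below parses a FreeRADIUS-style eap.conf fragment and reports the settings that bear on the two points discussed above: whether the client certificate's Subject travels outside the TLS tunnel, and whether client certificates are actually checked for revocation. The sample configuration is constructed to mirror the tls and peap blocks quoted in the thread (with the braces the mail client dropped restored); the option meanings follow the comments in the stock eap.conf, and the outer_identity_anonymous flag is an assumption supplied by the caller because the server configuration cannot know what the supplicants send as their outer identity.

```python
"""Audit a FreeRADIUS 2.x-style eap.conf fragment for settings that bear on
client-certificate privacy and certificate validation.

Added example for this thread, not FreeRADIUS code. Option meanings follow
the comments in the stock eap.conf; the sample below is constructed to mirror
the settings quoted in the thread, with the braces the mail client dropped
restored."""
import re

SAMPLE_CONF = """
eap {
    default_eap_type = "peap"
    tls {
        rsa_key_exchange = no
        rsa_key_length = 512
        private_key_file = "/etc/freeradius/certs/server_key.pem"
        certificate_file = "/etc/freeradius/certs/server_cert.pem"
        CA_file = "/etc/freeradius/certs/cacert.pem"
        check_crl = no
        cipher_list = "HIGH"
        cache {
            enable = no
        }
    }
    peap {
        default_eap_type = "tls"
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
}
"""

_OPEN = re.compile(r'^([A-Za-z_][\w-]*)\s*\{$')
_KV = re.compile(r'^([A-Za-z_][\w-]*)\s*=\s*(.+)$')


def parse_conf(text):
    """Parse the brace-delimited config syntax into nested dicts; scalar
    values are kept as strings with surrounding double quotes stripped."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line == '}':
            if len(stack) == 1:
                raise ValueError('unbalanced closing brace')
            stack.pop()
            continue
        m = _OPEN.match(line)
        if m:
            child = {}
            stack[-1][m.group(1)] = child
            stack.append(child)
            continue
        m = _KV.match(line)
        if m:
            stack[-1][m.group(1)] = m.group(2).strip().strip('"')
            continue
        raise ValueError('unparsed line: %r' % raw)
    if len(stack) != 1:
        raise ValueError('unclosed section')
    return root


def _yes(value):
    return str(value).lower() in ('yes', 'on', 'true', '1')


def audit_eap(conf, outer_identity_anonymous=False):
    """Return (severity, message) findings for the eap { } section.

    outer_identity_anonymous (assumed input) says whether supplicants send a
    placeholder outer EAP-Identity; the server config cannot tell us that."""
    eap = conf.get('eap', {})
    tls, peap = eap.get('tls', {}), eap.get('peap', {})
    out = []
    # Identity exposure. In plain EAP-TLS (TLS 1.2 and earlier) the client
    # certificate is sent before the handshake is encrypted, so its Subject
    # is readable on the wire regardless of the outer EAP-Identity string.
    if eap.get('default_eap_type') == 'tls':
        out.append(('low', 'outer EAP-TLS: client certificate subject is sent '
                           'unencrypted; an anonymous outer identity hides only '
                           'the EAP-Identity string'))
    if peap.get('default_eap_type') == 'tls':
        out.append(('info', 'PEAP inner method is tls: the client certificate '
                            'is exchanged inside the outer TLS tunnel'))
    if not outer_identity_anonymous:
        out.append(('low', 'outer EAP-Identity carries the real user name; '
                           'configure an anonymous outer identity on supplicants'))
    # Certificate validation.
    if not tls.get('CA_file'):
        out.append(('high', 'no CA_file: client certificates have no trust anchor'))
    if not _yes(tls.get('check_crl', 'no')):
        out.append(('medium', 'check_crl = no: revoked client certificates are '
                              'still accepted'))
    # Ephemeral RSA key size only matters when RSA key exchange is enabled.
    if _yes(tls.get('rsa_key_exchange', 'no')) and \
            int(tls.get('rsa_key_length', '0')) < 2048:
        out.append(('high', 'rsa_key_exchange = yes with rsa_key_length = %s is '
                            'export-grade' % tls.get('rsa_key_length')))
    return out


if __name__ == '__main__':
    for sev, msg in audit_eap(parse_conf(SAMPLE_CONF)):
        print('[%s] %s' % (sev, msg))
```

Run against the sample it reports the inner-tls informational finding, the outer-identity finding, and the disabled CRL check; passing outer_identity_anonymous=True drops the identity finding, which is the change Ivan's suggestion makes, while the check_crl finding remains because it is independent of the tunnelling question.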