On Tue, Mar 14, 2017 at 12:56:08AM +0100, Herman Øie Kolden wrote:
I am running FreeRADIUS 2.2.5 on Debian 8.7 (Jessie). The RADIUS server is using TTLS+PAP.
I am trying to find a good way to authenticate the server to Windows clients. With macOS, Linux, Android etc., I am using a custom self signed CA certificate. On these devices it is possible to specify that this certificate is only usable for a specific SSID. However, for Windows I have found no way to accomplish this. To make it work, I have to install the CA certificate in the "Trusted Root CA" store. This is rather inconvenient.
First of all, thanks to everyone for your responses. I have found a solution: Make two eap modules, eap-pub and eap-priv, using certificates signed by respectively LE and our private CA. Then, in outer-tunnel, I specify authorize { ... if ( "%{User-Name}" == "windows" ) { eap-pub { ok = return } } else { eap-priv { ok = return } } ... } I am not very acquainted with FreeRADIUS config, so I am probably doing this in an ugly way, but the main idea is as follows: for Windows clients, install a profile with Anonymous identity "windows". For non-Windows clients, have Anonymous identity be something else. With this, I accomplish the following: 1. Windows users install a profile that uses the LE Root CA to verify "radius.example.com" 2. Non-Windows users install a profile/config that uses our private CA to verify a non-specified server URL Some security concerns that have been mentioned: 1. Wouldn't this allow any server using an LE cert be able to impersonate my RADIUS server? * No. Non-Windows still use the private CA. Windows users specify server URL in the profile, so only an LE cert for radius.example.com works. 2. Wouldn't this allow any client with an LE cert to be authenticated? * No. Client authentication in my organization doesn't use client certificates. To be extra certain of this, I have removed the "CA_file" option entirely. I know this solution is kind of random, and possibly a misuse of Anonymous identity. However, we don't utilize this field anyways, and it works! Please enlighten me if this is an abomination, or if I have misunderstood anything :) -- Herman Øie Kolden Trondheim, Norway