Hi,
In my FreeRadius setup for authenticating WiFi devices with EAP-TLS, I use server- and client SSL certificates from CA provider ' X '. I understand that now everyone with knowledge of this fact, can get a client SSL cert (PKCS#12) from this CA provider X and can authenticate with my WPA2 Enterprise network.
No. If your server certificate is from a CA, the client can verify that your server is genuine (if the client side is configured correctly to actually check CA and server name). The *client* certificates /can/ come from the same CA or from a different CA. If you choose the same CA, then yes, you run into the issues below that everybody who got a client certificate from that same CA can authenticate to your network. Since there's no need to go down that route: don't. Issue client certificates from your own self-signed CA, and hand out client certs only to your own account holders. Then, no further checks are needed.
After reading the following from the README:
"In general, you should use self-signed certificates for 802.1x (EAP) authentication. When you list root CAs from other organisations in the "ca_file", you permit them to masquerade as you, to authenticate your users, and to issue client certificates for EAP-TLS."
Yep; that's good advice :-) It's written in a condensed way as it touches both sides: it's better for the server certs to be from a private CA/self-signed, and it is also better for the client certs to be from a private CA.
I would like to ask the following question. Is there something I can configure on the server side that only certain CommonName's and/or serial's can be used to authenticate correctly?
Yes. There are examples in the shipped tarball of FreeRADIUS for that I think. That does not mean that it's the best idea to go down that route.
Next to this question, I wonder why also a username (Benutzername) is asked in iOS when we use EAP-TLS with a certificate? I can fill out this field with whatever string and it authenticates in FreeRadius (when a correct cert is presented of course). screenshot: https://hilfe.uni-paderborn.de/images/thumb/4/4f/Eduroam_iOS7_04.png/250px-E...
I run version 3.0.11 on Ubuntu 14.04 LTS 64bit.
It's about roaming support. It's a client issue and not for this list, but anyway: If no username is selected, iOS will copy the CN or the eMail field from the cert and use that as username. /usually/ this already contains a domain suffix which can be used for routing, and /usually/ that domain matches the RADIUS realm settings. Sometimes it doesn't - in which case the certificate would work locally, but not in a roaming case where the request needs to be routed correctly. Imagine a client cert with CN="Edward Ulysses Roam" - that's no good for roaming. In this case, you need to configure a different username such as "eduroam@uni-paderborn.de" so that the request gets routed correctly. When you write above that you can use whatever string you like then probably you didn't try this at a remote hotspot. :-) Greetings, Stefan Winter
Thank you - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html