On Thu, 20 May 2010 10:43:14 +0300 Nikita Koshikov wrote:
Hello freeradius users/admins,
I'm trying to implement EAP-TLS authorization with freeradius and Active Directory Certificates Service, but I'm stuck here...
With keys/certificates, generated with freeradius makefile(/etc/raddb/certs) everything is working fine. Here is the hierarchy of keys generated by freeradius:
Ca.crt(+ca.key) || server.crt(+servers.key) //issuer ca.crt || client1.crt client2.crt ..... //issuer server.crt
Apart from this scheme, Active Directory stores certificates in a way:
Ca.crt(key in AD and cannot used by freeradius) || sub_ca.crt(key in AD and cannot used by freeradius) //issuer ca.crt || server.crt(+key) //issuer sub_ca.crt (this is for private_key_file and certificate_file in freeradius config) || client1.crt client2.crt ..... //issuer sub_ca.crt I'm concatenate ca.crt file with sub_ca.crt, openssl verify produces "OK". # openssl verify -CAfile ca.crt clent.crt clent.crt: OK
But trying to authenticate from client I got error - unknown_ca. I have attached full debug log. client(wpa_supplient) -> wifi-access(linksys with dd-wrt) -> server(freeradius-2.1.7) wpa_supplient.conf: network={ ssid="work" proto=RSN key_mgmt=WPA-EAP pairwise=CCMP eap=TLS identity="radius" ca_cert="/home/work/ca.crt" client_cert="/home/work/wifi_client.crt" private_key="/home/work/wifi_client.key" private_key_passwd="" priority=1 }
freeradius relevant section: tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/win/server.key" //generated from sub_ca certificate_file = "/etc/raddb/certs/win/server.crt" //generated from sub_ca CA_file = "/etc/raddb/certs/win/ca.crt" //concatenated ca.crt + sub_ca.crt from windows store dh_file = "/etc/raddb/certs/dh" //generated by makefile random_file = "/etc/raddb/certs/random" //generated by makefile fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" }
Note: Server.crt and client.crt has all necessary extensions(OIDs) - TLS Web Server Authentication and TLS Web Client Authentication
My question - is it able to organize such scheme - freeradius + windows certificate center? Is client.crt MUST be issued by server.crt or they both MAY be issued by higher level ca, like Active Directory does?
If this has been discussed before - please, point me in right direction.
Anyone ?