Alan, thanks. On 2015-12-25 4:07, Alan DeKok wrote:
On Dec 24, 2015, at 9:01 PM, Lukas Haase <lukashaase@gmx.at> wrote:
For my private network I would like to use 802.1X (managed switch) and WPA2 Enterprise via freeradius. I want to allow (1) username/password login with LDAP backend without installing any software/certificates on the clients
That doesn't work. You need a CA cert installed on the laptops / end machines.
I was afraid so and technically it makes sense (since there is not even an "anchor" that can relate the RADIUS server with the CN as it is for DNS). Currently it works with the self-signed certificate (but Windows presents the certificate warning). For my level of security in my private network this is acceptable. However, I found tons of references and howtos where it is stated that (a) installing certificates on the client is optional (b) using a server certificate signed by an official CA is recommended.
and (2) machine-level authentication by installing a simple certificate on the client.
Windows can do machine-level authentication, by automatically provisioning the certificates.
I cannot find good references to that; do you have a pointer? Conceptionally, would I need to add machines as user accounts (as for a PDC) or is it enough to have the client certificate signed by the server certificate? I would not want the former case.
For every other system, there is no "machine auth". There are only user accounts, and user credentials.
At least I could use a users file containing "machine" accounts with long passwords ... but this is again much more difficult than just deploying a simple certificate file. In that case: Why then sign the client certificate with the server cert at all?
[...]
I assume for (2) EAP-TLS is good. Is this true so far?
You can't do both on the same machine in the same account.
What do you mean by "same account"? I really can't use anything in parallel with PEAP?
Now I am confused regarding certificates.
For (1) I set the certificates in "tls" section of "eap" (since PEAP is based on TLS). Since I do not want to install any certificates on the clients, I would use a certificate officially signed by a CA trusted by the client (e.g. StartSSL, LetsEncrypt, VeriSign, ...).
That is not recommended. You should use a self-signed CA.
As mentioned, in this case too many broken howtos and references out there :(
[...]
Now the problem for (2) is that I need an own CA. I would assume the configuration for EAP-TLS goes into the "tls" section under "eap" but as written above this is already taken by PEAP!
While you can put two CA certificates into the raddb/certs directory... you *can't* use two different 802.1X configurations for the same machine. Even on Windows.
Again ... with machine you mean the client or the RADIUS server? Per "end user account" I *only* want to use PEAP-MSCHAPv2 (because it is most widely supported) using login/password information looked up via OpenLDAP (this works). Independently from an "end user account" I would like the authentication to succeed when the client presents a certificate signed by the server, same as it is the case for OpenVPN in PKI mode. I think this can be done with EAP-TLS. So if FreeRADIUS can't be set up serving EAP-TLS and PEAP-MSCHAPv2 at the same time, can't it be configured with virtual servers? For example, there is "modules/inner-eap" which contains a separate TLS configuration. I though this is the key to the correct configuration.
Can't be so difficult ... how to implement this scenario appropriately?
It's impossible. You can only have one 802.1X configuration per end user account.
What I mean: There are tons of deployments in companies supporting which present a username/password prompt when connecting to the network but connect automatically without a prompt when a certain certificate is installed on the system. I've seen that. So I assume this is a very common setup which shouldn't be too hard to implement. Thanks Luke