freeradius eap-ttls user/pass + cert
Hi All, Firstly I wanted to thank freeradius-devs for the tremendous job they are doing. And to the question itself: I had been planning to configure freeradius to be able to authenticate users by username/password from users-file. 1. I followed the readme-file under certs and made ca, server and client certificates MARK: README states that one has to delete index.txt and serial files, but these are needed when creating new certificates, and have to be recreated prior to generating new certificates!? 2. configured ttls/server cert password in eap.conf and everything worked fine. Then I read somewhere that username/password authentication alone is not secure as some information is passed in clear text?! So I decided to add extra protection by using certificates in addition to username/password. That's where problems started. I added "EAP-TLS-Require-Client-Cert = Yes" in "authorize-section" the default-site in sites-enabled. (I also tried to add it to users-file, which didn't work, what does work is DEFAULT EAP-TLS-Require-Client-Cert := Yes) using Fedora 16 as client, I now had to use certificate, I added earlier created client.pem, but server fails to authenticate with message "unknown ca cert", I also tried to use ca.pem, but with negative result. What could the problem be? Please don't reject the question by saying that everything is documented or at least point to the right document. I'll gladly post any config-files/logs on request. regards, Dan. -- View this message in context: http://freeradius.1045715.n5.nabble.com/freeradius-eap-ttls-user-pass-cert-t... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi, On Thu, Feb 23, 2012 at 02:09:50AM -0800, grub3r wrote:
2. configured ttls/server cert password in eap.conf and everything worked fine. Then I read somewhere that username/password authentication alone is not secure as some information is passed in clear text?!
You need to decide what auth methods you want to support. PAP on its own sends the password in clear-text. Sounds like you are trying to set up EAP-TTLS/PAP, which means that the password is now inside a TLS tunnel, so no longer clear-text on the wire.
I added "EAP-TLS-Require-Client-Cert = Yes" in "authorize-section" the default-site in sites-enabled.
The magic code is something more like update control { EAP-TLS-Require-Client-Cert := Yes }
(I also tried to add it to users-file, which didn't work, what does work is DEFAULT EAP-TLS-Require-Client-Cert := Yes)
However, many supplicants can't do client certificates with TTLS (or PEAP), so this is likely to lead you into trouble unless you always know exactly what clients you're dealing with. If you want to use certificates for authentication then you're probably best to just use EAP-TLS (not TTLS).
using Fedora 16 as client, I now had to use certificate, I added earlier created client.pem, but server fails to authenticate with message "unknown ca cert", I also tried to use ca.pem, but with negative result.
The CA for client cert validation goes in CA_file - did you set that? Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
----- Original Message ----- From: Matthew Newton <mcn4@leicester.ac.uk> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Cc: Sent: Thursday, 23 February 2012, 11:49 Subject: Re: freeradius eap-ttls user/pass + cert Hi, On Thu, Feb 23, 2012 at 02:09:50AM -0800, grub3r wrote:
2. configured ttls/server cert password in eap.conf and everything worked fine. Then I read somewhere that username/password authentication alone is not secure as some information is passed in clear text?!
You need to decide what auth methods you want to support. PAP on its own sends the password in clear-text. Sounds like you are trying to set up EAP-TTLS/PAP, which means that the password is now inside a TLS tunnel, so no longer clear-text on the wire. I choose the TTLS because it's widely supported and might be used either with or without certificates. I would like to use username/password to securely authenticate users, that is encrypted username/password. You mean it's enough to only activate ttls as eap method in eap.conf and add a user to users file? isnt username tranferred in clear text?
I added "EAP-TLS-Require-Client-Cert = Yes" in "authorize-section" the default-site in sites-enabled.
The magic code is something more like update control { EAP-TLS-Require-Client-Cert := Yes } Yes, but it aslo works without ":" and can only be applied to default-file, applying to inner-tunnel makes no difference at all.
(I also tried to add it to users-file, which didn't work, what does work is DEFAULT EAP-TLS-Require-Client-Cert := Yes)
However, many supplicants can't do client certificates with TTLS (or PEAP), so this is likely to lead you into trouble unless you always know exactly what clients you're dealing with. wpa_supplicant under linux supports most of the eap methods, linux is my main OS. If you want to use certificates for authentication then you're probably best to just use EAP-TLS (not TTLS). I would not want to use TLS as it requires full PKI with both ca, server and client - certificates
using Fedora 16 as client, I now had to use certificate, I added earlier created client.pem, but server fails to authenticate with message "unknown ca cert", I also tried to use ca.pem, but with negative result.
The CA for client cert validation goes in CA_file - did you set that? I only edited ca, server and client cnf-files as described in README-file under certs-dir. when adding ca.pem, debug says that client did not provide cert, if I use client.pem, debug says unknown ca. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Thu, Feb 23, 2012 at 08:43:09PM +0000, vw58t1@yahoo.no wrote:
On Thu, Feb 23, 2012 at 02:09:50AM -0800, grub3r wrote:
2. configured ttls/server cert password in eap.conf and everything worked fine. Then I read somewhere that username/password authentication alone is not secure as some information is passed in clear text?!
You need to decide what auth methods you want to support.
PAP on its own sends the password in clear-text.
Sounds like you are trying to set up EAP-TTLS/PAP, which means that the password is now inside a TLS tunnel, so no longer clear-text on the wire.
I choose the TTLS because it's widely supported and might be used either with or without certificates. I would like to use username/password to securely authenticate users, that is encrypted username/password. You mean it's enough to only activate ttls as eap method in eap.conf and add a user to users file? isnt username tranferred in clear text?
If you enable pap in the default (outer) server, you will be able to authenticate with pap and clear-text passwords. If you only put pap in the inner-tunnel server, then it will have to be encrypted with the TTLS tunnel first. You can never stop a misconfigured client sending a clear-text password, of course... but you at least won't authenticate it.
Yes, but it aslo works without ":" and can only be applied to default-file, applying to inner-tunnel makes no difference at all.
Setting this in the inner-tunnel is too late. The TLS tunnel is up by then. Either = or := in this situation should be fine. := will force it to be set; = will not change the value if the attribute already exists.
If you want to use certificates for authentication then you're probably best to just use EAP-TLS (not TTLS).
I would not want to use TLS as it requires full PKI with both ca, server and client - certificates
By wanting to use client certificates with TTLS, you're essentially asking for the same thing. So - back to my original statement: You need to decide what auth methods you want to support. If you just want to ensure your passwords are not clear, then use EAP-TTLS (or PEAP), with e.g. PAP in the inner, and forget about the client certificates (remove EAP-TLS-Require-Client-Cert = Yes). If you want to authenticate with passwords, *and* force client certificates ("full PKI"), then you will need EAP-TLS-Require-Client-Cert = Yes, and you'll have to get the CA on both client & server, and issue certificates to both. You'll then need to manage a CA with issuing certificates to all your clients (which had better support TTLS with client certificates), etc. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (3)
-
grub3r -
Matthew Newton -
vw58t1@yahoo.no