Hi Ryan, As far as I remember, Windows does not support wildcard certificates. Regards
Message: 5 Date: Fri, 23 May 2014 16:48:41 +0200 From: Ryan De Kock <ryandekock1988@gmail.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Wild Card GoDaddy cert Message-ID: < CANek+E1Fm+_zWfbcyz2Nuax+BXp2O7czOteSXoNq09xfi7p6JA@mail.gmail.com> Content-Type: text/plain; charset="utf-8"
Hi,
I have a wildcard cert from godaddy.com.
I have tested the cert on Microsoft NPS & IAS and it works fine.
I'm sure it will work in freeradius too, however I can't figure it out.
I have godaddy.crt bundl.e.crt & godaddy.key.
I have added these to freeradius however it does work.
This is what windows does when I don't validate certificates
[eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 37 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied [peap] WARNING: No data inside of the tunnel. [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state ? [peap] FAILED processing PEAP: Tunneled data is invalid. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. } # server Cerebus
This is a successfull auth on my linux client
[eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok
tls {
certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_file = ${certdir}/godaddy.key certificate_file = ${certdir}/godaddy.crt dh_file = ${certdir}/dh random_file = ${certdir}/random }
So Im not sure if its got to do with no using the cert chain or what I'm doing wrong but would appreciate any guidance
Thanks for all the responses. I don't mean to doubt you guys, you obviously know more than me, however, If import this certificate into MS and use it with NPS the clients are able to connect and it does work. I could be wrong but I think the issue has something to do with the fact that I have 2 .crt files, the chain and the actual cert. I tried to combine them in different orders into a file but that didn't work either. If it works when in NPS surley it will work in freeradius? On 23 May 2014 17:29, Rui Ribeiro <ruyrybeyro@gmail.com> wrote:
Hi Ryan,
As far as I remember, Windows does not support wildcard certificates.
Regards
Message: 5 Date: Fri, 23 May 2014 16:48:41 +0200 From: Ryan De Kock <ryandekock1988@gmail.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Wild Card GoDaddy cert Message-ID: < CANek+E1Fm+_zWfbcyz2Nuax+BXp2O7czOteSXoNq09xfi7p6JA@mail.gmail.com> Content-Type: text/plain; charset="utf-8"
Hi,
I have a wildcard cert from godaddy.com.
I have tested the cert on Microsoft NPS & IAS and it works fine.
I'm sure it will work in freeradius too, however I can't figure it out.
I have godaddy.crt bundl.e.crt & godaddy.key.
I have added these to freeradius however it does work.
This is what windows does when I don't validate certificates
[eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 37 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied [peap] WARNING: No data inside of the tunnel. [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state ? [peap] FAILED processing PEAP: Tunneled data is invalid. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. } # server Cerebus
This is a successfull auth on my linux client
[eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok
tls {
certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_file = ${certdir}/godaddy.key certificate_file = ${certdir}/godaddy.crt dh_file = ${certdir}/dh random_file = ${certdir}/random }
So Im not sure if its got to do with no using the cert chain or what I'm doing wrong but would appreciate any guidance
What format did you use to get the cert instaled on your NPS server? Did you try to export that cert then try using that on the freeradius server? It might not be the "same" cert that you are trying to use on the freeradius server, I have had issues when converting between formats. On 27 May 2014 14:13, Ryan De Kock <ryandekock1988@gmail.com> wrote:
Thanks for all the responses.
I don't mean to doubt you guys, you obviously know more than me, however, If import this certificate into MS and use it with NPS the clients are able to connect and it does work.
I could be wrong but I think the issue has something to do with the fact that I have 2 .crt files, the chain and the actual cert. I tried to combine them in different orders into a file but that didn't work either.
If it works when in NPS surley it will work in freeradius?
On 23 May 2014 17:29, Rui Ribeiro <ruyrybeyro@gmail.com> wrote:
Hi Ryan,
As far as I remember, Windows does not support wildcard certificates.
Regards
Message: 5 Date: Fri, 23 May 2014 16:48:41 +0200 From: Ryan De Kock <ryandekock1988@gmail.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Wild Card GoDaddy cert Message-ID: < CANek+E1Fm+_zWfbcyz2Nuax+BXp2O7czOteSXoNq09xfi7p6JA@mail.gmail.com> Content-Type: text/plain; charset="utf-8"
Hi,
I have a wildcard cert from godaddy.com.
I have tested the cert on Microsoft NPS & IAS and it works fine.
I'm sure it will work in freeradius too, however I can't figure it out.
I have godaddy.crt bundl.e.crt & godaddy.key.
I have added these to freeradius however it does work.
This is what windows does when I don't validate certificates
[eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 37 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied [peap] WARNING: No data inside of the tunnel. [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state ? [peap] FAILED processing PEAP: Tunneled data is invalid. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. } # server Cerebus
This is a successfull auth on my linux client
[eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok
tls {
certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_file = ${certdir}/godaddy.key certificate_file = ${certdir}/godaddy.crt dh_file = ${certdir}/dh random_file = ${certdir}/random }
So Im not sure if its got to do with no using the cert chain or what I'm doing wrong but would appreciate any guidance
Ryan, I am confident that a wildcard certificate does not work with Windows with PEAP where you validate it. Are you actually validating it properly? If you are, could it be that there is also a SAN in the certificate in addition to the wildcard CN that is allowing it to work? I have not tested this scenario, but it -might- work. Nick
guys... you're 100%, my bad. I completely forgot about the verisign cert we had for this exact reason. wild card cert does not work. On 27 May 2014 16:10, Nick Lowe <nick.lowe@gmail.com> wrote:
Ryan,
I am confident that a wildcard certificate does not work with Windows with PEAP where you validate it. Are you actually validating it properly?
If you are, could it be that there is also a SAN in the certificate in addition to the wildcard CN that is allowing it to work? I have not tested this scenario, but it -might- work.
Nick
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Bertalan Voros -
Nick Lowe -
Rui Ribeiro -
Ryan De Kock