Help in moving FR1.x to 3.x EAP-TLS setup.
So, I've got a current FR setup, version 2.2.8 [although the last time I've done this was under a 1.x FR version - these configs are under an upgraded distro version - so the newer FR setups are somewhat confusing for me. This is all under Ubuntu - this setup started life as a 12.04 (IIRC) setup, and got upgraded to 16.04. I'm now trying to migrate it to a fresh setup on 18.04.] I'm trying to move it to a new FR setup under 3.0.16. It's a Wifi WPA setup - using EAP-TLS with certificates/key only. [Not PEAP etc.] And I'm having trouble. Rather than have you look at a debug - perhaps I should start here. I'm not sure I'm doing the right steps for setup/configuration. Moving clients.conf is obvious. [Though I've added the newer "ipaddr" to them.] I have created new certs/keys/ca - and I'm pretty sure I've done that correctly. [Lets assume I have for now - we'll come back to that later, if needed. I can always test with the old certs/keys too, because I know those work. I'm using GNUTLS to handle CA/Cert/Key creation, and I know I need to add the OID's for "server" and "client" as applicable. And I've verified these are present in the relevant certs.] Now, to where I'm quite unsure... I need to edit the EAP configuration in ./mods-available, and create a link to it in ./mods-enabled - right? --- Here's what is in my current eap [in FR 2.2.8] - though the eap.conf file isn't in the mods-available directory, it's in the main FR config dir. I suppose I could probably leave it that way, but I'm trying to do this the "new" way. --- eap { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 #md5 { #} # #leap { #} # #gtc { # auth_type = PAP #} tls { certdir = ${confdir}/certs cadir = ${confdir}/certs #private_key_password = whatever private_key_file = ${certdir}/radius.somedom.local.key certificate_file = ${certdir}/radius.somedom.local.pem CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = /dev/urandom CA_path = ${cadir} check_crl = yes cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap" cache { enable = no lifetime = 24 # hours max_entries = 255 } verify { } } #ttls { # default_eap_type = md5 # copy_request_to_tunnel = no # use_tunneled_reply = no # virtual_server = "inner-tunnel" #} #peap { # default_eap_type = mschapv2 # copy_request_to_tunnel = no # use_tunneled_reply = no # virtual_server = "inner-tunnel" #} #mschapv2 { #} } --- Though to start, I think I'll avoid checking a CRL - just to keep things simple. Do, I just essentially paste this config straight into the new one? [I don't think so - there's a new section "tls-config tls-common" and I'm unsure about that.] I don't believe there are any changes I made previously [or need to make now] to radiusd.conf? Is there anything else I need to do? Thanks in advance! -Greg
On May 29, 2019, at 11:48 AM, Gregory Sloop <gregs@sloop.net> wrote:
So, I've got a current FR setup, version 2.2.8 [although the last time I've done this was under a 1.x FR version - these configs are under an upgraded distro version - so the newer FR setups are somewhat confusing for me. This is all under Ubuntu - this setup started life as a 12.04 (IIRC) setup, and got upgraded to 16.04. I'm now trying to migrate it to a fresh setup on 18.04.]
That's good.
And I'm having trouble. Rather than have you look at a debug - perhaps I should start here. I'm not sure I'm doing the right steps for setup/configuration.
See http://deployingradius.com That contains detailed instructions for (a) starting from a default config, and (b) having EAP / WiFi auth work.
Here's what is in my current eap [in FR 2.2.8] - though the eap.conf file isn't in the mods-available directory, it's in the main FR config dir. I suppose I could probably leave it that way, but I'm trying to do this the "new" way.
Please don't move your v2 config to v3. Start with the default configuration in v3, in a fresh v3 installation. Then, gradually re-create the *functionality* piece by piece, with testing.
Though to start, I think I'll avoid checking a CRL - just to keep things simple. Do, I just essentially paste this config straight into the new one?
Please no.
[I don't think so - there's a new section "tls-config tls-common" and I'm unsure about that.]
It's because EAP-TLS, TTLS, and PEAP all share common TLS configuration. Instead of replicating it 3 times, there's a "common TLS" configuration.
I don't believe there are any changes I made previously [or need to make now] to radiusd.conf? Is there anything else I need to do?
If you made no more changes, then no. Alan DeKok.
I'm not sure I'm doing the right steps for setup/configuration.
AD> See http://deployingradius.com AD> That contains detailed instructions for (a) starting from a AD> default config, and (b) having EAP / WiFi auth work.
Here's what is in my current eap [in FR 2.2.8] - though the eap.conf file isn't in the mods-available directory, it's in the main FR config dir. I suppose I could probably leave it that way, but I'm trying to do this the "new" way.
AD> Please don't move your v2 config to v3. Start with the default AD> configuration in v3, in a fresh v3 installation. Then, gradually AD> re-create the *functionality* piece by piece, with testing. The web page you point to isn't very helpful for EAP-TLS - at least the config portion, which is what I'm having issues with. But that said, I did get it working with the "old" eap config. However, I need some guidance in putting that into the new config layout/style. It looks like the eap section is pretty much unchanged, except for hollowing out tls{} and moving it all into tls-common{} and pointing the tls section at tls-common. Otherwise the config appears unchanged, really. So, does this look about right? [Obviously substituting the proper values for my setup.] --- eap { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} tls-config tls-common { private_key_password = whatever private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem ca_file = /etc/ssl/certs/ca-certificates.crt #auto_chain = yes #psk_identity = "test" #psk_hexphrase = "036363823" dh_file = ${certdir}/dh #random_file = /dev/urandom #fragment_size = 1024 #include_length = yes #check_crl = yes #check_all_crl = yes ca_path = ${cadir} #allow_expired_crl = no #check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" #check_cert_cn = %{User-Name} cipher_list = "DEFAULT" cipher_server_preference = no #disable_tlsv1_2 = no #disable_tlsv1_1 = no #disable_tlsv1 = no #tls_min_version = "1.0" #tls_max_version = "1.2" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 # hours #name = "EAP module" #persist_dir = "${logdir}/tlscache" } } tls { # Point to the common TLS configuration tls = tls-common } } ---
On May 29, 2019, at 4:55 PM, Gregory Sloop <gregs@sloop.net> wrote:
The web page you point to isn't very helpful for EAP-TLS - at least the config portion, which is what I'm having issues with.
It's not that more complex. Configure the server / CA certificate as described in the web page. Issue a client certificate using the CA. It *will* work. If you use eapol_test as described in that page, it's simple to add client configurations for EAP-TLS. In v3, sample configuration for eapol_test are in src/tests/eap*.conf
But that said, I did get it working with the "old" eap config.
However, I need some guidance in putting that into the new config layout/style. It looks like the eap section is pretty much unchanged, except for hollowing out tls{} and moving it all into tls-common{} and pointing the tls section at tls-common.
Mostly, yes.
Otherwise the config appears unchanged, really.
So, does this look about right?
It's not really useful to read detailed configurations. a) did you copy the values from the old config to the new config? b) does it work when you test it? If so it's fine. Alan DeKok.
AD> It's not that more complex. Configure the server / CA AD> certificate as described in the web page. Issue a client AD> certificate using the CA. It *will* work. AD> If you use eapol_test as described in that page, it's simple to AD> add client configurations for EAP-TLS. In v3, sample AD> configuration for eapol_test are in src/tests/eap*.conf I don't see any of that ^^^ in Ubuntu. I'm puzzled. Perhaps FR3 from sources is way different than FR3 in Ubuntu 18.04 - but I'm pretty sure you'll need an eap[.conf] cofigured in the /mods-available and linked in the /mods-enabled directory to make this work. Thus, you can't just create a CA/Cert/Key and EAP-TLS 'just works' as per http://deployingradius.com/documents/configuration/eap.html - at least not with Ubuntu. I'm fine with having to configure eap, but at least on Ubuntu it won't work unless you configure EAP and put a link [or the actual config] in /etc/freeradius/3.0/mods-enabled. Probably I'll try to work up a how-to for Ubuntu 18.04 - since the WPA-Enterprise/Radius howto on the wiki is at least 10 years old, and doesn't reflect the realities of 2.x or 3.x, or anything newer than Windows XP. I stand a few of these up, perhaps every 10 years or the like - so I'm never going to become a FR guru. Having something modestly straight-forward, without having to wade through a bunch of documentation would be helpful. -Greg
On May 29, 2019, at 6:44 PM, Gregory Sloop <gregs@sloop.net> wrote:
AD> If you use eapol_test as described in that page, it's simple to AD> add client configurations for EAP-TLS. In v3, sample AD> configuration for eapol_test are in src/tests/eap*.conf
I don't see any of that ^^^ in Ubuntu.
The source code *is* available on github, and via "tar" files from the main web site.
I'm puzzled. Perhaps FR3 from sources is way different than FR3 in Ubuntu 18.04 - but I'm pretty sure you'll need an eap[.conf] cofigured in the /mods-available and linked in the /mods-enabled directory to make this work.
Yes. But the default configuration does that.
Thus, you can't just create a CA/Cert/Key and EAP-TLS 'just works' as per http://deployingradius.com/documents/configuration/eap.html - at least not with Ubuntu.
Maybe Ubuntu broke the default configuration, but I doubt it.
I'm fine with having to configure eap, but at least on Ubuntu it won't work unless you configure EAP and put a link [or the actual config] in /etc/freeradius/3.0/mods-enabled.
That link should be added in the default configuration.
Probably I'll try to work up a how-to for Ubuntu 18.04 - since the WPA-Enterprise/Radius howto on the wiki is at least 10 years old, and doesn't reflect the realities of 2.x or 3.x, or anything newer than Windows XP.
The examples on the Wiki are from 3.0. They work. The main issue is that Debian systems recently switched the config file from /etc/freeradius to /etc/freeradius/3.0. But that's really the only change.
I stand a few of these up, perhaps every 10 years or the like - so I'm never going to become a FR guru. Having something modestly straight-forward, without having to wade through a bunch of documentation would be helpful.
Again, the default configuration works. Read the configuration files, the comments, and it will be pretty straightforward. What doesn't work is copying config files from v2 to v3. That's just impossible across major version upgrades. What will work is following my guide, at least for TTLS and PEAP. What will work is using the eapol_test configs from the source tree. Alan DeKok.
participants (2)
-
Alan DeKok -
Gregory Sloop