Hello, I have got a few questions about radius and buy an original Certificate. Firsts thank you for the help here, but I can’t find an option for search on all post, is this possible ?? only find this: For example only can find post from this mount http://lists.freeradius.org/pipermail/freeradius-users/2017-January/thread.h... Is for don’t disturb with my questions is are answered, sorry. And now my questions, first I have got running my freeradius installation 3.10 on ubuntu) with AD Auth, but with limitations, because I need install my self-signed cert on all device for connect to wifi. I don’t want this (I don’t want install the certs), and I need buy a real cert for a real CA, I know ,but I never buy one for this. (I never buy a certfor radius, web or similar) I need buy a real cert, where I can buy ?? recommendations webs?? And witch type ?? I see a lot of certs, and I don’t know the certification specification.( a lot of prices and options) Please a direct links if possible to correct cert. I never buy an original cert and I don’t know process. When I receive the certificates is like certs on the folder?? Need change data??? How can use this certs on my radius install?? Are 3, 5, 20 files ???? where i can find info about this ?? (On docs i reffer) Need a domain for this ?? can i use the cert from a Web (typical ssl cert that is used for web?? I see a lot of info on internet for use self-signed cert, but I can’t find info on documentations or on my Ubuntu install when use real certs. (Is very possible I don’t find) Thank you for your time when you read me, and sorry if a newbie questions. Thank you in advanced, i dont want confuse with this and spend money with this.
I don’t want this (I don’t want install the certs) This is the last thing you want to do. The consequence is that any device that has a cert signed by that CA will be authorized to use your network.
If you're too lazy to install the certs, you're better off dropping EAP-TLS (which I assume is what you're trying to do) altogether and going for something username/password based instead.
On 30/01/2017 11:51, Spider s wrote:
And now my questions, first I have got running my freeradius installation 3.10 on ubuntu) with AD Auth, but with limitations, because I need install my self-signed cert on all device for connect to wifi.
I don’t want this (I don’t want install the certs), and I need buy a real cert for a real CA, I know ,but I never buy one for this.
I've been down this path, and I'm afraid you'll find it's a dead end. The problem is that some clients (specifically Android and Linux) have no way to bind a particular SSID to a particular certificate *identity*. They will accept any certificate signed by the selected CA. What it means is, you are forced to create a throw-away CA purely for RADIUS use. Even if you run your own existing private CA, you can't use it: that's because anyone who has a certificate from your CA would be able to set up a rogue access point and intercept everyone else's traffic. Windows, OSX and (I think) iOS don't have this problem. You can create profiles for them which only accept a certificate with a given identity or identifies (say, "wireless.yourdomain.com"). You can then get this cert from a public CA - even for free from Letsencrypt. If the access point presents a certificate with a different identity, the client will refuse to connect. But your Android and Linux users will be totally insecure. If you configured them to accept (say) the Letsencrypt CA, they will accept *any* certificate from the Letsencrypt CA, and happily send both their credentials and all their network traffic via the rogue access point. This IMO is a major flaw in wpa_supplicant, but that's just how it is. In any case, it's very important that you don't let your clients simply connect to your access point and click through all the prompts - they must install a pre-configured profile. If they don't, they will most likely have an insecure setup. EAP-PEAP is highly insecure by default. There *is* a way to do strong mutual password authentication without certificates: it's called EAP-pwd. It's supported by FreeRADIUS, Linux and Android. But unfortunately it's not implemented in Windows or OSX :-( Regards, Brian.
On 30/01/2017 15:52, Brian Candler wrote:
On 30/01/2017 11:51, Spider s wrote:
And now my questions, first I have got running my freeradius installation 3.10 on ubuntu) with AD Auth, but with limitations, because I need install my self-signed cert on all device for connect to wifi.
I don’t want this (I don’t want install the certs), and I need buy a real cert for a real CA, I know ,but I never buy one for this.
I've been down this path, and I'm afraid you'll find it's a dead end.
The problem is that some clients (specifically Android and Linux) have no way to bind a particular SSID to a particular certificate *identity*. They will accept any certificate signed by the selected CA.
What it means is, you are forced to create a throw-away CA purely for RADIUS use. Even if you run your own existing private CA, you can't use it: that's because anyone who has a certificate from your CA would be able to set up a rogue access point and intercept everyone else's traffic.
There's an additional issue. In Android, if you install your own trusted CA, then every time your phone boots up you get a scary notification saying "Network May Be Monitored by an unknown third party". If you click on it, it then says "A third party is capable of monitoring your network activity, including emails, apps and secure websites." If you dismiss it, it comes back after a few days or weeks. Googling around, the only ways I can find to disable this involve rooting your phone - which is not exactly in the spirit of maintaining good security - or deleting the cert, which gets you back to square one, with the very real risk that people will connect to your network with *no* cert validation at all. Does anyone have a way around this? Or do we just have to train users to ignore this error? Regards, Brian.
the error is dependant on the version of Android and is no longer an issue (IIRC) in latest versions. the error would pop back up after a reboot on those phones 'affected' - its a Googleism - and wrong of them to treat eg enterprise intranet CAs etc in this way. alan On 3 May 2017 at 19:54, Brian Candler <b.candler@pobox.com> wrote:
On 30/01/2017 15:52, Brian Candler wrote:
On 30/01/2017 11:51, Spider s wrote:
And now my questions, first I have got running my freeradius installation 3.10 on ubuntu) with AD Auth, but with limitations, because I need install my self-signed cert on all device for connect to wifi.
I don’t want this (I don’t want install the certs), and I need buy a real cert for a real CA, I know ,but I never buy one for this.
I've been down this path, and I'm afraid you'll find it's a dead end.
The problem is that some clients (specifically Android and Linux) have no way to bind a particular SSID to a particular certificate *identity*. They will accept any certificate signed by the selected CA.
What it means is, you are forced to create a throw-away CA purely for RADIUS use. Even if you run your own existing private CA, you can't use it: that's because anyone who has a certificate from your CA would be able to set up a rogue access point and intercept everyone else's traffic.
There's an additional issue.
In Android, if you install your own trusted CA, then every time your phone boots up you get a scary notification saying "Network May Be Monitored by an unknown third party". If you click on it, it then says "A third party is capable of monitoring your network activity, including emails, apps and secure websites."
If you dismiss it, it comes back after a few days or weeks.
Googling around, the only ways I can find to disable this involve rooting your phone - which is not exactly in the spirit of maintaining good security - or deleting the cert, which gets you back to square one, with the very real risk that people will connect to your network with *no* cert validation at all.
Does anyone have a way around this? Or do we just have to train users to ignore this error?
Regards,
Brian.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello, thank you for you advise, but the problem is that i use active directory for auth, but olds printers and AP cant install the certs. I need a solution for the users and dont need install the cert if possible. I dont know if i can use a auto signed from the active directoy server and dont need install certs, because is it inherited. I am not lazy to install certs, is a problem for easy usage of users and full compatibility. Thank you for you time. On Mon, Jan 30, 2017 at 12:51 PM, Spider s <spidersoftware@gmail.com> wrote:
Hello, I have got a few questions about radius and buy an original Certificate.
Firsts thank you for the help here, but I can’t find an option for search on all post, is this possible ?? only find this:
For example only can find post from this mount
http://lists.freeradius.org/pipermail/freeradius-users/ 2017-January/thread.html
Is for don’t disturb with my questions is are answered, sorry.
And now my questions, first I have got running my freeradius installation 3.10 on ubuntu) with AD Auth, but with limitations, because I need install my self-signed cert on all device for connect to wifi.
I don’t want this (I don’t want install the certs), and I need buy a real cert for a real CA, I know ,but I never buy one for this. (I never buy a certfor radius, web or similar)
I need buy a real cert, where I can buy ?? recommendations webs??
And witch type ?? I see a lot of certs, and I don’t know the certification specification.( a lot of prices and options) Please a direct links if possible to correct cert.
I never buy an original cert and I don’t know process. When I receive the certificates is like certs on the folder?? Need change data??? How can use this certs on my radius install?? Are 3, 5, 20 files ???? where i can find info about this ?? (On docs i reffer)
Need a domain for this ?? can i use the cert from a Web (typical ssl cert that is used for web??
I see a lot of info on internet for use self-signed cert, but I can’t find info on documentations or on my Ubuntu install when use real certs. (Is very possible I don’t find)
Thank you for your time when you read me, and sorry if a newbie questions.
Thank you in advanced, i dont want confuse with this and spend money with this.
On 01/02/2017 10:01, Spider s wrote:
Hello, thank you for you advise, but the problem is that i use active directory for auth, but olds printers and AP cant install the certs. Access Points don't have, or even check, certificates. The certificate goes in the RADIUS server and the EAP messages are forwarded end-to-end:
client <----------> access point <-----------> RADIUS < . . . . . . EAP request . . . . . . > server So there's zero problem with old APs. I'm not sure what you mean by printers in this context. Why would it need a certificate? Are you saying that you have a wireless printer, which *does* support WPA-Enterprise with EAP-PEAP/MSCHAPv2 for wireless access, but has a hard-coded set of root certificates?? I have never seen such a printer. I'd guess it's probably insecure anyway and doesn't check the root certificate at all. Try it. And if it doesn't work, connect it with an ethernet cable instead.
I need a solution for the users and dont need install the cert if possible. Your users will be able to connect without the cert; they'll just click through a few prompts. But it will be totally insecure.
Using a certificate from a trusted CA *doesn't help*, because they'll still have to click through a bunch of prompts in order to connect, and they won't be able to distinguish your signed cert from someone else's signed cert. For example, say I legitimately own the domain "evil.com". I buy a certificate for "wireless.evil.com". I set up an access point with your SSID. Your clients attach to it, and they will happily send me their passwords, and I will happily man-in-the-middle all their network traffic. They will only refuse to talk to my evil access point if either: 1. They have been configured to recognise only a specific named certificate, e.g. "wireless.yourdomain.com". This requires explicit configuration. Or: 2. They have been configured only to accept a certificate signed by a private CA which you have set up. This requires explicit configuration. In both cases, it's only secure if you do the explicit configuration, which means creating a profile which you load into their device. So you may as well learn how to do it. Option 1 is not available for Android and Linux clients. So you are forced to option 2.
I am not lazy to install certs, is a problem for easy usage of users and full compatibility.
I know what you mean, I wish this was sane - it would be great if everyone used FQDNs for SSIDs, and clients matched the SSID to the certificate identity. Unfortunately, it's not sane. Welcome to the real world. Regards, Brian.
Spider S wrote:
I need buy a real cert, where I can buy ?? recommendations webs??
We're currently using a Godaddy cert, but now that we have stopped supporting really old Windows which do not have the Entrust root pre-installed, we may do that instead. What you need to do is look at the root certificates present in the OS store of the devices you are supporting, and find the common denominator.
And witch type ?? I see a lot of certs, and I don’t know the certification specification.( a lot of prices and options) Please a direct links if possible to correct cert.
Just a regular web certificate will work except for very old windows clients where a special attribute is needed... it is sometimes hard to get CAs to issue this attribute. See: http://lists.freeradius.org/pipermail/freeradius-users/2006-October/013613.h... Also there may be some clients that are too dumb to figure out that OCSP is not possible before they have an IP address, so some extended validation attributes may cause issues if present.
I never buy an original cert and I don’t know process.
You generate a .csr, and using the CA's web interface you submit it. This CSR should not include your key and the CA should not ask for the key or they are up to something sleezy. Some CAs will send you back a code which you need to post to a page on a web server under the same domain as the cert is requested for, for them to verify you own that domain.
Need a domain for this ?? can i use the cert from a Web (typical ssl cert that is used for web??
The hostname (CN) in the certificate is not used by FreeRADIUS for IP lookup for any reason... the DNS entry need not even exist, but you do need to provably own a domain.
I see a lot of info on internet for use self-signed cert, but I can’t find info on documentations or on my Ubuntu install when use real certs. (Is very possible I don’t find)
Using a CA cert is about the same as using a self-signed certificate. The only major difference on the server side is you have to include any intermediate certificates concatenated onto the end of the cert file you tell FreeRADIUS to use, in order starting with your server cert and then working towards the root, until you have sent all certificates that all your client OSes do not already have pre-installed. You should not include the CA Root, it will do no good to. On the client side, you should be aware that any supplicant (client) that is not configured to specifically trust only the CN in your certificate and only the CA root which it was issued from may be vulnerable to hijack, which can reveal AD credentials (and if the CA itself gets compromised or is not trustworthy, this could also compromise your security of course.) It is for this reason that many prefer EAP-TLS to EAP-PEAP-MSCHAPv2 or prefer to use and distribute their own self-signed or in-house PKI certificates to clients. Not all OSes allow you to put these restrictions in place. In particular Android is not very safe. Some OSes (Apple) perform an automatic pinning of the certificate on the first connect, so they are usually only vulnerable to hijack on the first connect, or if your users will ignore security warnings.
On 01/02/2017 13:03, Brian Julin wrote:
Just a regular web certificate will work except for very old windows clients where a special attribute is needed... it is sometimes hard to get CAs to issue this attribute.
See:http://lists.freeradius.org/pipermail/freeradius-users/2006-October/013613.h...
"Microsoft specifies that certificates must have the "Enhanced Key Usage" attribute with the value "Server Authentication" (OID 1.3.6.1.5.5.7.3.1)" A free LetsEncrypt certificate has it - see below. I had no problems using this certificate with Windows 7 or Windows 10, nor OSX, although the three-month lifetime means frequent renewals. The problem is if you ever let Linux or Android users near your network, they will only connect in an insecure way, at least with EAP-PEAP/MSCHAP. I did wonder about making FreeRADIUS keep track of the client MAC addresses it's seen. The first time it sees a new MAC address, it *intentionally* returns a bad certificate, and if authentication completes successfully, it puts the user into a different VLAN so they can be isolated. However if the client aborts the authentication exchange a couple of times, the server marks the MAC address as good and then starts using the correct certificate, and returns the correct VLAN. It would be an interesting project, but I don't have time to implement it :-) Regards, Brian. # cd /etc/letsencrypt/live/<snip>.com # openssl x509 -in cert.pem -noout -text ... X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE ... Authority Information Access: OCSP - URI:http://ocsp.int-x3.letsencrypt.org/ CA Issuers - URI:http://cert.int-x3.letsencrypt.org/ ... X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org User Notice: Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
The problem is if you ever let Linux or Android users near your network, they will only connect in an insecure way, at least with EAP-PEAP/MSCHAP.
Linux can be properly configured. Well, depending on the UI used. Android may get there in a few years, but hid the necessary tools from the user and ignored the bug report asking for it for a decade, then closed it unresolved.
I did wonder about making FreeRADIUS keep track of the client MAC addresses it's seen. The first time it sees a new MAC address, it *intentionally* returns a bad certificate, and if authentication completes successfully, it puts the user into a different VLAN so they can be isolated. However if the client aborts the authentication exchange a couple of times, the server marks the MAC address as good and then starts using the correct certificate, and returns the correct VLAN.
It would be an interesting project, but I don't have time to implement it :-)
I did play with that a bit... not the first-time-seen part but just randomly sending out a bad cert. It confused clients horribly. I'd think you'd want to serve the correct certificate first, so Apples pin it, then after a successful auth or two test them for compliance. https://github.com/skids/freeradius-server/commits/clientverify would get you part way there if you decide to go adventuring.
On 01/02/2017 17:01, Brian Julin wrote:
Linux can be properly configured. Well, depending on the UI used. Thanks. I had looked for this before in wpa_supplicant.conf but couldn't find it. Looking a bit harder now, I find the "subject_match", "domain_match" and similar options.
https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf And it works in eapol_test as well, cool! Regards, Brian.
On 01/02/2017 17:01, Brian Julin wrote:
I did play with that a bit... not the first-time-seen part but just randomly sending out a bad cert. It confused clients horribly. I'd think you'd want to serve the correct certificate first, so Apples pin it, then after a successful auth or two test them for compliance.
https://github.com/skids/freeradius-server/commits/clientverify would get you part way there if you decide to go adventuring.
Very nice. Thank you!
Hello,
The problem is if you ever let Linux or Android users near your network, they will only connect in an insecure way, at least with EAP-PEAP/MSCHAP.
Linux can be properly configured. Well, depending on the UI used. Android may get there in a few years, but hid the necessary tools from the user and ignored the bug report asking for it for a decade, then closed it unresolved.
Since Android 4.3 the API allows one to pin all security parameters including server name. We make use of that in eduroam with the eduroam CAT app and config files which bring all the needed security settings. It is limited to one root CA though. Since Android 7.0 the API allows multiple trusted root CAs which helps with cert rollover scenarios. Since Android 7.1 the UI exposes the server name field as well (but calling it "Domain" of all things). Manual configuration in a secure way is now possible but still incredibly clumsy compared to .mobileconfig files on iOS for example. That's why we keep our eduroam CAT Android app around :-) But then, who has 7.1 anyway :-)
I did wonder about making FreeRADIUS keep track of the client MAC addresses it's seen. The first time it sees a new MAC address, it *intentionally* returns a bad certificate, and if authentication completes successfully, it puts the user into a different VLAN so they can be isolated. However if the client aborts the authentication exchange a couple of times, the server marks the MAC address as good and then starts using the correct certificate, and returns the correct VLAN.
It would be an interesting project, but I don't have time to implement it :-)
I did play with that a bit... not the first-time-seen part but just randomly sending out a bad cert. It confused clients horribly. I'd think you'd want to serve the correct certificate first, so Apples pin it, then after a successful auth or two test them for compliance.
Trouble is that you are fooling around with your users in first use. If things go sideways on first try (and you make sure it does) then with an impatient user there is no second try, and you lose the customer. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
On 02/02/2017 08:08, Stefan Winter wrote:
Since Android 4.3 the API allows one to pin all security parameters including server name. We make use of that in eduroam with the eduroam CAT app and config files which bring all the needed security settings. It is limited to one root CA though.
I have an Android 5.1 phone (Moto G gen1). I tried the CAT app but it just crashed at the point of installing the profile. I am happy to take this issue up offline with you if you like. It's possible there's a bug in the XML profile I tweaked - but I'd still hope the app wouldn't crash! Also, its terms require prior written permission for non-educational use. Are there any alternative apps which can use this API?
Hi,
Since Android 4.3 the API allows one to pin all security parameters including server name. We make use of that in eduroam with the eduroam CAT app and config files which bring all the needed security settings. It is limited to one root CA though.
I have an Android 5.1 phone (Moto G gen1). I tried the CAT app but it just crashed at the point of installing the profile. I am happy to take this issue up offline with you if you like. It's possible there's a bug in the XML profile I tweaked - but I'd still hope the app wouldn't crash!
Also, its terms require prior written permission for non-educational use.
Are there any alternative apps which can use this API?
Well, the app hard-codes "eduroam" as SSID, so if you want to use it outside of eduroam you'll have problems anyway. We are in the process of changing the config format to include SSID and to update the app so it becomes more flexible. Don't hold your breath though. And for eduroam, the XML is generated by the website at https://cat.eduroam.org so no tweaking needed / expected. Curious about our terms - we're licensing Apache 2. That's fairly common. I didn't think this creates issues anywhere? If you send me your tweaked XML I can try to reproduce if you still care. As for other apps... no idea. I think we were among the very early users of this API, but maybe others are following on the same path. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
participants (6)
-
Alan Buxey -
Brian Candler -
Brian Julin -
Spider s -
Stefan Winter -
Timo Buhrmester