RES: Re: PEAP/EAP-TLS with client and server certificate
I?m trying to configure freeradius with PEAP + EAP-TLS, but I?m making some confusion to configure the radiusd.conf (sections authorize and authentication) and eap.conf.
Have someone implemented this configuration?
Yes. Many people.
In the eap.conf file the default eap type is TLS or PEAP?
If you're doing PEAP, then it should be peap.
What I?ve to configure in the authorize and authentication sections?
For basic peap, not much. Just configure "eap.conf".
OK. But I´m trying to use peap to make an encrypted tunnel validating the server certificate and then I want to authenticate the clients whith EAP-TLS using client/server certificate. The TLS tunnel is working fine, but the second part of EAP-TLS authentication not. So .... in the peap section in the eap.conf, what I´ve to configure for default eap type? Is tls ? If I configure tls, I´ve to create a tls section in the peap section or the tls section of the eap.conf is enough. I´ve attached my eap.conf file. Thank´s !! eap.conf eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no # Supported EAP-types # EAP-TLS tls { private_key_password = xxxxxxxxxxxxxxxxx private_key_file = ${raddbdir}/certs/freeradius_key.pem certificate_file = ${raddbdir}/certs/freeradius_cert.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = ${raddbdir}/certs/random fragment_size = 1024 include_length = yes } peap { default_eap_type = tls } #tls { #private_key_password = xxxxxxxxxxxxxxxxxxxxx #private_key_file = ${raddbdir}/certs/freeradius_key.pem #certificate_file = ${raddbdir}/certs/freeradius_cert.pem #CA_file = ${raddbdir}/certs/demoCA/cacert.pem #dh_file = ${raddbdir}/certs/dh #random_file = ${raddbdir}/certs/random #fragment_size = 1024 #include_length = yes #} #mschapv2 { #} }
*FreeRADIUS Version 1.0.1*
Why not run 1.1.6, which has many more bug fixes and features?
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
"Mensagem protegida por sigilo profissional. Sua utilização indevida sujeita o infrator às penas da lei. Não sendo seu destinatário, por favor, elimine-a e informe o equívoco ao emitente." "This e-mail message and any attachment are intended exclusively for the named addressee. They may contain confidential information which may also be protected by professional secrecy. Unless you are the named addressee (or authorised to receive for the addressee) you may not copy or use this message or any attachment or disclose the contents to anyone else. If this e-mail was sent to you by mistake please notify the sender immediately and delete this e-mail."
Marcelo Augusto Rodrigues Pimentel wrote:
OK. But I´m trying to use peap to make an encrypted tunnel validating the server certificate and then I want to authenticate the clients whith EAP-TLS using client/server certificate. The TLS tunnel is working fine, but the second part of EAP-TLS authentication not.
What second part of EAP-TLS? The server supports authenticating via client certificates, and nothing else.
So .... in the peap section in the eap.conf, what I´ve to configure for default eap type? Is tls ?
No. You can leave it alone. It's fine.
If I configure tls, I´ve to create a tls section in the peap section or the tls section of the eap.conf is enough. I´ve attached my eap.conf file.
If you want to use just TLS, you don't need the PEAP section. If you want to use PEAP, you need the TLS section. The comments in the "eap.conf" file explain this. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Marcelo Augusto Rodrigues Pimentel