eap-tls with valid and fake certificates.
Hello ! The Idea is to authenticate users with eap-tls with certficates. People without any certificate should use different vlan provided by Radius. Only supported authentication should be eap-tls. Is it possible to make authentication with eap-tls with certficates for valid users and some "guest vlan" for users which hasnt any or unknown certificates ? I'tried many things like default authenticate , post-auth-type (with update control Auth-Type :=Accept). Allways i had reject or stuck with no network configuration. Radius should provide attributes for valid users: Tunnel-Type � = 13 Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID = 2111 and Tunnel-Type � = 13 Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID = 2211 for invalid users. How i do it ? thanks for help Marcin
On Fri, 2019-12-27 at 17:47 +0100, codythejack wrote:
Hello ! The Idea is to authenticate users with eap-tls with certficates. People without any certificate should use different vlan provided by Radius. Only supported authentication should be eap- tls. Is it possible to make authentication with eap-tls with certficates for valid users and some "guest vlan" for users which hasnt any or unknown certificates ?
It's not possible. If the device doesn't present a valid certificate, it won't authenticate. You can't force an "Accept" with EAP methods. You will need to use a different method to handle guest accounts. If you want to use EAP-TLS only you will have to issue certificates to everyone. -- Matthew
Hello,
Hello ! The Idea is to authenticate users with eap-tls with certficates. People without any certificate should use different vlan provided by Radius. Only supported authentication should be eap- tls. Is it possible to make authentication with eap-tls with certficates for valid users and some "guest vlan" for users which hasnt any or unknown certificates ?
It's not possible. If the device doesn't present a valid certificate, it won't authenticate. You can't force an "Accept" with EAP methods.
Really? Couldn't you branch the processing based on the outer ID? Let all your well-managed users present some special outer id and treat the rest differently. Like in radiusd.conf, you do if ( &User-Name == "my-fancy-outer-id@my-institution.org") { eap { ok = return } } else { [do other stuff] } In the users file, make sure the every bunch of users gets the correct reply items, i.e. Tunnel-Private-Group-ID etc. The "Other stuff" section could be ommitted, then default processing goes on. Or you could call an alternate eap config here you have prepared in the eap module configuration. This setup would seem a bit shaky, though: A mistake in the users file could easily bring the internal VLAN to your guests. But then, you could branch even earlier by proxying different outer IDs to different virtual servers, right? Only this time, the decision would be based on the realm part of the outer ID. Cheers, Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
On Fri, 2020-01-17 at 12:06 +0100, Martin Pauly wrote:
The Idea is to authenticate users with eap-tls with certficates. People without any certificate should use different vlan provided by Radius. Only supported authentication should be eap- tls. Is it possible to make authentication with eap-tls with certficates for valid users and some "guest vlan" for users which hasnt any or unknown certificates ?
It's not possible. If the device doesn't present a valid certificate, it won't authenticate. You can't force an "Accept" with EAP methods.
Really?
Yes, really, given the "only EAP-TLS" requirements above. Both "without a certificate should be in a different VLAN" and "guest VLAN for users without a certificate, or an unknown cert" are impossible. EAP-TLS *requires* a valid certificate to authenticate.
Couldn't you branch the processing based on the outer ID? Let all your well-managed users present some special outer id and treat the rest differently.
Don't trust the outer ID. Look at the certificate data after it's been validated, for example by using the check-eap-tls virtual server. -- Matthew
Am 17.01.20 um 12:27 schrieb Matthew Newton:
Yes, really, given the "only EAP-TLS" requirements above.
OK I got it. Behind one SSID, you can very well branch into different EAP configs (actually I think , the first time I saw this was 10+ years ago in a post by Matthew :-) ). But doing EAP-TLS does mean to exchange keys, no matter if someone validates the client cert. IMO, the OP confuses the cases "no client cert at all" vs. "client cert must present, but the is not validated". You commented on the latter case, I on the former. Thanks for clearing this up Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
On Jan 17, 2020, at 7:44 AM, Martin Pauly <pauly@hrz.uni-marburg.de> wrote:
OK I got it. Behind one SSID, you can very well branch into different EAP configs (actually I think , the first time I saw this was 10+ years ago in a post by Matthew :-) ).
Yes.
But doing EAP-TLS does mean to exchange keys, no matter if someone validates the client cert.
Doing EAP-TLS, TTLS, PEAP, even EAP-MSCHAPv2.
IMO, the OP confuses the cases "no client cert at all" vs. "client cert must present, but the is not validated". You commented on the latter case, I on the former.
It's all the same. If the NAS expects to see MS-MPPE keys, then the RADIUS server *must* send them. And, send the correct ones. Otherwise it won't work. Alan DEKok.
On Jan 17, 2020, at 6:06 AM, Martin Pauly <pauly@hrz.uni-marburg.de> wrote:
It's not possible. If the device doesn't present a valid certificate, it won't authenticate. You can't force an "Accept" with EAP methods.
Really? Couldn't you branch the processing based on the outer ID?
It's impossible. You *can* send back an Access-Accept. That Access-Accept can contain an EAP Success packet. But... you *can't* send back correctly formatted MS-MPPE keys. Those keys *must* match between the NAS / AP and the supplicant. If they don't match, the user can't get online. The *only* way to calculate those keys is to perform the full EAP transaction. Alan DeKok.
participants (4)
-
Alan DeKok -
codythejack -
Martin Pauly -
Matthew Newton