FreeRADIUS with 2 certs/CAs etc
hi, in the UK I deal with various questions regarding FreeRADIUS configuration and abilities - occasionally a question pops up that I'm very unfamilar with or havent got a direct clue to answer.. today one of those reemerged and as this might affect anyone at any point I was looking for best practice or a methodology. Say you have a nice FR setup...all is going well and everything is fine but then you have an issue with the certificate - eg its going to expire , or its been revoked...then you are going to have to have a new certificate for your FR server - but your clients will have the old certificate and CA - and your new clients will have the new cert and CA..and you might not be able to sort out all your clients for some time - hopefully before the final day of cert validity! anyway, in summary, your RADIUS server has to answer to the old clients and the new clients. What is the best practice way or configuration to ensure that your RADIUS server can be both people...old servercert+old_CA and new servertcert+new_CA so that it can deal with both types of clients. I'm thinking 2 virtual servers....one with old eap.conf and the other with neweap.conf with each virtual server ready to deal with each type of client - but then how to direct the incoming EAP to the right way. I cant see the normal fall-through group working --because the client has to create the EAP tunnel... or would a normal fallthrough system work... we send it to eap1 and if it fails send it to eap2 (which should be okay if client config okay!) ? I can envisage fronting it with a.n.other RADIUS solution which will proxy the request through a remote server list UNTIL it doesnt get a REJECT back.. but i dont want additional software in the mix thanks alan
Alan Buxey wrote:
anyway, in summary, your RADIUS server has to answer to the old clients and the new clients. What is the best practice way or configuration to ensure that your RADIUS server can be both people...old servercert+old_CA and new servertcert+new_CA so that it can deal with both types of clients.
Stick your fingers in your ears and go "la la la la la". It's a big problem with certificates and PKI. The best solution is: 1) CA cert, 4K bit key, many many years of validity 2) server cert, 2K bit key, a smaller validity period 3) give the CA cert to clients, and not the server cert 4) LONG before the CA expires, hand them a new CA that is still valid. 5) when everyone has the new CA, switch to using it. 6) anyone still using the old CA is screwed. Tough.
I'm thinking 2 virtual servers....one with old eap.conf and the other with neweap.conf with each virtual server ready to deal with each type of client - but then how to direct the incoming EAP to the right way.
You can't. The SSL session setup is invisible to EAP. Even if it wasn't, the SSL session setup depends on the certs... and you can't switch certs once you've set up a session based on them. Alan DeKok.
Hi Alan, First, I don't profess to be an eap expert and what follows is based upon my understanding of how eap and RADIUS work.. I'm also interested to see if anyone else has any other thoughts..
anyway, in summary, your RADIUS server has to answer to the old clients and the new clients. What is the best practice way or configuration to ensure that your RADIUS server can be both people...old servercert+old_CA and new servertcert+new_CA so that it can deal with both types of clients.
I'm not sure if this is best practice and it certainly doesn't apply to all environments, but we control WiFi settings on our laptops using A/D group policy. This way, we can quickly push out changes and/or new certificates. Then, if the RADIUS server certificate changes, it requires that the user logon via wired network to get policy updates before they can connect to our WiFi network. As far as dual certificates, we do that, but for a different reason. I use one virtual server and some unlang to direct the request at a specific eap instance (I have 2 instances). I use one eap instance for internal WiFi networks (i.e., Corporate machines connecting to our internal network) and present an internally signed cert. I have another eap instance for guest users which presents a publicly signed cert (to avoid the cumbersome process of distributing our internal CA's cert to the guests and teaching them how to install it on their system). I determine which eap instance to call based upon the SSID to which they are connecting (which is in a request attribute). So, it is possible to accomplish this with one server. However, unless you have a way to distinguish between machines that have received the new cert and machines that haven't, I can't think of a way for you to accomplish what you want. If it's WiFi authentication, perhaps you could create a new SSID and have machines with the new cert connect to the new SSID (not difficult if you're changing which SSID is automatic and what cert. is acceptable through an automated method, e.g. A/D group policy). The problem you have is that it's not FR that is causing the rejection. Rather, the client is rejecting the RADIUS server's certificate which causes the eap tunnel creation to fail. You can't force the client to try again in this case and even if you could, how would you know that the 2nd try should go to a different eap instance (it's a new request and you can't make decisions based upon the results of historical requests that I know of).
I'm thinking 2 virtual servers....one with old eap.conf and the other with neweap.conf with each virtual server ready to deal with each type of > client - but then how to direct the incoming EAP to the right way.
One or 2 virtual servers could work. Your last question is the issue - you need a way to determine whether the client connecting has the new cert. because if you present the wrong one, the SSL connection will fail. Once the tunnel creation fails, the client would need to send a new request in order to try again.
I cant see the normal fall-through group working --because the client has to create the EAP tunnel... or would a normal fallthrough system work... we send it to eap1 and if it fails send it to eap2 (which should be okay if client config okay!) ?
I don't think so because the client is causing the tunnel creation to fail because the certificate wasn't acceptable. If this were possible, then someone could create an SSID that matches yours and keep trying various certificates until it found one you liked. The purpose of the server certificate validation is to reduce the probability that someone can spoof your infrastructure (which is why using internal certs is better because someone on the outside, in theory, couldn't digitally sign a cert. from your internal CA, but they could easily get a cert. from Verisign).
I can envisage fronting it with a.n.other RADIUS solution which will proxy the request through a remote server list UNTIL it doesnt get a REJECT back.. but i dont want additional software in the mix
I don't think this will help for the reasons I described above..
Hi, ah..if all our systems were under full control and were Windows boxes life would be easier - but so much duller :-) we have a mixture of clients and a mixture of centrally managed and personal systems.... I can certainly see that using a seperate SSID would be a way of doing it.. but not helpful for remote access when only 1 SSID is available.
I don't think so because the client is causing the tunnel creation to fail because the certificate wasn't acceptable. If this were possible, then someone could create an SSID that matches yours and keep trying various certificates until it found one you liked. The purpose of the server certificate validation is to reduce the probability that someone can spoof your infrastructure (which is why using internal certs is better because someone on the outside, in theory, couldn't digitally sign a cert. from your internal CA, but they could easily get a cert. from Verisign).
oh certainly and for sure - we recommend a closed-loop system, self-signed.. and we also recommend that the server cert is checked (ensure that the client checks the server!) without these two things, the EAP method can be compromised. however, being secure and using EAP and PKI does mean having to be ready for particular eventualities... a server cert expiration is easy..just resign with CA... but a CA expiry..hmm. as Alan Dekok said...deploy a new CA in advanced and then sign server with that new CA and put cert into place. remember....when such event happens it could be rather immediate...eg noones keeping eye on certs. tuesday morning cert expires...client offline..everyone panics etc. plan needs to be ready for such a time alan
as Alan Dekok said...deploy a new CA in advanced and then sign server with that new CA and put cert into place.
I read Alan's reply and it's logical (as usual ;-) ). Perhaps it wasn't stated because it was intuitively obvious, but the only thing I would add is that when the new CA cert is deployed to the clients, their wireless config should also be changed to accept both the new and old CA. This way, when you eventually switch FR to the cert signed by the new CA, it will be accepted.
Hi, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Say you have a nice FR setup...all is going well and everything is fine but then you have an issue with the certificate - eg its going to expire , or its been revoked...then you are going to have to have a new certificate for your FR server - but your clients will have the old certificate and CA - and your new clients will have the new cert and CA..and you might not be able to sort out all your clients for some time - hopefully before the final day of cert validity!
So my rant to the JANET certificate service reached your desk eh? :-/ So others have a clear view of the situation, most of Europe's academic world can get free SSL signed certificates with the clause they cannot be used for financial transactions. Great, everyone with 802.1X deployed nabbed them up....as did a lot of web monkeys. In the web monkey world no one cares what Root CA is used to sign the server certificate...in the 802.1X world you hard code what the Root CA is meant to be and also the subject line; unless you are keen to have Bad People(tm) nick all your users credentials with an Evil Twin(tm) access point attack. :) This I'm pretty sure you are familar with. Now, usually for Root CA changing your timetable for migration is at least a year in advance of the expiry date of the existing one. During this year the new clients you prime will accept the Root CA to be one of two (your existing Root CA and the one you are planning to move to). The following year you remove the old one. This seems to work well for us as every year it's a new batch of students coming through and all the existing ones have managed to persuade their parents that unless they get a new computer every year they will fail their degrees. :) Imagine you are now told, you know those freebie cert's you and everyone else are using with the expiry date that is 18 months away...it's being revoked in April for no technical reason...[snipped politics]. Now the constraints, off the top of my head, probably more: * we do not control or administer the workstations that connect to our network (they are not part of an AD domain and centrally managed); we deal with student's and staff's personal kit * emails to users asking them to download new software is obviously not a great idea, plus even if you get the wording right only about 30% will probably make the amendment * 'death' occurs in April, the new term has started and the new batch of students/lapdogs are already online * when there is a subject mismatch error, the client simply does nothing but grumble there was an issue; unless you got a Mac then you just blindly click "I want the rope to be this long..." In short I cannot see a workaround... The longer story...there is a vaguely possible way that has a chance of working if the planets are correctly aligned but it is so horrible[1] I would never recommend or deploy it; as the 'exit strategy' is messy. Anyone who figures it out, and is crazy enough to deploy it on their network...thumbs up to you you crazy animal...but I plead, do not unleash the horrors unto the world or advertise it's existence. It's like a nuclear bomb, great when you have it...but really would you trust *everyone* else with it? ;) Cheers [1] besides it would only immunise around 50% of the UK federation; the portion that is using FreeRADIUS, Radiator probably could be kludged too though -- Alexander Clouter .sigmonster says: List was current at time of printing.
participants (4)
-
Alan Buxey -
Alan DeKok -
Alexander Clouter -
Garber, Neal