certificates for TLS Tunnel (peap mschap v2 authentication)
hi ! I'd like to set up an authentication system (for wireless clients) based on freeradius. I'm using a DC windows 2003 with Active Directory to manage my users and groups... i know ... its baaaad :-) but i don't have the choice ! I have built a linux server (fedora core 5), with freeradius, a kerberos client, samba and winbind to reach my domain. No problems so far. I'd like to authenticate my supplicants with PEAP-MSCHAP v2 and so i must set up a PKI for the TLS tunnel. My problem is here. I don't know how to use certificates in the freeradius directory: root.pem, root.p12, root.der cert-clt.pem, cert-clt.p12, cert-clt.der cert-srv.pem, cert-srv.p12, cert-srv.der any advice ... suggestions or anything else ??? Thanks ! Julien
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 julien blanc wrote:
My problem is here. I don't know how to use certificates in the freeradius directory: root.pem, root.p12, root.der cert-clt.pem, cert-clt.p12, cert-clt.der cert-srv.pem, cert-srv.p12, cert-srv.der
any advice ... suggestions or anything else ???
You can tell the WPA client not to validate the server certificate. If so, no certificate will be checked. If you want to check the server: 1- Add root.p12 to as a trusted certificate on all clients 2- Add root.p12 and cert-srv.p12 to the DC. use the mmc.exe, with the Certificate snap-in. You should be all set! - -- ============== +---------------------------------------------+ Martin Gadbois | "Please answer by yes or no. | Sr. SW Designer | Uncooperative user waste precious CPU time" | Colubris Networks Inc. | -- The Andromeda Strain, M. Crichton, 1969 | -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGlkYM9Y3/iTTCEDkRAiggAJ9xufiNk2vooTXOIYS/b3ewKGzp6wCggvlP AfbT5hvNp8oNjCFHQdgj/jg= =4Pj1 -----END PGP SIGNATURE-----
Thanks Martin i've just tried to make the changes that you have suggested and i have the following problem i don't know how to import .p12 files. In the mmc i have to give a pass for the private key and i don't know where i can find it ! (and if it's possible). do you think i can try with .der or .pem files ? thanks for your help ! Julien 2007/7/12, Martin Gadbois <martin.gadbois@colubris.com>:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
julien blanc wrote:
My problem is here. I don't know how to use certificates in the freeradius directory: root.pem, root.p12, root.der cert-clt.pem, cert-clt.p12, cert-clt.der cert-srv.pem, cert-srv.p12, cert-srv.der
any advice ... suggestions or anything else ???
You can tell the WPA client not to validate the server certificate. If so, no certificate will be checked. If you want to check the server: 1- Add root.p12 to as a trusted certificate on all clients 2- Add root.p12 and cert-srv.p12 to the DC.
use the mmc.exe, with the Certificate snap-in.
You should be all set!
- -- ============== +---------------------------------------------+ Martin Gadbois | "Please answer by yes or no. | Sr. SW Designer | Uncooperative user waste precious CPU time" | Colubris Networks Inc. | -- The Andromeda Strain, M. Crichton, 1969 | -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGlkYM9Y3/iTTCEDkRAiggAJ9xufiNk2vooTXOIYS/b3ewKGzp6wCggvlP AfbT5hvNp8oNjCFHQdgj/jg= =4Pj1 -----END PGP SIGNATURE----- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 julien blanc wrote:
i don't know how to import .p12 files. In the mmc i have to give a pass for the private key and i don't know where i can find it ! (and if it's possible).
The password is the one you should've given when creating the .p12 file. OpenSSL contains utilities to convert from .pem/.der to .p12, with the password option. Seek help on "openssl p12".
do you think i can try with .der or .pem files ?
Those are OpenSSL's format, which Microsoft does not use. Ref: www.openssl.org I like OpenVPN's key management: http://openvpn.net/easyrsa.html - -- ============== +---------------------------------------------+ Martin Gadbois | "Please answer by yes or no. | Sr. SW Designer | Uncooperative user waste precious CPU time" | Colubris Networks Inc. | -- The Andromeda Strain, M. Crichton, 1969 | -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGnOLo9Y3/iTTCEDkRAo3EAJ4k+Erwf76jmkvJ3gZ+z7n/KKigYwCfeegV KU8I2eoV/LFGa0BB3oFwfN8= =YVvw -----END PGP SIGNATURE-----
Hi, julien blanc wrote:
hi !
I'd like to set up an authentication system (for wireless clients) based on freeradius.
I'm using a DC windows 2003 with Active Directory to manage my users and groups... i know ... its baaaad :-) but i don't have the choice !
I have built a linux server (fedora core 5), with freeradius, a kerberos client, samba and winbind to reach my domain. No problems so far.
I'd like to authenticate my supplicants with PEAP-MSCHAP v2 and so i must set up a PKI for the TLS tunnel.
well, you need a server certificate for your FreeRADIUS server.
My problem is here. I don't know how to use certificates in the freeradius directory:
This is some root-CA certificate and its secrete key:
root.pem, root.p12, root.der
This is a client cert signed by above root-CA certificate and its secrete key (you only need this when doing EAP-TLS):
cert-clt.pem, cert-clt.p12, cert-clt.der
This is a server cert signed by above root-CA certificate and its secrete key (you can use this cert as server certificate of FreeRADIUS):
cert-srv.pem, cert-srv.p12, cert-srv.der
The slides on <http://www.dfn.de/content/fileadmin/1Dienstleistungen/Roaming/DFNRoaming-Workshop-20070426-Handout.pdf> page 20ff might help. Googles language tools might be some help :-/
any advice ... suggestions or anything else ???
As for the passwords of the .p12 files or secret keys: you set them yourself if you did not leave them empty.... On the Windows supplicants you can import the root.pem file. *Check* that this file *does not* contain the private key. It's in ASCII format, so you can look into the file and will see, if it's just the cert or if there is an additional key in the file. If the latter is the case make a copy of that file and remove the key part. Rename the file to .cer or .crt and import the result into Windows supplicants by double clicking or MMCs certificate snap-in. Client certificates are *not* needed for PEAP ms-chapv2. HTH -- Beste Gruesse / Kind Regards Reimer Karlsen-Masur DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
participants (3)
-
julien blanc -
Martin Gadbois -
Reimer Karlsen-Masur, DFN-CERT