Hi, I am currently testing FreeRadius 3.0.12 (debian package). When I'm using the certificates declared in mods-enabled/eap on a TLS client, I get an Access-Accept! This is not dramatic, because these certificates should not be disclosed under any circumstances, but I would still like to know if it's a normal behavior and how to prevent it? Thanks.
On Feb 2, 2018, at 4:55 AM, wouldsmina <wouldsmina@gmail.com> wrote:
I am currently testing FreeRadius 3.0.12 (debian package). When I'm using the certificates declared in mods-enabled/eap on a TLS client, I get an Access-Accept! This is not dramatic, because these certificates should not be disclosed under any circumstances, but I would still like to know if it's a normal behavior and how to prevent it?
The server creates test certificates. For... testing. Such as with EAP-TLS. If you install the test certs on a client, they will work. You were the one who disclosed them to the client. If you don't want to use the test certificates, then delete them. Alan DeKok.
Certificates (certificate_file, private_key_file, and ca_file) are needed to establish the EAP tunnel (with peap or ttls). I corrected my problem by removing the tls {} section into mods_enables/eap file... No tls, no problem (for me) :) Thanks for your help 2018-02-02 13:13 GMT+01:00 Alan DeKok <aland@deployingradius.com>:
On Feb 2, 2018, at 4:55 AM, wouldsmina <wouldsmina@gmail.com> wrote:
I am currently testing FreeRadius 3.0.12 (debian package). When I'm using the certificates declared in mods-enabled/eap on a TLS client, I get an Access-Accept! This is not dramatic, because these certificates should
not
be disclosed under any circumstances, but I would still like to know if it's a normal behavior and how to prevent it?
The server creates test certificates. For... testing. Such as with EAP-TLS.
If you install the test certs on a client, they will work. You were the one who disclosed them to the client.
If you don't want to use the test certificates, then delete them.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Feb 2, 2018, at 7:46 AM, wouldsmina <wouldsmina@gmail.com> wrote:
Certificates (certificate_file, private_key_file, and ca_file) are needed to establish the EAP tunnel (with peap or ttls).
Yes... that *is* how it works.
I corrected my problem by removing the tls {} section into mods_enables/eap file... No tls, no problem (for me) :)
Well, maybe. If you don't want to use EAP-TLS, then you shouldn't issue client certificates. And please DO NOT use the "sample" certificates in a production environment. They're only for testing. Alan DeKok.
I want to use client certificates, so I must only authenticate on EAP-TLS? -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy=skno.by@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, February 2, 2018 3:48 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: TLS client and server certificates On Feb 2, 2018, at 7:46 AM, wouldsmina <wouldsmina@gmail.com> wrote:
Certificates (certificate_file, private_key_file, and ca_file) are needed to establish the EAP tunnel (with peap or ttls).
Yes... that *is* how it works.
I corrected my problem by removing the tls {} section into mods_enables/eap file... No tls, no problem (for me) :)
Well, maybe.
If you don't want to use EAP-TLS, then you shouldn't issue client certificates.
And please DO NOT use the "sample" certificates in a production environment. They're only for testing.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
If you don't want to use EAP-TLS, then you shouldn't issue client certificates.
ah! so I'm on the wrong track...
And please DO NOT use the "sample" certificates in a production environment. They're only for testing.
I'm on a test environment but I use my own certificates ;) the client must verify the authenticity of the server but must not be able to authenticate (with private/public keys). I will continue my test (and search) to find the "right solution". Thank you 2018-02-02 13:53 GMT+01:00 Vacheslav <m_zouhairy@skno.by>:
I want to use client certificates, so I must only authenticate on EAP-TLS?
-----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+m_zouhairy= skno.by@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, February 2, 2018 3:48 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: TLS client and server certificates
On Feb 2, 2018, at 7:46 AM, wouldsmina <wouldsmina@gmail.com> wrote:
Certificates (certificate_file, private_key_file, and ca_file) are needed to establish the EAP tunnel (with peap or ttls).
Yes... that *is* how it works.
I corrected my problem by removing the tls {} section into mods_enables/eap file... No tls, no problem (for me) :)
Well, maybe.
If you don't want to use EAP-TLS, then you shouldn't issue client certificates.
And please DO NOT use the "sample" certificates in a production environment. They're only for testing.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
participants (3)
-
Alan DeKok -
Vacheslav -
wouldsmina