Freeradius and client certificate support
Hi all, I would like to configure an access point to accept client certificates only, with no usernames and passwords. As a understand, what I am looking for is EAP-TLS, and I have attempted to configure it against a mikrotik routerboard. I see the radius packet entering the server, with the User-Name set to the MAC address of the incoming client (mikrotik default behaviour). My next step is to suitably configure freeradius to accept the login based on the attributes within the client certificate, and to accept any User-Name, however I can find no documentation how to do this. Ideally, I would like the effective freeradius login name to be the DN of the client certificate. Does anyone know whether this is possible, and if so, what I need to tell freeradius to make this happen? I am using freeradius-1.1.3-1.5.el5_4 (on an RHEL5 system). Regards, Graham --
Graham Leggett wrote:
As a understand, what I am looking for is EAP-TLS, and I have attempted to configure it against a mikrotik routerboard. I see the radius packet entering the server, with the User-Name set to the MAC address of the incoming client (mikrotik default behaviour).
Then it's likely not doing EAP-TLS.
My next step is to suitably configure freeradius to accept the login based on the attributes within the client certificate, and to accept any User-Name, however I can find no documentation how to do this.
There is no documentation because you don't need to do anything. When EAP-TLS is used, then any User-Name is accepted.
Ideally, I would like the effective freeradius login name to be the DN of the client certificate.
Then use EAP-TLS. If the User-Name is the MAC, then you're not using EAP-TLS.
Does anyone know whether this is possible, and if so, what I need to tell freeradius to make this happen?
Tell the *NAS* to ask for EAP. Tell the *client PC* to use EAP-TLS. Alan DeKok.
On 30 Aug 2010, at 9:00 AM, Alan DeKok wrote:
As a understand, what I am looking for is EAP-TLS, and I have attempted to configure it against a mikrotik routerboard. I see the radius packet entering the server, with the User-Name set to the MAC address of the incoming client (mikrotik default behaviour).
Then it's likely not doing EAP-TLS.
Can you be more specific when you say "it's"? The routerboard in the middle is configured to do "passthrough" of eap to the radius server, and the radius server is configured to say the following: default_eap_type = tls The client (MacOSX) seems to have no idea that either the NAS or the radius server wants to use EAP-TLS, and pops up a window asking for both a certificate, and a username and password. Over and above the steps followed above, I am in the dark as to whether something else need to be done to make this work.
My next step is to suitably configure freeradius to accept the login based on the attributes within the client certificate, and to accept any User-Name, however I can find no documentation how to do this.
There is no documentation because you don't need to do anything. When EAP-TLS is used, then any User-Name is accepted.
It would be useful if that was documented :)
Ideally, I would like the effective freeradius login name to be the DN of the client certificate.
Then use EAP-TLS. If the User-Name is the MAC, then you're not using EAP-TLS.
The "Username as MAC" behaviour seems to be mikrotik behaviour, without documentation I have no clear picture as to how this affects the login.
Does anyone know whether this is possible, and if so, what I need to tell freeradius to make this happen?
Tell the *NAS* to ask for EAP. Tell the *client PC* to use EAP-TLS.
Ok, now I am confused. Am I correct in understanding that the client PC is not able to figure out for itself which type of EAP it should use, and that the end user has to manually set EAP-TLS for it work? The reason I ask is that my client PC gives a number of checkboxes as to the types of EAP it will support, which implies that it's the radius server that specifies the type of EAP accepted, but if you're telling me that I must manually set this on the client PC, it would imply this is not possible. Can you clarify for me if possible? Regards, Graham --
Graham Leggett wrote:
On 30 Aug 2010, at 9:00 AM, Alan DeKok wrote:
Then it's likely not doing EAP-TLS.
Can you be more specific when you say "it's"?
None of the pieces are doing EAP.
The routerboard in the middle is configured to do "passthrough" of eap to the radius server, and the radius server is configured to say the following:
default_eap_type = tls
That *allows* the server to do EAP. It doesn't make the PC do EAP.
The client (MacOSX) seems to have no idea that either the NAS or the radius server wants to use EAP-TLS, and pops up a window asking for both a certificate, and a username and password.
Exactly. So... configure the Mac system to do EAP. Configure the NAS to require EAP on the port. Neither of these issues are related to FreeRADIUS.
Over and above the steps followed above, I am in the dark as to whether something else need to be done to make this work.
See above.
There is no documentation because you don't need to do anything. When EAP-TLS is used, then any User-Name is accepted.
It would be useful if that was documented :)
That's how EAP-TLS *works*. This isn't a FreeRADIUS issue.
The "Username as MAC" behaviour seems to be mikrotik behaviour, without documentation I have no clear picture as to how this affects the login.
If the Mac system isn't doing EAP, then that would seem to affect the login process.
Am I correct in understanding that the client PC is not able to figure out for itself which type of EAP it should use, and that the end user has to manually set EAP-TLS for it work?
Yes. That's how EAP works.
The reason I ask is that my client PC gives a number of checkboxes as to the types of EAP it will support, which implies that it's the radius server that specifies the type of EAP accepted, but if you're telling me that I must manually set this on the client PC, it would imply this is not possible.
If you want to use EAP-TLS, there are certain things you *must* configure on the end system. It can't magically obtain a client certificate. You need to provide one. Alan DeKok.
On 30 Aug 2010, at 2:01 PM, Alan DeKok wrote:
If you want to use EAP-TLS, there are certain things you *must* configure on the end system. It can't magically obtain a client certificate. You need to provide one.
Let me start again. I have a client certificate on the client PC already. This client certificate is trusted by a CA certificate, which is set under the "CA_file" option in the tls section of the eap configuration in freeradius. I have a routerboard offering a wifi interface, and this routerboard offers me just one single radius option called "passthrough". I understand that this means that an attempt will be made for the client PC to pass the EAP through to the radius server. What I want to happen is that the client PC makes an attempt to connect to the wireless network, and based on the fact that a valid client certificate is present, connection is established automatically using EAP-TLS. Ideally I would like to lookup the DN of the certificate in a database of some kind and accept or deny the connection, but at this point I'm focusing just on the most basic capability at this point - EAP-TLS. What do I need to do to the freeradius server to make this possible? Do I need to switch off everything except for the tls section to stop freeradius trying to offer other EAP methods and confusing the client? Regards, Graham --
Graham Leggett wrote:
I have a client certificate on the client PC already. This client certificate is trusted by a CA certificate, which is set under the "CA_file" option in the tls section of the eap configuration in freeradius.
OK.
I have a routerboard offering a wifi interface, and this routerboard offers me just one single radius option called "passthrough". I understand that this means that an attempt will be made for the client PC to pass the EAP through to the radius server.
If you say so.
What I want to happen is that the client PC makes an attempt to connect to the wireless network, and based on the fact that a valid client certificate is present, connection is established automatically using EAP-TLS.
Which requires the client to be configured to do that.
Ideally I would like to lookup the DN of the certificate in a database of some kind and accept or deny the connection, but at this point I'm focusing just on the most basic capability at this point - EAP-TLS.
What do I need to do to the freeradius server to make this possible?
You've done it all.
Do I need to switch off everything except for the tls section to stop freeradius trying to offer other EAP methods and confusing the client?
No. For detailed instructions on EAP-TLS, see: http://freeradius.org/doc/ Alan DeKok.
On 30 Aug 2010, at 2:41 PM, Alan DeKok wrote:
Ideally I would like to lookup the DN of the certificate in a database of some kind and accept or deny the connection, but at this point I'm focusing just on the most basic capability at this point - EAP-TLS.
What do I need to do to the freeradius server to make this possible?
You've done it all.
The closest I've got is to use a MacOSX Snow Leopard machine, and manually specify EAP-TLS, and manually choose the certificate, but at that point I get this: Mon Aug 30 08:12:56 2010 : Error: TLS_accept:error in SSLv3 read client hello C Mon Aug 30 08:12:56 2010 : Error: rlm_eap: SSL error error: 140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized Mon Aug 30 08:12:56 2010 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. Mon Aug 30 08:12:56 2010 : Error: rlm_eap: SSL error error: 00000000:lib(0):func(0):reason(0) Mon Aug 30 08:12:56 2010 : Error: rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails. Mon Aug 30 08:12:56 2010 : Auth: Login incorrect: [snip-cn-of- certificate] (from client hotspot port 0 cli 34-15-9E-90-F7-5B) Do you know what a "session id context" is, and why one might be uninitialised?
For detailed instructions on EAP-TLS, see:
The only reference to EAP-TLS on the above page is under a section called "Older Documents". The first link is to a PDF file called EAPTLS.pdf, and these instructions tell you to go to "http://www.missl.cs.umd.edu/wireless/eaptls/ " for instructions on how to configure EAP-TLS in freeradius, and this URL no longer exists. The second link is entitled "Another eap-tls HOWTO", which again links to http://www.missl.cs.umd.edu/wireless/eaptls/, is broken as above. Is there any other mention of EAP-TLS in the documentation anywhere? Google wasn't able to find anything. Regards, Graham --
Graham Leggett wrote:
The closest I've got is to use a MacOSX Snow Leopard machine, and manually specify EAP-TLS, and manually choose the certificate, but at that point I get this:
Mon Aug 30 08:12:56 2010 : Error: TLS_accept:error in SSLv3 read client hello C Mon Aug 30 08:12:56 2010 : Error: rlm_eap: SSL error error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized
I don't recall seeing that error before.
Do you know what a "session id context" is, and why one might be uninitialised?
Nope.
For detailed instructions on EAP-TLS, see:
The only reference to EAP-TLS on the above page is under a section called "Older Documents". The first link is to a PDF file called EAPTLS.pdf, and these instructions tell you to go to "http://www.missl.cs.umd.edu/wireless/eaptls/" for instructions on how to configure EAP-TLS in freeradius, and this URL no longer exists.
Uh... the first "EAPTLS.pdf" *is* a link to the PDF file. It contains detailed instructions.
The second link is entitled "Another eap-tls HOWTO", which again links to http://www.missl.cs.umd.edu/wireless/eaptls/, is broken as above.
Is there any other mention of EAP-TLS in the documentation anywhere? Google wasn't able to find anything.
In 2.1.10, there is updated documentation and examples for running EAP-TLS using "eapol_test". Alan DeKok.
On 30 Aug 2010, at 3:34 PM, Alan DeKok wrote:
The closest I've got is to use a MacOSX Snow Leopard machine, and manually specify EAP-TLS, and manually choose the certificate, but at that point I get this:
Mon Aug 30 08:12:56 2010 : Error: TLS_accept:error in SSLv3 read client hello C Mon Aug 30 08:12:56 2010 : Error: rlm_eap: SSL error error: 140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized
I don't recall seeing that error before.
Do you know what a "session id context" is, and why one might be uninitialised?
Nope.
Should I log this as a bug in freeradius?
For detailed instructions on EAP-TLS, see:
The only reference to EAP-TLS on the above page is under a section called "Older Documents". The first link is to a PDF file called EAPTLS.pdf, and these instructions tell you to go to "http://www.missl.cs.umd.edu/wireless/eaptls/" for instructions on how to configure EAP-TLS in freeradius, and this URL no longer exists.
Uh... the first "EAPTLS.pdf" *is* a link to the PDF file. It contains detailed instructions.
Exactly, I've read the PDF file, the only instructions that make reference to freeradius are as follows: "3. OpenSSL and FreeRADIUS setup To configure these two components, please see http://www.missl.cs.umd.edu/wireless/eaptls/ . In order to work with XP, the FreeRADIUS version must be equal to or greater than the April 15, 2002 CVS version." As I pointed out, the link to http://www.missl.cs.umd.edu/wireless/eaptls/ is broken.
The second link is entitled "Another eap-tls HOWTO", which again links to http://www.missl.cs.umd.edu/wireless/eaptls/, is broken as above.
Is there any other mention of EAP-TLS in the documentation anywhere? Google wasn't able to find anything.
In 2.1.10, there is updated documentation and examples for running EAP-TLS using "eapol_test".
Does this have an URL? Regards, Graham --
Graham Leggett wrote:
Should I log this as a bug in freeradius?
Not really. It's an issue with SSL. There's little we can do to fix it.
Exactly, I've read the PDF file, the only instructions that make reference to freeradius are as follows:
"3. OpenSSL and FreeRADIUS setup To configure these two components, please see http://www.missl.cs.umd.edu/wireless/eaptls/. In order to work with XP, the FreeRADIUS version must be equal to or greater than the April 15, 2002 CVS version."
Well.. see raddb/certs/README. It contains instructions on EAP. See also http://deployingradius.com/. It contains detailed instructions on testing EAP, but not EAP-TLS.
In 2.1.10, there is updated documentation and examples for running EAP-TLS using "eapol_test".
Does this have an URL?
http://git.freeradius.org/ See the v2.1.x branch, file src/tests/eap-tls.conf. Alan DeKok.
participants (2)
-
Alan DeKok -
Graham Leggett