Sending CA certificate during EAP-TLS
Hi all, Is there any way to configure free radius + eap-tls module to avoid to send CA certificate during EAP-TLS negotiation? As Free Radius is sending it right now EAP-TLS packets get fragmented and I would like to avoid it. Thanks in advance.
Hi, in the file referenced by the option variable "certificate_file" in the tls section only put the server certificate (and optionally the private key) of your RADIUS server. i.e. don't put ca certificates of the chain into that file. I don't know how to prevent the client from sending CA path certificates.... Rafa Marin wrote:
Hi all,
Is there any way to configure free radius + eap-tls module to avoid to send CA certificate during EAP-TLS negotiation? As Free Radius is sending it right now EAP-TLS packets get fragmented and I would like to avoid it.
-- Beste Gruesse / Kind Regards Reimer Karlsen-Masur DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Slightly off-topic. Is anyone aware of a DHCP server with radius support. Or even just with exec support? I 'd like to setup a DHPC that will ask a radius server for IP instead of assigning it itself -- Kostas Kalevras - Network Operations Center National Technical University of Athens http://kkalev.wordpress.com
Kostas Kalevras wrote:
Slightly off-topic. Is anyone aware of a DHCP server with radius support. Or even just with exec support? I 'd like to setup a DHPC that will ask a radius server for IP instead of assigning it itself
Nope. I spent a while looking at adding RADIUS support to the ISC server last year. It turned out it was just too difficult. Alan DeKok.
How about DHCP with LDAP ?
Kostas Kalevras wrote:
Slightly off-topic. Is anyone aware of a DHCP server with radius support. Or even just with exec support? I 'd like to setup a DHPC that will ask a radius server for IP instead of assigning it itself
Nope. I spent a while looking at adding RADIUS support to the ISC server last year. It turned out it was just too difficult.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Karlsen, 2007/6/20, Reimer Karlsen-Masur, DFN-CERT <karlsen-masur@dfn-cert.de>:
Hi,
in the file referenced by the option variable "certificate_file" in the tls section only put the server certificate (and optionally the private key) of your RADIUS server.
I think this might work (after some tests i did). But my immediate question is how the server is supposed to verify client certificate if we don't configure any CA certificate?. i.e. don't put ca certificates of the chain into that file.
I don't know how to prevent the client from sending CA path certificates....
Rafa Marin wrote:
Hi all,
Is there any way to configure free radius + eap-tls module to avoid to send CA certificate during EAP-TLS negotiation? As Free Radius is sending it right now EAP-TLS packets get fragmented and I would like to avoid it.
-- Beste Gruesse / Kind Regards
Reimer Karlsen-Masur
DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Rafa Marin wrote:
Hi Karlsen,
2007/6/20, Reimer Karlsen-Masur, DFN-CERT <karlsen-masur@dfn-cert.de <mailto:karlsen-masur@dfn-cert.de>>:
Hi,
in the file referenced by the option variable "certificate_file" in the tls section only put the server certificate (and optionally the private key) of your RADIUS server.
I think this might work (after some tests i did). But my immediate question is how the server is supposed to verify client certificate if we don't configure any CA certificate?.
Argh, your misunderstanding is because of the inline documentation/default setup of the eap config file. *Trusted* CAs for client auth are stored in CA_file or CA_path So there is no conflict here with certificate_file option. And IMO usually CA_file and certificate_file should *not* contain the same CA certs because I guess in the majority of cases the RADIUS server cert is issued by some (commercial) server CA where as the client certs are mostly issued by some home grown user CA. Saying that there might be cases where the CA certificates from CA_file are indeed the CA chain certs of the RADIUS server certificate..... -- Beste Gruesse / Kind Regards Reimer Karlsen-Masur DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Reimer Karlsen-Masur, DFN-CERT escribió: Hi Karlsen, thanks for the answer, please see inline...
Argh, your misunderstanding is because of the inline documentation/default setup of the eap config file.
*Trusted* CAs for client auth are stored in
CA_file
or
CA_path
So there is no conflict here with certificate_file option.
And IMO usually CA_file and certificate_file should *not* contain the same CA certs
Well in my current configuration I have the RADIUS server certificate in certificate_file and CA certificate in CA_file. But with that configuration , the radius server is still sending the CA certificate. Having said that , your proposal was to not include the CA certificate in the RADIUS server certificate (in certificate_file variable) My RADIUS server certificate does not have the CA certificate included. Even so, the RADIUS server is including the CA certificate :(... any alternative solution?.
because I guess in the majority of cases the RADIUS server cert is issued by some (commercial) server CA where as the client certs are mostly issued by some home grown user CA.
Saying that there might be cases where the CA certificates from CA_file are indeed the CA chain certs of the RADIUS server certificate.....
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, Rafa Marín López wrote:
Reimer Karlsen-Masur, DFN-CERT escribió:
Hi Karlsen,
thanks for the answer, please see inline...
Argh, your misunderstanding is because of the inline documentation/default setup of the eap config file.
*Trusted* CAs for client auth are stored in
CA_file
or
CA_path
So there is no conflict here with certificate_file option.
And IMO usually CA_file and certificate_file should *not* contain the same CA certs Well in my current configuration I have the RADIUS server certificate in certificate_file and CA certificate in CA_file.
But with that configuration , the radius server is still sending the CA certificate.
Having said that , your proposal was to not include the CA certificate in the RADIUS server certificate (in certificate_file variable)
My RADIUS server certificate does not have the CA certificate included. Even so, the RADIUS server is including the CA certificate :(...
any alternative solution?.
No. If the configuration is as minimal as suggested (no chain certificates in certificate_file) and FreeRadius is still sending the complete server CA chain build, this must be some FreeRadius magic.... How do you check if FreeRadius is actually sending the chain? -- Beste Gruesse / Kind Regards Reimer Karlsen-Masur DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
participants (6)
-
Alan DeKok -
Edvin Seferovic -
Kostas Kalevras -
Rafa Marin -
Rafa Marín López -
Reimer Karlsen-Masur, DFN-CERT