WildCard/Subject Alternative Names Cert Question
Hello. I have a FreeRADIUS setup using PEAP/MSCHAPv2 to authenticate wireless clients against an Active Directory environment. We've recently purchased a new wildcard certificate from DigiCert for our organization. The RADIUS server is not covered by the wildcard common name on the certificate, however I have a subject alternative name specifying the RADIUS server hostname on it as well. On my new cert, connection to the system fails when I try validating the new cert (I have all the possible cert authorities checked off.) If I uncheck validate the cert, I am then able to connect. As soon as I place the old cert back in place validation works fine. The old cert was a free signal name cert from IPS CA. The new cert is a wildcard duplicate issued from DigiCert that has the server name as a subject alternative name as it is not covered by the wild card common name we are using - I generated the CSR for this certificate copy using the tools in freeradius (XPExtensions and whatnot.) Should this kind of a cert work, or does 802.1x/PEAP/mschapv2 not support validating by subject alternative names. I tried including the CA Cert in a chain file and not including it and had the same results either way. I know the CA is trusted by Microsoft as this same wildcard cert works in our web applications. Tom Thomas E. Casartello, Jr. Staff Assistant - Wireless/Linux Administrator Information Technology Wilson 105A Westfield State University (413) 572-8245 Red Hat Certified Technician (RHCT) Cisco Certified Network Associate (CCNA)
On 04/15/2011 08:42 PM, Casartello, Thomas wrote:
whatnot.) Should this kind of a cert work, or does 802.1x/PEAP/mschapv2 not support validating by subject alternative names.
This isn't really a FreeRADIUS question; it's down to the supplicant to permit or deny the cert. Anyway... Section 3.2.7.1 of MS-WSH says: """ If the isValidateServerNameEnabled is set to TRUE, then verify that the subject name (Section 4.1.2.6 of [RFC5280]) or subject alternative name (section 4.2.1.6 of [RFC5280]) of the server certificate exists in ServerNames. """ i.e. it should honour subjectAltName. But Microsoft have a habit of ignoring their own standards, so if you're sure your certificate is good, then the only way to be sure is turn on client EAP tracing and dig in the logs to see why it's being refused.
When you say client EAP tracing do you mean on the Microsoft side, or is there something you can do on the freeradius side? When I lookup eap tracing I get information about generating Microsoft EAP host tracing files, but it's an in unreadable format (.etl) that only Microsoft can decode and I can't seem to find a way to make any sense of it. Do you mean some other kind of tracing? Thomas E. Casartello, Jr. Staff Assistant - Wireless/Linux Administrator Information Technology Wilson 105A Westfield State University -----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Friday, April 15, 2011 4:14 PM To: freeradius-users@lists.freeradius.org Subject: Re: WildCard/Subject Alternative Names Cert Question On 04/15/2011 08:42 PM, Casartello, Thomas wrote:
whatnot.) Should this kind of a cert work, or does 802.1x/PEAP/mschapv2 not support validating by subject alternative names.
This isn't really a FreeRADIUS question; it's down to the supplicant to permit or deny the cert. Anyway... Section 3.2.7.1 of MS-WSH says: """ If the isValidateServerNameEnabled is set to TRUE, then verify that the subject name (Section 4.1.2.6 of [RFC5280]) or subject alternative name (section 4.2.1.6 of [RFC5280]) of the server certificate exists in ServerNames. """ i.e. it should honour subjectAltName. But Microsoft have a habit of ignoring their own standards, so if you're sure your certificate is good, then the only way to be sure is turn on client EAP tracing and dig in the logs to see why it's being refused. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 04/16/2011 02:42 AM, Casartello, Thomas wrote:
When you say client EAP tracing do you mean on the Microsoft side, or
Yes
is there something you can do on the freeradius side? When I lookup
No
eap tracing I get information about generating Microsoft EAP host tracing files, but it's an in unreadable format (.etl) that only Microsoft can decode and I can't seem to find a way to make any sense of it. Do you mean some other kind of tracing?
You need to read them on a windows system, obviously. IIRC you need to use the "tracerpt" utility.
Ok thank you. Thomas E. Casartello, Jr. Staff Assistant - Wireless/Linux Administrator Information Technology Wilson 105A Westfield State University -----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Saturday, April 16, 2011 5:36 AM To: freeradius-users@lists.freeradius.org Subject: Re: WildCard/Subject Alternative Names Cert Question On 04/16/2011 02:42 AM, Casartello, Thomas wrote:
When you say client EAP tracing do you mean on the Microsoft side, or
Yes
is there something you can do on the freeradius side? When I lookup
No
eap tracing I get information about generating Microsoft EAP host tracing files, but it's an in unreadable format (.etl) that only Microsoft can decode and I can't seem to find a way to make any sense of it. Do you mean some other kind of tracing?
You need to read them on a windows system, obviously. IIRC you need to use the "tracerpt" utility. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Well I was pounding my head against the wall on this as I couldn't find anything meaningful in the EAP logs. I then spoke to my CA about it and they said they've seen numerous problems with Wildcard certs and RADIUS, and that they normally just give a free normal common name cert for the RADIUS server when customers have this problem, so they gave me one. Seems like Microsoft's client just doesn't like their wildcard certs. When I put the normal cert they gave me into my FreeRADIUS server, it worked fine. Thomas E. Casartello, Jr. Staff Assistant - Wireless/Linux Administrator Information Technology Wilson 105A Westfield State University -----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org] On Behalf Of Casartello, Thomas Sent: Saturday, April 16, 2011 9:58 AM To: freeradius-users@lists.freeradius.org Subject: RE: WildCard/Subject Alternative Names Cert Question Ok thank you. Thomas E. Casartello, Jr. Staff Assistant - Wireless/Linux Administrator Information Technology Wilson 105A Westfield State University -----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma.edu@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Saturday, April 16, 2011 5:36 AM To: freeradius-users@lists.freeradius.org Subject: Re: WildCard/Subject Alternative Names Cert Question On 04/16/2011 02:42 AM, Casartello, Thomas wrote:
When you say client EAP tracing do you mean on the Microsoft side, or
Yes
is there something you can do on the freeradius side? When I lookup
No
eap tracing I get information about generating Microsoft EAP host tracing files, but it's an in unreadable format (.etl) that only Microsoft can decode and I can't seem to find a way to make any sense of it. Do you mean some other kind of tracing?
You need to read them on a windows system, obviously. IIRC you need to use the "tracerpt" utility. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Casartello, Thomas -
Phil Mayers