I'm configuring freeradius server with opensc client-side. I'd like to say if freeradius has support for PKCS#11. In wpa_supplicant log I see how client writes TLS-ChangeCipherSpec and TLS-Finished. This means that the server has authenticated but freeradius show TLS error because client do not send certificate. I think it's because PKCS#11. I'm not sure, but I really need to know. I'm using freeradius-server-2.0.4 Thanks a lot
I have no idea if freeradius does or does not support PKCS#11 but what does tell you the log of the freeradius server? (Output of: radiusd -X ; i.e. the standard email of this mailing list.) Have a nice day? Am 29.06.2008 um 13:02 schrieb Sergio Yébenes Moreno:
I'm configuring freeradius server with opensc client-side. I'd like to say if freeradius has support for PKCS#11. In wpa_supplicant log I see how client writes TLS-ChangeCipherSpec and TLS-Finished. This means that the server has authenticated but freeradius show TLS error because client do not send certificate. I think it's because PKCS#11. I'm not sure, but I really need to know. I'm using freeradius-server-2.0.4
Thanks a lot
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
Hi Sergio, In message <48676BB9.1040409@alumnos.upm.es>, Sergio Yébenes Moreno <sergioyebenes@alumnos.upm.es> writes
I'm configuring freeradius server with opensc client-side. I'd like to say if freeradius has support for PKCS#11. In wpa_supplicant log I see how client writes TLS-ChangeCipherSpec and TLS-Finished. This means that the server has authenticated but freeradius show TLS error because client do not send certificate. I think it's because PKCS#11. I'm not sure, but I really need to know. I'm using freeradius-server-2.0.4
The server doesn't care where the certificates and private key are stored on the client side; the use of PKCS#11 and a smartcard or token is irrelevant and the server needs no special support for PKCS#11. The only way the use of the smartcard or token could change things is if your supplicant needs the entire certificate chain on the smartcard or token, and you've only loaded the certificate itself. The only reason the server would need PKCS#11 support is if the server's certificate were on a smartcard or token. It's an intriguing idea, but I have my doubts that a smartcard or token would keep up with the demands placed on it. As Nicolas said, the debug log on the server side almost certainly contains the answer to this - that's where you should be looking. Run radiusd -X and attempt to authenticate using wpa_supplicant and your token or smartcard. What does the server's debug output say? If you can see the server rejecting the authentication attempt, look back for the reason. If the server accepts the authentication attempt, the problem is elsewhere. Best wishes, David -- David Wood david@wood2.org.uk
David Wood escribió:
Hi Sergio,
In message <48676BB9.1040409@alumnos.upm.es>, Sergio Yébenes Moreno <sergioyebenes@alumnos.upm.es> writes
I'm configuring freeradius server with opensc client-side. I'd like to say if freeradius has support for PKCS#11. In wpa_supplicant log I see how client writes TLS-ChangeCipherSpec and TLS-Finished. This means that the server has authenticated but freeradius show TLS error because client do not send certificate. I think it's because PKCS#11. I'm not sure, but I really need to know. I'm using freeradius-server-2.0.4
The server doesn't care where the certificates and private key are stored on the client side; the use of PKCS#11 and a smartcard or token is irrelevant and the server needs no special support for PKCS#11.
The only way the use of the smartcard or token could change things is if your supplicant needs the entire certificate chain on the smartcard or token, and you've only loaded the certificate itself.
The only reason the server would need PKCS#11 support is if the server's certificate were on a smartcard or token. It's an intriguing idea, but I have my doubts that a smartcard or token would keep up with the demands placed on it.
As Nicolas said, the debug log on the server side almost certainly contains the answer to this - that's where you should be looking.
Run radiusd -X and attempt to authenticate using wpa_supplicant and your token or smartcard. What does the server's debug output say? If you can see the server rejecting the authentication attempt, look back for the reason. If the server accepts the authentication attempt, the problem is elsewhere.
Best wishes,
David Hi David
"The server doesn't care where the certificates and private key are stored on the client side; the use of PKCS#11 and a smartcard or token is irrelevant and the server needs no special support for PKCS#11." That rules. It's true. I've seen in wpa_supplicant log that can't access to the private key (fuckin' key_id), but even so, client makes client_certificate, client_key_exchange, ....and tcpdump shows RADIUS-Access-Request....I'll ask for this at opensc-project but looks like you know about you're speaking. Do you know if freeradius can make ocsp request? In /freeradius-server-2.0.5/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c they mention ocsp protocol but in eap.conf there are nothing about this!! Thanks
participants (3)
-
David Wood -
Nicolas Goutte -
Sergio Yébenes Moreno