Hi, Before beginning, sorry for my bad English, I'm French. I'm trying to implement PEAP-MSCHAPV2 support in an existing and working configuration with EAP-TTLS + PAP, giving users a full support of eduroam. There are proxy radius maintained by our national "provider", and they test authentication every 15 minutes. When they only test EAP-TTLS authentication, it works, and this is a part of the output of freeradius -X. Login OK: [user/password] (from client proxyradius port 0 cli 02-00-00-00-00-01 via TLS tunnel) +- entering group post-auth {...} [sql] expand: %{User-Name} -> user@realm [sql] sql_set_user escaped user --> 'user@realm' [sql] expand: %{User-Password} -> password [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user@realm', 'password', 'Access-Accept', '2010-06-17 18:17:02') [sql] expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user@realm', 'password', 'Access-Accept', '2010-06-17 18:17:02') rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_mysql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user@realm', 'password', 'Access-Accept', '2010-06-17 18:17:02') rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok expand: %{request:User-Name} -> user@realm ++[outer.reply] returns ok } # server inner-tunnel [ttls] Got tunneled reply code 2 User-Name := "user@realm" [ttls] Got tunneled Access-Accept [eap] Freeing handler ++[eap] returns ok Login OK: [anonymous/<via Auth-Type = EAP>] (from client proxyradius port 0 cli 02-00-00-00-00-01) Then, when I specify that our FreeRADIUS server support PEAP-MSCHAPV2, they test PEAP first and never receive an access-accept or access-reject request form only the outer identity, anonymous@realm. So there is the ouput : Login OK: [user/<via Auth-Type = mschap>] (from client proxyradius port 0 cli 02-00-00-00-00-01 via TLS tunnel) +- entering group post-auth {...} [sql] expand: %{User-Name} -> user@realm [sql] sql_set_user escaped user --> 'user@realm' [sql] expand: %{User-Password} -> [sql] ... expanding second conditional [sql] expand: %{Chap-Password} -> [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user@realm', '', 'Access-Accept', '2010-06-17 15:32:07') [sql] expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user@realm', '', 'Access-Accept', '2010-06-17 15:32:07') rlm_sql (sql): Reserving sql socket id: 2 rlm_sql_mysql: query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'user@realm', '', 'Access-Accept', '2010-06-17 15:32:07') rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok expand: %{request:User-Name} -> user@realm ++[outer.reply] returns ok } # server inner-tunnel [ttls] Got tunneled reply code 2 User-Name := "user@realm" MS-CHAP2-Success = 0x54533d42374134413830313835384530453531383135373131384643424442444432464133384345413836 [ttls] Got tunneled Access-Accept [ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge. ++[eap] returns handled Sending Access-Challenge of id 9 to 193.51.182.121 port 35055 User-Name = "user@realm" EAP-Message = 0x010a005f1580000000551703010050f984b434f276e050b0697e427d30ddfe2c0d9cc56a8f5da6ab447bbabae115d8181dfce1b6e52f33fcd2a20d5e26f574b9be69fa946342eafbd7ea350d5782490593a260401dae6b1c71f16f30b3ab38 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcda13382c4ab2647095b27820a4b1850 Finished request 11. Going to the next request Waking up in 4.7 seconds. And then, the proxyradius sends new Access-Request and the outer identity is never accepted. But the user@realm is authenticated... I'm sorry I know you need more informations about my confs and outputs, but I don't want to make this post longer than it is... So, I can post more informations... Thank you for helping me ! J-P. _________________________________________________________________ Installez gratuitement les nouvelles Emoch'ticones ! http://www.ilovemessenger.fr/emoticones/telecharger-emoticones-emochticones....
Hi,
I'm trying to implement PEAP-MSCHAPV2 support in an existing and working configuration with EAP-TTLS + PAP, giving users a full support of eduroam. There are proxy radius maintained by our national "provider", and they test authentication every 15 minutes.
When they only test EAP-TTLS authentication, it works, and this is a part of the output of freeradius -X.
can I ask a quick question. do you need/want your own users to use PEAP....whether you choose to use EAP-TTLS/PAP or PEAP/MSCHAPv2 is up to you for your users....a visitor to your site should be able to use PEAP if their home site supports it as your FreeRADIUS boxes will just proxy the request to the national proxies. I'm not sure why the central test should be forcing you to support all types of EAP - it should only check that you are working for the EAP methods that you, as an IdP support.
} # server inner-tunnel [ttls] Got tunneled reply code 2 ^^^^^^
eh? I thought you said this second test was a PEAP test. are you sure it is as this looks very much like an EAP-TTLS/MSCHAPv2 test
Sending Access-Challenge of id 9 to 193.51.182.121 port 35055 User-Name = "user@realm" EAP-Message = 0x010a005f1580000000551703010050f984b434f276e050b0697e427d30ddfe2c0d9cc56a8f5da6ab447bbabae115d8181dfce1b6e52f33fcd2a20d5e26f574b9be69fa946342eafbd7ea350d5782490593a260401dae6b1c71f16f30b3ab38 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcda13382c4ab2647095b27820a4b1850
theres plenty in the FreeRADIUS docs about 'why do I not get anything after an Access-Challenge' - usually down to certs. alan
Date: Thu, 17 Jun 2010 22:14:45 +0100 From: A.L.M.Buxey@lboro.ac.uk To: freeradius-users@lists.freeradius.org Subject: Re: eduroam PEAP + TTLS
Hi,
Hi thank you very much for you quick answer !
I'm trying to implement PEAP-MSCHAPV2 support in an existing and working configuration with EAP-TTLS + PAP, giving users a full support of eduroam. There are proxy radius maintained by our national "provider", and they test authentication every 15 minutes.
When they only test EAP-TTLS authentication, it works, and this is a part of the output of freeradius -X.
can I ask a quick question. do you need/want your own users to use PEAP....whether you choose to use EAP-TTLS/PAP or PEAP/MSCHAPv2 is up to you for your users....a visitor to your site should be able to use PEAP if their home site supports it as your FreeRADIUS boxes will just proxy the request to the national proxies.
I'm not sure why the central test should be forcing you to support all types of EAP - it should only check that you are working for the EAP methods that you, as an IdP support.
I need my own users to use PEAP because on Windows client, there is no support of EAP-TTLS without installing a soft to implement it. And I want to use Active Directory because I can't use actual password field in OpenLDAP with PEAP. Otherwise you're right, this is how eduroam works.
} # server inner-tunnel [ttls] Got tunneled reply code 2 ^^^^^^
eh? I thought you said this second test was a PEAP test. are you sure it is as this looks very much like an EAP-TTLS/MSCHAPv2 test
That's right, whereas before, I've got this line : Login OK: [user/<via Auth-Type = mschap>] (from client proxyradius port 0 cli 02-00-00-00-00-01 via TLS tunnel) Which occurs after these lines : Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for user@realm with NT-Password [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] expand: --username=%{Stripped-User-Name:-%{mschap:User-Name:-None}} -> --username=user [mschap] mschap2: d6 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=45d29cf49c25ed29 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=6c2dbac31a48ddf0cbf4a1c8e6c5c1262ec6b8f77bb9ae46 Exec-Program output: NT_KEY: 64BA19DEDFDDB5A3ABAC7FEB95BF671F Exec-Program-Wait: plaintext: NT_KEY: 64BA19DEDFDDB5A3ABAC7FEB95BF671F Exec-Program: returned: 0 ++[mschap] returns ok So, I suppose that it's really a PEAP-MSCHAPV2 test. Maybe I've made something wrong in the order of Auth-Type in my conf files ?
Sending Access-Challenge of id 9 to 193.51.182.121 port 35055 User-Name = "user@realm" EAP-Message = 0x010a005f1580000000551703010050f984b434f276e050b0697e427d30ddfe2c0d9cc56a8f5da6ab447bbabae115d8181dfce1b6e52f33fcd2a20d5e26f574b9be69fa946342eafbd7ea350d5782490593a260401dae6b1c71f16f30b3ab38 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcda13382c4ab2647095b27820a4b1850
theres plenty in the FreeRADIUS docs about 'why do I not get anything after an Access-Challenge' - usually down to certs.
I've already added my certs in the Active Directory, as it's said in eap.conf and that solved the problem for PEAP-MSCHAPV2. So now, I can use default PEAP options in the native wpa supplicant on Windows and that works. I'm gonna look for more about this.
alan
J-P. _________________________________________________________________ Vous voulez regarder la TV directement depuis votre PC ? C'est très simple avec Windows 7 http://clk.atdmt.com/FRM/go/229960614/direct/01/
Finally, you're right, there is a confusion with PEAP and TTLS... When I say our FreeRADIUS server doesn't support TTLS but only PEAP, that works... So this is the true question, what error in my configuration can cause this ? Thank you very much ! J-P. From: legdf@hotmail.com To: freeradius-users@lists.freeradius.org Subject: RE: eduroam PEAP + TTLS Date: Fri, 18 Jun 2010 07:56:33 +0000
Date: Thu, 17 Jun 2010 22:14:45 +0100 From: A.L.M.Buxey@lboro.ac.uk To: freeradius-users@lists.freeradius.org Subject: Re: eduroam PEAP + TTLS
Hi,
Hi thank you very much for you quick answer !
I'm trying to implement PEAP-MSCHAPV2 support in an existing and working configuration with EAP-TTLS + PAP, giving users a full support of eduroam. There are proxy radius maintained by our national "provider", and they test authentication every 15 minutes.
When they only test EAP-TTLS authentication, it works, and this is a part of the output of freeradius -X.
can I ask a quick question. do you need/want your own users to use PEAP....whether you choose to use EAP-TTLS/PAP or PEAP/MSCHAPv2 is up to you for your users....a visitor to your site should be able to use PEAP if their home site supports it as your FreeRADIUS boxes will just proxy the request to the national proxies.
I'm not sure why the central test should be forcing you to support all types of EAP - it should only check that you are working for the EAP methods that you, as an IdP support.
I need my own users to use PEAP because on Windows client, there is no support of EAP-TTLS without installing a soft to implement it. And I want to use Active Directory because I can't use actual password field in OpenLDAP with PEAP. Otherwise you're right, this is how eduroam works.
} # server inner-tunnel [ttls] Got tunneled reply code 2 ^^^^^^
eh? I thought you said this second test was a PEAP test. are you sure it is as this looks very much like an EAP-TTLS/MSCHAPv2 test
That's right, whereas before, I've got this line : Login OK: [user/<via Auth-Type = mschap>] (from client proxyradius port 0 cli 02-00-00-00-00-01 via TLS tunnel) Which occurs after these lines : Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for user@realm with NT-Password [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] expand: --username=%{Stripped-User-Name:-%{mschap:User-Name:-None}} -> --username=user [mschap] mschap2: d6 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=45d29cf49c25ed29 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=6c2dbac31a48ddf0cbf4a1c8e6c5c1262ec6b8f77bb9ae46 Exec-Program output: NT_KEY: 64BA19DEDFDDB5A3ABAC7FEB95BF671F Exec-Program-Wait: plaintext: NT_KEY: 64BA19DEDFDDB5A3ABAC7FEB95BF671F Exec-Program: returned: 0 ++[mschap] returns ok So, I suppose that it's really a PEAP-MSCHAPV2 test. Maybe I've made something wrong in the order of Auth-Type in my conf files ?
Sending Access-Challenge of id 9 to 193.51.182.121 port 35055 User-Name = "user@realm" EAP-Message = 0x010a005f1580000000551703010050f984b434f276e050b0697e427d30ddfe2c0d9cc56a8f5da6ab447bbabae115d8181dfce1b6e52f33fcd2a20d5e26f574b9be69fa946342eafbd7ea350d5782490593a260401dae6b1c71f16f30b3ab38 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcda13382c4ab2647095b27820a4b1850
theres plenty in the FreeRADIUS docs about 'why do I not get anything after an Access-Challenge' - usually down to certs.
I've already added my certs in the Active Directory, as it's said in eap.conf and that solved the problem for PEAP-MSCHAPV2. So now, I can use default PEAP options in the native wpa supplicant on Windows and that works. I'm gonna look for more about this.
alan
J-P. Envie de plus d'originalité dans vos conversations ? Téléchargez gratuitement les Emoch'ticones ! _________________________________________________________________ Hotmail : Simple et Efficace qui vous facilite la vie… Découvrez la NOW génération ! http://www.windowslive.fr/hotmail/nowgeneration/
Ok, Here is my eap.conf. eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = yes cisco_accounting_username_bug = no max_sessions = 4096 tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_file = ${certdir}/cert.key certificate_file = ${certdir}/cert-3169-cert.pem CA_file = ${cadir}/chain-3169-cert.pem dh_file = ${certdir}/dh random_file = ${certdir}/random cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap" cache { enable = no lifetime = 24 # hours max_entries = 255 } } ttls { default_eap_type = md5 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes } peap { default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } mschapv2 { } } I'm sorry
Date: Fri, 18 Jun 2010 13:27:28 +0100 From: A.L.M.Buxey@lboro.ac.uk To: freeradius-users@lists.freeradius.org Subject: Re: eduroam PEAP + TTLS
Hi,
So this is the true question, what error in my configuration can cause this ?
I cannot read minds..and you havent supplied eg eap.conf (obfuscated as is reasonable)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ La boîte mail NOW Génération vous permet de réunir toutes vos boîtes mail dans Hotmail ! http://www.windowslive.fr/hotmail/nowgeneration/
Hi, I need to have EAP-TTLS working with LDAP bind and PEAP-MSCHAPV2 with Samba + Winbind + Active Directory. I've got winbind very unstable... I can successfully authenticate using eapol_test but a few minutes later, I've got a MPPE keys mismatch. If I restart winbind, I can authenticate few times and then, it stops working. I'm not really sure to understand how I have to set "Auth-Type" in inner-tunnel and/or default (sites-enabled). I've got : Auth-Type MS-CHAP { mschap } and then Auth-Type LDAP { ldap } in the authenticate section. I've got mschap then ldap in authorize section. Is there a mistake here ? This is the end of the output of eapol_test for PEAP when it fails : RADIUS packet matching with station decapsulated EAP packet (code=1 id=11 len=91) from RADIUS server: EAP-Request-PEAP (25) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=11 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=91) - Flags 0x00 EAP-PEAP: received 85 bytes encrypted data for Phase 2 EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=47): 1a 03 0a 00 2e 53 3d 39 38 37 31 42 31 30 45 38 46 35 35 36 30 41 44 34 37 32 36 36 34 43 34 43 35 45 31 42 32 46 34 39 44 35 36 46 39 39 36 EAP-PEAP: received Phase 2: code=1 identifier=11 length=51 EAP-PEAP: Phase 2 Request: type=26 EAP-MSCHAPV2: RX identifier 11 mschapv2_id 10 EAP-MSCHAPV2: Received success EAP-MSCHAPV2: Invalid authenticator response in success request EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE Signal 2 received - terminating EAPOL: EAP key not available EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit ENGINE: engine deinit MPPE keys OK: 0 mismatch: 1 FAILURE And then this is the end of the output when it works. RADIUS packet matching with station MS-MPPE-Send-Key (sign) - hexdump(len=32): 82 7a 3e ac 0f 7c c7 93 ac af fb d3 02 d7 bd 84 61 44 62 82 82 8b 3d e0 f2 47 27 30 9c a6 12 cb MS-MPPE-Recv-Key (crypt) - hexdump(len=32): fb 0b 78 97 7c 84 13 38 ba 36 77 b8 88 2b b2 9f 3b 79 4c 87 a7 fa 68 e0 3a e6 0c 47 4d 43 34 5c decapsulated EAP packet (code=3 id=12 len=4) from RADIUS server: EAP Success EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Success EAP: EAP entering state SUCCESS CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required WPA: EAPOL processing complete EAPOL: SUPP_PAE entering state AUTHENTICATED EAPOL: SUPP_BE entering state RECEIVE EAPOL: SUPP_BE entering state SUCCESS EAPOL: SUPP_BE entering state IDLE eapol_sm_cb: success=1 EAPOL: Successfully fetched key (len=32) PMK from EAPOL - hexdump(len=32): fb 0b 78 97 7c 84 13 38 ba 36 77 b8 88 2b b2 9f 3b 79 4c 87 a7 fa 68 e0 3a e6 0c 47 4d 43 34 5c EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit ENGINE: engine deinit MPPE keys OK: 1 mismatch: 0 SUCCESS I finally notice that if I use eapol_test for an TTLS authentication, then, immediately, PEAP doesn't work anymore. If I restart winbind, it works again. I really don't understand... And because I don't know where is the problem, I've got some difficulties to give you the good informations. Thank you for your help ! J-P. From: legdf@hotmail.com To: freeradius-users@lists.freeradius.org Subject: RE: eduroam PEAP + TTLS Date: Fri, 18 Jun 2010 13:18:45 +0000 Ok, Here is my eap.conf. eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = yes cisco_accounting_username_bug = no max_sessions = 4096 tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_file = ${certdir}/cert.key certificate_file = ${certdir}/cert-3169-cert.pem CA_file = ${cadir}/chain-3169-cert.pem dh_file = ${certdir}/dh random_file = ${certdir}/random cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap" cache { enable = no lifetime = 24 # hours max_entries = 255 } } ttls { default_eap_type = md5 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes } peap { default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } mschapv2 { } } I'm sorry
Date: Fri, 18 Jun 2010 13:27:28 +0100 From: A.L.M.Buxey@lboro.ac.uk To: freeradius-users@lists.freeradius.org Subject: Re: eduroam PEAP + TTLS
Hi,
So this is the true question, what error in my configuration can cause this ?
I cannot read minds..and you havent supplied eg eap.conf (obfuscated as is reasonable)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Votre vie privée l'est-elle vraiment ? Internet Explorer 8 vous protège gratuitement ! _________________________________________________________________ Vous voulez regarder la TV directement depuis votre PC ? C'est très simple avec Windows 7 http://clk.atdmt.com/FRM/go/229960614/direct/01/
Jean-Philippe Ghibaudo wrote:
I need to have EAP-TTLS working with LDAP bind and PEAP-MSCHAPV2 with Samba + Winbind + Active Directory.
That should be possible. Follow the guides, and it should work.
I've got winbind very unstable... I can successfully authenticate using eapol_test but a few minutes later, I've got a MPPE keys mismatch. If I restart winbind, I can authenticate few times and then, it stops working.
That sounds like a Samba problem. See https://bugzilla.samba.org/show_bug.cgi?id=6563
I'm not really sure to understand how I have to set "Auth-Type" in inner-tunnel and/or default (sites-enabled).
Don't. Leave the defaults alone. Only make the changes which are recommended by the guides (e.g. deployingradius.com)
I've got : ... in the authenticate section. I've got mschap then ldap in authorize section.
Is there a mistake here ?
No.
This is the end of the output of eapol_test for PEAP when it fails : .. EAP-MSCHAPV2: Invalid authenticator response in success request
It looks like that Samba bug. Alan DeKok.
Thank you so much, you were right, once more as it seems, I've just downgraded samba to native version (3.2.5) on my Debian Lenny and it works ! I had'nt managed to have samba 3.2.5 working the first time so I have tried 3.5.3 but with the same .conf, it works perfectly.
Date: Mon, 21 Jun 2010 16:46:05 +0200 From: aland@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: eduroam PEAP + TTLS
Jean-Philippe Ghibaudo wrote:
I need to have EAP-TTLS working with LDAP bind and PEAP-MSCHAPV2 with Samba + Winbind + Active Directory.
That should be possible. Follow the guides, and it should work.
I've got winbind very unstable... I can successfully authenticate using eapol_test but a few minutes later, I've got a MPPE keys mismatch. If I restart winbind, I can authenticate few times and then, it stops working.
That sounds like a Samba problem. See
https://bugzilla.samba.org/show_bug.cgi?id=6563
I'm not really sure to understand how I have to set "Auth-Type" in inner-tunnel and/or default (sites-enabled).
Don't. Leave the defaults alone. Only make the changes which are recommended by the guides (e.g. deployingradius.com)
I've got : ... in the authenticate section. I've got mschap then ldap in authorize section.
Is there a mistake here ?
No.
This is the end of the output of eapol_test for PEAP when it fails : .. EAP-MSCHAPV2: Invalid authenticator response in success request
It looks like that Samba bug.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Hotmail : Simple et Efficace qui vous facilite la vie… Découvrez la NOW génération ! http://www.windowslive.fr/hotmail/nowgeneration/
Hi list, Is it possible to support multiple client CA certificates? Suppose we want to support different customer groups. Each group has its own CA certificate. Can freeradius support that? Thanks a lot! Gina Zhang
On 06/21/2010 12:00 PM, Zhang, Ge (Gina) wrote:
Hi list,
Is it possible to support multiple client CA certificates? Suppose we want to support different customer groups. Each group has its own CA certificate. Can freeradius support that?
Yes, if the CA's are in a bundle set CA_file in eap.conf, if they are individual in a directory set CA_path instead. If you don't understand the above read some OpenSSL documentation, man SSL_CTX_load_verify_locations would be a good place to start. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
John, Thank you very much for the information! I will try it. Regards, Gina -----Original Message----- From: John Dennis [mailto:jdennis@redhat.com] Sent: Monday, June 21, 2010 11:20 AM To: FreeRadius users mailing list Cc: Zhang, Ge (Gina) Subject: Re: Can freeradius support multiple client CA certificates? On 06/21/2010 12:00 PM, Zhang, Ge (Gina) wrote:
Hi list,
Is it possible to support multiple client CA certificates? Suppose we want to support different customer groups. Each group has its own CA certificate. Can freeradius support that?
Yes, if the CA's are in a bundle set CA_file in eap.conf, if they are individual in a directory set CA_path instead. If you don't understand the above read some OpenSSL documentation, man SSL_CTX_load_verify_locations would be a good place to start. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
John, Is it possible to support multiple sets of server certificates so that one group customer would use one server CA file? Thanks a lot! Regards, Gina Zhang -----Original Message----- From: freeradius-users-bounces+gina.zhang=alcatel-lucent.com@lists.freeradius.org [mailto:freeradius-users-bounces+gina.zhang=alcatel-lucent.com@lists.freeradius.org] On Behalf Of Zhang, Ge (Gina) Sent: Monday, June 21, 2010 11:52 AM To: John Dennis; FreeRadius users mailing list Subject: RE: Can freeradius support multiple client CA certificates? John, Thank you very much for the information! I will try it. Regards, Gina -----Original Message----- From: John Dennis [mailto:jdennis@redhat.com] Sent: Monday, June 21, 2010 11:20 AM To: FreeRadius users mailing list Cc: Zhang, Ge (Gina) Subject: Re: Can freeradius support multiple client CA certificates? On 06/21/2010 12:00 PM, Zhang, Ge (Gina) wrote:
Hi list,
Is it possible to support multiple client CA certificates? Suppose we want to support different customer groups. Each group has its own CA certificate. Can freeradius support that?
Yes, if the CA's are in a bundle set CA_file in eap.conf, if they are individual in a directory set CA_path instead. If you don't understand the above read some OpenSSL documentation, man SSL_CTX_load_verify_locations would be a good place to start. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 06/21/2010 01:01 PM, Zhang, Ge (Gina) wrote:
John,
Is it possible to support multiple sets of server certificates so that one group customer would use one server CA file?
This is a basic PKI question, not really FreeRADIUS. In PKI there can only be one certificate per server. You would have to have different servers with different names and addresses. The purpose of a server certificate is to prove to the client the server it is connecting to is really the server it expects and is not a man in the middle attack. There is no way to configure the server to present different certificates based on which client is connecting and there really isn't much point. I'm not sure why you would want to do this. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
John, Thanks a lot for your response. If I configure multiple virtual server, would it be possible? Thanks a lot, Gina Zhang -----Original Message----- From: John Dennis [mailto:jdennis@redhat.com] Sent: Monday, June 21, 2010 12:34 PM To: Zhang, Ge (Gina) Cc: FreeRadius users mailing list Subject: Re: Can freeradius support multiple client CA certificates? On 06/21/2010 01:01 PM, Zhang, Ge (Gina) wrote:
John,
Is it possible to support multiple sets of server certificates so that one group customer would use one server CA file?
This is a basic PKI question, not really FreeRADIUS. In PKI there can only be one certificate per server. You would have to have different servers with different names and addresses. The purpose of a server certificate is to prove to the client the server it is connecting to is really the server it expects and is not a man in the middle attack. There is no way to configure the server to present different certificates based on which client is connecting and there really isn't much point. I'm not sure why you would want to do this. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
On 06/21/2010 02:38 PM, Zhang, Ge (Gina) wrote:
John,
Thanks a lot for your response. If I configure multiple virtual server, would it be possible?
A (FreeRADIUS) virtual server does not have a different IP address nor would it have different subject names nor subject alt names. I'm not getting the feeling you understand how PKI works, it might be worthwhile to read up on it. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
John, Thank you very much for your advise! Regards, Gina Zhang -----Original Message----- From: John Dennis [mailto:jdennis@redhat.com] Sent: Monday, June 21, 2010 1:54 PM To: Zhang, Ge (Gina) Cc: FreeRadius users mailing list Subject: Re: Can freeradius support multiple client CA certificates? On 06/21/2010 02:38 PM, Zhang, Ge (Gina) wrote:
John,
Thanks a lot for your response. If I configure multiple virtual server, would it be possible?
A (FreeRADIUS) virtual server does not have a different IP address nor would it have different subject names nor subject alt names. I'm not getting the feeling you understand how PKI works, it might be worthwhile to read up on it. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
On 21 Jun 2010, at 19:53, John Dennis wrote:
A (FreeRADIUS) virtual server does not have a different IP address nor would it have different subject names nor subject alt names.
I'm not getting the feeling you understand how PKI works, it might be worthwhile to read up on it.
When testing a new server certificate with a different chain to a new root CA, I set up a separate eap module with different certificates. The two EAP modules were selected using the realm in the username -- something@cam.ac.uk gave the normal certificates and something@test.cam.ac.uk gave the new ones but used the same backend SQL lookup to find account information. - Bob
Bob, Thank you so much for your help! I am going to try that on my system. Regards, Gina Zhang -----Original Message----- From: Robert Franklin [mailto:rcf34@cam.ac.uk] Sent: Monday, June 21, 2010 3:03 PM To: FreeRadius users mailing list Cc: Zhang, Ge (Gina) Subject: Re: Can freeradius support multiple client CA certificates? On 21 Jun 2010, at 19:53, John Dennis wrote:
A (FreeRADIUS) virtual server does not have a different IP address nor would it have different subject names nor subject alt names.
I'm not getting the feeling you understand how PKI works, it might be worthwhile to read up on it.
When testing a new server certificate with a different chain to a new root CA, I set up a separate eap module with different certificates. The two EAP modules were selected using the realm in the username -- something@cam.ac.uk gave the normal certificates and something@test.cam.ac.uk gave the new ones but used the same backend SQL lookup to find account information. - Bob
On 06/21/2010 04:03 PM, Robert Franklin wrote:
When testing a new server certificate with a different chain to a new root CA, I set up a separate eap module with different certificates.
Ah, good point and good suggestion. I had forgotten each module instance has it's own SSL context. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
participants (6)
-
Alan Buxey -
Alan DeKok -
Jean-Philippe Ghibaudo -
John Dennis -
Robert Franklin -
Zhang, Ge (Gina)