PEAP + EAP-TLS: client certificates
Hi, Sorry for the trivial questions but here I go: I think I configured freeradius correctly for EAP-TLS and PEAP with ms-chap with authenticates using the ntlm_auth helper application. If I try to connect from a Windows client via a wireless AP "WIFIAP1" with Active Directory "user1" I see this in the log: Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/<via Auth-Type = EAP>] (from client WIFIAP1 port 0 via TLS tunnel) Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/<via Auth-Type = EAP>] (from client WIFIAP1 port 48 cli 001a73f7f0f7) Dumb question: does this mean the client used PEAP to connect? Can I deduce this from "Auth-Type = EAP" and from "via TLS tunnel"? If connected via PEAP, authentication is "secure". However, I'd like to know if the data exchanged between the clients and the rest of the LAN via the Access Point is also encrypted and "cannot be sniffed". Does this "data encryption" depend only on the AP's encryption settings (eg. AES) and does FreeRadius get out of this equation after authentication? If I install a self-signed certificate on another Windows client and connect via EAP-TLS then I can connect without having to use an Active Directory user, as expected. I'm wondering if I can *require* both a certificate on the client machine AND an AD user authentication. In other words, how can I *require* PEAP-EAP-TLS? (currently, my freeradius configuration seems to require PEAP OR EAP-TLS) Freeradius version: 2.0.5 Thanks, Vieri
If I try to connect from a Windows client via a wireless AP "WIFIAP1" with Active Directory "user1" I see this in the log:
Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/<via Auth-Type = EAP>] (from client WIFIAP1 port 0 via TLS tunnel) Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/<via Auth-Type = EAP>] (from client WIFIAP1 port 48 cli 001a73f7f0f7)
Dumb question: does this mean the client used PEAP to connect? Can I deduce this from "Auth-Type = EAP" and from "via TLS tunnel"?
Can also be TTLS.
If connected via PEAP, authentication is "secure". However, I'd like to know if the data exchanged between the clients and the rest of the LAN via the Access Point is also encrypted and "cannot be sniffed". Does this "data encryption" depend only on the AP's encryption settings (eg. AES) and does FreeRadius get out of this equation after authentication?
Radius has nothing to do with that.
If I install a self-signed certificate on another Windows client and connect via EAP-TLS then I can connect without having to use an Active Directory user, as expected.
I'm wondering if I can *require* both a certificate on the client machine AND an AD user authentication. In other words, how can I *require* PEAP-EAP-TLS? (currently, my freeradius configuration seems to require PEAP OR EAP-TLS)
Freeradius version: 2.0.5
Don't know about that version. It should say how to require certificates for peap in eap.conf above peap section. At least it does in the current version. If it doesn't - it probably isn't supported, so upgrade. Ivan Kalik Kalik Informatika ISP
--- On Thu, 10/22/09, Ivan Kalik <tnt@kalik.net> wrote:
If I install a self-signed certificate on another Windows client and connect via EAP-TLS then I can connect without having to use an Active Directory user, as expected.
I'm wondering if I can *require* both a certificate on the client machine AND an AD user authentication. In other words, how can I *require* PEAP-EAP-TLS? (currently, my freeradius configuration seems to require PEAP OR EAP-TLS)
Freeradius version: 2.0.5
Don't know about that version. It should say how to require certificates for peap in eap.conf above peap section.
Is this the option? EAP-TLS-Require-Client-Cert = Yes I'm not sure where I should place it.
PS. No, default virtual server looks more like it. Won't hurt to try both. Ivan Kalik Kalik Informatika ISP
--- On Thu, 10/22/09, Vieri <rentorbuy@yahoo.com> wrote:
From: Vieri <rentorbuy@yahoo.com> Subject: Re: PEAP + EAP-TLS: client certificates To: freeradius-users@lists.freeradius.org Date: Thursday, October 22, 2009, 9:05 AM
--- On Thu, 10/22/09, Ivan Kalik <tnt@kalik.net> wrote:
If I install a self-signed certificate on another Windows client and connect via EAP-TLS then I can connect without having to use an Active Directory user, as expected.
I'm wondering if I can *require* both a certificate on the client machine AND an AD user authentication. In other words, how can I *require* PEAP-EAP-TLS? (currently, my freeradius configuration seems to require PEAP OR EAP-TLS)
Freeradius version: 2.0.5
Don't know about that version. It should say how to require certificates for peap in eap.conf above peap section.
Is this the option? EAP-TLS-Require-Client-Cert = Yes I'm not sure where I should place it.
If in eap.conf I have: peap { ... virtual_server = "inner-tunnel" } then maybe I should edit sites-available/inner-tunnel and add: server inner-tunnel { ... authorize { ... update control { ... EAP-TLS-Require-Client-Cert = Yes } } } Is this correct?
participants (2)
-
Ivan Kalik -
Vieri