Freeradius and OpenLDAP certificates
Hi to all, I'm new to Freeradius, but not new to OpenLDAP. I got Freeradius running with ldap-connection and Kerberos-authentication for searching the LDAP-tree. Authentication with radtest and a LDAP-user is working: ------------ radtest u1-verw geheim 192.168.56.47 1812 Passw0rd Sent Access-Request Id 23 from 0.0.0.0:50791 to 192.168.56.47:1812 length 77 User-Name = "u1-verw" User-Password = "geheim" NAS-IP-Address = 192.168.56.47 NAS-Port = 1812 Message-Authenticator = 0x00 Cleartext-Password = "geheim" Received Access-Accept Id 23 from 192.168.56.47:1812 to 192.168.56.47:50791 length 20 ------------ I don't want to use MySQL, instead I would like to use OpenLDAP Starting with OpenLDAP 2.5 you can create and manage user and host certificats with the overlay "autoca". You can copy your own CA and the key into OpenLDAP and then let OpenLDAP create the certificate and the key for users and hosts. The certificate will be stored in the attribute userCertificate;binary and userPrivateKey;binary the certificate is in DER-format. I now would like to use the certificates from OpenLDAP for authentication. How can I use certificates located in OpenLDAP for user- and host- authentication? Stefan
On Oct 3, 2023, at 10:05 AM, Stefan Kania <stefan@kania-online.de> wrote:
I got Freeradius running with ldap-connection and Kerberos-authentication for searching the LDAP-tree.
That's good.
Authentication with radtest and a LDAP-user is working:
That's good, but for future reference, you can't debug the server by looking at the client pass/fail output. There's a lot more going on.
Starting with OpenLDAP 2.5 you can create and manage user and host certificats with the overlay "autoca". You can copy your own CA and the key into OpenLDAP and then let OpenLDAP create the certificate and the key for users and hosts. The certificate will be stored in the attribute userCertificate;binary and userPrivateKey;binary the certificate is in DER-format. I now would like to use the certificates from OpenLDAP for authentication.
How can I use certificates located in OpenLDAP for user- and host- authentication?
FreeRADIUS only needs the CA cert. It doesn't need access to LDAP for all of the client certs. So put the CA cert into the FreeRADIUS configuration, and everything should just work. Alan DeKok.
Am 03.10.23 um 16:12 schrieb Alan DeKok:
On Oct 3, 2023, at 10:05 AM, Stefan Kania <stefan@kania-online.de> wrote:
I got Freeradius running with ldap-connection and Kerberos-authentication for searching the LDAP-tree.
That's good.
Authentication with radtest and a LDAP-user is working:
That's good, but for future reference, you can't debug the server by looking at the client pass/fail output. There's a lot more going on.
Starting with OpenLDAP 2.5 you can create and manage user and host certificats with the overlay "autoca". You can copy your own CA and the key into OpenLDAP and then let OpenLDAP create the certificate and the key for users and hosts. The certificate will be stored in the attribute userCertificate;binary and userPrivateKey;binary the certificate is in DER-format. I now would like to use the certificates from OpenLDAP for authentication.
How can I use certificates located in OpenLDAP for user- and host- authentication?
FreeRADIUS only needs the CA cert. It doesn't need access to LDAP for all of the client certs.
So put the CA cert into the FreeRADIUS configuration, and everything should just work.
That's what I did. I put the ca-certificat and the key into the subdirectory certs/ that is working :-). But now I wold like to use client certificates instead of username+password. So both, the server certificate and the client-certificate are from the same CA. So the client sends it's certificate to the radius-server and the server checks wther the certifcate belongs to the client or not and checks that the certificate is valide with the root-certificate of my ca. Is this right? But what I'm looking for ist how to configure freeradius to only use certificates and not username+password. Or did I understood this txpe of authentication totally wrong :-( Stefan
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
What do the logs say and what are you doing precisely? If you use for instance EAP-TLS then the check is mutual and both client and server have to carry the corresponding CAs (incl. intermediate certs) On October 3, 2023 4:34:36 PM GMT+02:00, Stefan Kania <stefan@kania-online.de> wrote:
Am 03.10.23 um 16:12 schrieb Alan DeKok:
On Oct 3, 2023, at 10:05 AM, Stefan Kania <stefan@kania-online.de> wrote:
I got Freeradius running with ldap-connection and Kerberos-authentication for searching the LDAP-tree.
That's good.
Authentication with radtest and a LDAP-user is working:
That's good, but for future reference, you can't debug the server by looking at the client pass/fail output. There's a lot more going on.
Starting with OpenLDAP 2.5 you can create and manage user and host certificats with the overlay "autoca". You can copy your own CA and the key into OpenLDAP and then let OpenLDAP create the certificate and the key for users and hosts. The certificate will be stored in the attribute userCertificate;binary and userPrivateKey;binary the certificate is in DER-format. I now would like to use the certificates from OpenLDAP for authentication.
How can I use certificates located in OpenLDAP for user- and host- authentication?
FreeRADIUS only needs the CA cert. It doesn't need access to LDAP for all of the client certs.
So put the CA cert into the FreeRADIUS configuration, and everything should just work.
That's what I did. I put the ca-certificat and the key into the subdirectory certs/ that is working :-). But now I wold like to use client certificates instead of username+password. So both, the server certificate and the client-certificate are from the same CA. So the client sends it's certificate to the radius-server and the server checks wther the certifcate belongs to the client or not and checks that the certificate is valide with the root-certificate of my ca. Is this right?
But what I'm looking for ist how to configure freeradius to only use certificates and not username+password. Or did I understood this txpe of authentication totally wrong :-(
Stefan
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Oct 3, 2023, at 10:34 AM, Stefan Kania <stefan@kania-online.de> wrote:
That's what I did. I put the ca-certificat and the key into the subdirectory certs/ that is working :-). But now I wold like to use client certificates instead of username+password. So both, the server certificate and the client-certificate are from the same CA. So the client sends it's certificate to the radius-server and the server checks wther the certifcate belongs to the client or not and checks that the certificate is valide with the root-certificate of my ca. Is this right?
Yes. That's common across all uses of TLS and client certificates. There's nothing special about how RADIUS uses client certs.
But what I'm looking for ist how to configure freeradius to only use certificates and not username+password. Or did I understood this txpe of authentication totally wrong :-(
Don't configure FreeRADIUS to do password lookups. Configure the client to use EAP-TLS, and there won't *be* passwords in the RADIUS packets. Alan DeKok.
participants (3)
-
Alan DeKok -
marki -
Stefan Kania