freeRADIUS 3.0.4, NetworkManager 1.0.6-27.el7, and wpa_supplicant v2.0 client side cert issues?
Hello, I wanted to post what I had to do in order to get NetworkManager EAP-TLS connections to work. I am hoping that someone can tell me if I am wrong or, if the issue is NetworkManager. 1. eapol_test works fine. 2. Direct wpa_supplicant config works fine. 3. Unless importing the radiusd CA into the client, a unknown CA error is thrown. Now, I dont like the idea of doing the below; however, it was the only way on fc22 with the versions stated above to get connected via NetworkManager. AS root : > cp /home/user/CERTS/radius_ca.pem /etc/pki/ca-trust/source/anchors/ >update-ca-trust 5. Connections to EAP-TLS via NetworkManager now work. 6. PROBLEM, I don't want a private CA set globally. A vpn connection does not do this when using private CA. Also, wpa_supplicant works with out the CA being imported into the global store. 7. I REALLY DONT LIKE THE SELF SIGNED / PRIVATE CA GLOBALLY. Does anyone see any obvious mistakes in what a described above? Ollie Teasley Linux Administrator ISMELL.SHOES, LLC
On Tue, Feb 09, 2016 at 06:39:10PM -0600, John Teasley wrote:
6. PROBLEM, I don't want a private CA set globally. A vpn connection does not do this when using private CA. Also, wpa_supplicant works with out the CA being imported into the global store.
Ask the NetworkManager guys where they look for the root CA and if it's configurable? That's not really a FreeRADIUS problem.
7. I REALLY DONT LIKE THE SELF SIGNED / PRIVATE CA GLOBALLY.
Does anyone see any obvious mistakes in what a described above?
With EAP-TLS you are always going to have to install the private root CA on the clients. It just happens with wpa_supplicant you are configuring it to look where you want it to. EAP-TLS depends on running a certificate infrastructure. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Thanks. Ollie Teasley Linux Administrator ISMELL.SHOES, LLC On Tue, Feb 9, 2016 at 6:47 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Tue, Feb 09, 2016 at 06:39:10PM -0600, John Teasley wrote:
6. PROBLEM, I don't want a private CA set globally. A vpn connection does not do this when using private CA. Also, wpa_supplicant works with out the CA being imported into the global store.
Ask the NetworkManager guys where they look for the root CA and if it's configurable? That's not really a FreeRADIUS problem.
7. I REALLY DONT LIKE THE SELF SIGNED / PRIVATE CA GLOBALLY.
Does anyone see any obvious mistakes in what a described above?
With EAP-TLS you are always going to have to install the private root CA on the clients. It just happens with wpa_supplicant you are configuring it to look where you want it to.
EAP-TLS depends on running a certificate infrastructure.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
connections to work. I am hoping that someone can tell me if I am wrong or, if the issue is NetworkManager.
NetworkManager allows you to configure the filename of the CA; there is no need to dump the CA cert in a globally used place.
AS root : > cp /home/user/CERTS/radius_ca.pem /etc/pki/ca-trust/source/anchors/ >update-ca-trust
Why? Many if not all UIs for NetworkManager ask you for the filename of the CA certificate directly. I'm attaching a screenshot of KDE5's Plasma NM network editor (in German, sorry). It very explicitly asks for *CA Certificate* along with a file selection box. If your UI to NM does not give you that, time to change the UI frontend.
7. I REALLY DONT LIKE THE SELF SIGNED / PRIVATE CA GLOBALLY.
Does anyone see any obvious mistakes in what a described above?
Independently of UI, there are scripts that set up NetworkManager via D-Bus mostly automatically; and they of course store the CA certificate in a custom place, only referenced by the imported configuration. You may want to check out e.g. https://802.1x-config.org or if you are member of the eduroam roaming consortium https://cat.eduroam.org. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
And here is the screenshot, unless it gets scraped. Am 10.02.2016 um 01:39 schrieb John Teasley:
Hello,
I wanted to post what I had to do in order to get NetworkManager EAP-TLS connections to work. I am hoping that someone can tell me if I am wrong or, if the issue is NetworkManager.
1. eapol_test works fine. 2. Direct wpa_supplicant config works fine. 3. Unless importing the radiusd CA into the client, a unknown CA error is thrown. Now, I dont like the idea of doing the below; however, it was the only way on fc22 with the versions stated above to get connected via NetworkManager.
AS root : > cp /home/user/CERTS/radius_ca.pem /etc/pki/ca-trust/source/anchors/ >update-ca-trust
5. Connections to EAP-TLS via NetworkManager now work. 6. PROBLEM, I don't want a private CA set globally. A vpn connection does not do this when using private CA. Also, wpa_supplicant works with out the CA being imported into the global store.
7. I REALLY DONT LIKE THE SELF SIGNED / PRIVATE CA GLOBALLY.
Does anyone see any obvious mistakes in what a described above?
Ollie Teasley Linux Administrator ISMELL.SHOES, LLC - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
On 9 Feb 2016, at 23:14, Stefan Winter <stefan.winter@restena.lu> wrote:
And here is the screenshot, unless it gets scraped.
PNGs and SVGs are allowed. Wouldn't mind a copy of the original email so I can figure out why the signature appears invalid. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hello, Yes I know I can point it to the CA. The issue is that its is still using the global certs. This is not how it used to work. Either way, its not a radius issue. I did see on a forum something related to this. The big thing would be to see if you have the same versions that I listed in the start of the thread. EAP-TLS work for you via NetworkManager? Ollie Teasley Linux Administrator ISMELL.SHOES, LLC On Wed, Feb 10, 2016 at 1:25 AM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 9 Feb 2016, at 23:14, Stefan Winter <stefan.winter@restena.lu> wrote:
And here is the screenshot, unless it gets scraped.
PNGs and SVGs are allowed. Wouldn't mind a copy of the original email so I can figure out why the signature appears invalid.
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Yes I know I can point it to the CA. The issue is that its is still using the global certs. This is not how it used to work. Either way, its not a radius issue. I did see on a forum something related to this. The big thing would be to see if you have the same versions that I listed in the start of the thread.
I'm using NetworkManager 1.0.6 on an openSUSE Leap 42.1 with KDE5's "Plasma NM" applet.
EAP-TLS work for you via NetworkManager?
I use EAP-TLS only on my Mac, so can't say if ait actually *works* on this distro. Earlier versions of KNetworkManager and Plasma NM ill-advisedly defaulted to "Use System CA store". It took me and others quite a fight in the bug tracking system to convince people that this is nonsense and that this option a) shouldn't exist in the first place, but b) should default to off if they really think they need to present this option. That seems to have worked, as the UI currently does not present that option. BTW, you didn't tell us which UI *you* are using in front of NM? Greetings, Stefan Winter
Ollie Teasley Linux Administrator ISMELL.SHOES, LLC
On Wed, Feb 10, 2016 at 1:25 AM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 9 Feb 2016, at 23:14, Stefan Winter <stefan.winter@restena.lu> wrote:
And here is the screenshot, unless it gets scraped.
PNGs and SVGs are allowed. Wouldn't mind a copy of the original email so I can figure out why the signature appears invalid.
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
participants (4)
-
Arran Cudbard-Bell -
John Teasley -
Matthew Newton -
Stefan Winter