Freeradius 3 self signed certificate
Hi, I'm trying to setup Freeradius 3.0.4 under CentOS 7 with TTLS-EAP and MSCHAPv2. My first tests with using LDAP in the back and the defaultly installed server certificate were successful. There won't be any authentication via client certificate. It's all about the server certificate for the TLS encryption. There is a self signed certificate which I would like install in the server. Now I'm somewhat struggling with the server side configuration. Why do I want these cnf files in the certs directory? Honestly I expected to just place the certificate/key files there, link them in the config and be done. I found some documents in the internet saying that this server certificate need extended key usage attributes (1.3.6.1.5.5.7.3.1). Is that right? The certificate is actually issued from a subCA. What do I have to consider when installing the cert, key and cacert in the FreeRadius server? Does the ca certificate need to be concatenated from the rootCA and also the subCA? What do I need to consider when it comes to installing the cacert to the clients (iOS, Android, Windows 7+, Linux, OS X). Does the certificate be a catted cert from the rootca cert and the subca cert? I there anything else I need to consider? We're using TinyCA 0.7.5. Thank you list -- Peakwork Signature *Jochen Demmer* Network Administrator T: +49-(0)241-4131146-29 jochen.demmer@peakwork.com peakwork AG | Sonnenweg 15 a | D-52070 Aachen | T: +49-(0)241-4131146-29 | F: +49-(0)241-4131146-17 peakwork AG (Headquarter) | Flinger Str. 36 | D-40213 Düsseldorf | T: +49-(0)211-91368-500 | F: +49-(0)211-91368-509 Executive board: Ralf Usbeck (chairman) | Markus Pfau | Michael Schmidt | Dr. Thomas van Kaldenkerken Chairman of the supervisory board: Markus Voelkel Company register: Amtsgericht Düsseldorf HRB 71223 | VAT ID.: DE264960677 Peakwork Logo www.peakwork.com | www.peakwork.de
There is a self signed certificate which I would like install in the server. Now I'm somewhat struggling with the server side configuration. Why do I want these cnf files in the certs directory? Honestly I expected to just place the certificate/key files there, link them in the config and be done. I found some documents in the internet saying that this server certificate need extended key usage attributes (1.3.6.1.5.5.7.3.1). Is that right?
The CNF files in the certs directory allow you to build self-signed certs for your FreeRADIUS infrastructure. There is a file in the directory that provides the extended key usage attributes (it's called xpextensions). Any cert generated from the CNF files in the certs directory will comply with Windows requirements. Of course, if you use something else (TinyCA), those CNF files don't apply...
What do I need to consider when it comes to installing the cacert to the clients (iOS, Android, Windows 7+, Linux, OS X). Does the certificate be a catted cert from the rootca cert and the subca cert?
AFAIK you need to provide a cert that contains the full chain, yes. With Regards Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
Hi,
Why do I want these cnf files in the certs directory? Honestly I expected to just place the certificate/key files there, link them in the config and be done.
those files provide a good starting point if you want to use your own self-signed cert - they provide required CA configuration and extensions.
The certificate is actually issued from a subCA. What do I have to consider when installing the cert, key and cacert in the FreeRadius server? Does the ca certificate need to be concatenated from the rootCA and also the subCA?
on the server, you need to have the CA and any intermediates concatenated into one file and read via the certificate_file option (ONLY use the CA_file if doing EAP-TLS!!)
What do I need to consider when it comes to installing the cacert to the clients (iOS, Android, Windows 7+, Linux, OS X). Does the certificate be a catted cert from the rootca cert and the subca cert?
just the CA root....as the intermediate is being fed to it from the server. you could install the intermediates too if the OS supports that.
I there anything else I need to consider? We're using TinyCA 0.7.5.
yes, ensure the cert you generate for the server contains the required extensions and ensure that the CA you are using is correct/proper for 802.1X on modern OSes (this is also something that you will need to keep an eye on as the OS vendors are changing their rules...) - so ensure theres no MD5 at all - all SHA1 (256 or better!) , ensure the CA contraints are set, ensure theres an OSCP marker even thouhg its not used (thanks Windows Phone!) alan
On Jun 29, 2015, at 4:47 AM, Jochen Demmer <jochen.demmer@peakwork.com> wrote:
There is a self signed certificate which I would like install in the server. Now I'm somewhat struggling with the server side configuration. Why do I want these cnf files in the certs directory? Honestly I expected to just place the certificate/key files there, link them in the config and be done.
If you don't want the server to ship with example configuration files, you're free to delete them all after you install it. Then, good luck figuring out how anything works.
I found some documents in the internet saying that this server certificate need extended key usage attributes (1.3.6.1.5.5.7.3.1). Is that right?
How about reading the README file in the "certs" directory? This is all documented.
The certificate is actually issued from a subCA. What do I have to consider when installing the cert, key and cacert in the FreeRadius server? Does the ca certificate need to be concatenated from the rootCA and also the subCA?
This is all documented in eap.conf (v2) or raddb/mods-available/eap (v3).
What do I need to consider when it comes to installing the cacert to the clients (iOS, Android, Windows 7+, Linux, OS X). Does the certificate be a catted cert from the rootca cert and the subca cert?
The client needs the CA. Just like a web browser needs a CA. Again, this is all documented. Alan DeKok.
Hello,
The certificate is actually issued from a subCA. What do I have to consider when installing the cert, key and cacert in the FreeRadius server? Does the ca certificate need to be concatenated from the rootCA and also the subCA? What do I need to consider when it comes to installing the cacert to the clients (iOS, Android, Windows 7+, Linux, OS X). Does the certificate be a catted cert from the rootca cert and the subca cert? I there anything else I need to consider? We're using TinyCA 0.7.5.
For client-side setup, you should give the last section of http://freeradius.org/enterprise-wifi.html a read. This is linked from the start page! https://802.1x-config.org is free and easy. Regarding intermediates, you either need to send them during the EAP conversation (server sends every time) or you need to install them together with the root CA cert on the clients. The latter option will leave all BYOD devices which don't get your config with a broken chain, so that's usually not recommended. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Jochen Demmer -
Stefan Paetow -
Stefan Winter