I'm having a similar issue to the one described here: http://freeradius.1045715.n5.nabble.com/PEAP-TTLS-and-Client-certificates-td... Currently, I can auth with just a signed cert, or just username/password I would like to enforce both, but I have been unable to determine the correct keywords/config after reading many forum posts, in addition to the comments provided in the default configuration I have attempted to add this config line to enforce signed certs in sites-available/default: EAP-TLS-Require-Client-Cert = yes This causes freeradius not to start for me though, and I'm pretty certain I have tried putting that in each block present in the file As for requiring user/password auth, I have tried: DEFAULT EAP-Type == EAP-Type-TLS, Auth-Type := Reject Which causes freeradius to fail to load DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject Which still allows EAP-TLS only DEFAULT EAP-Type != PEAP, Auth-Type := Reject Which still allows EAP-TLS only as well Please advise Thanks in advance, -Pete
On Sep 23, 2016, at 3:20 PM, Peter Lesko <plesko@blispay.com> wrote:
I'm having a similar issue to the one described here: http://freeradius.1045715.n5.nabble.com/PEAP-TTLS-and-Client-certificates-td...
Currently, I can auth with just a signed cert, or just username/password
I would like to enforce both, but I have been unable to determine the correct keywords/config after reading many forum posts, in addition to the comments provided in the default configuration
OK...
I have attempted to add this config line to enforce signed certs in sites-available/default: EAP-TLS-Require-Client-Cert = yes
This causes freeradius not to start for me though,
The server produces an error message when run in debug mode. Are you reading it? Or, maybe you're not even using debug mode. Why not?
and I'm pretty certain I have tried putting that in each block present in the file
Don't "try hard". Follow the documentation and examples. You CANNOT just put that text into the default virtual server, and expect it to work. The format of that file is documented. Please read "man unlang".
As for requiring user/password auth, I have tried:
DEFAULT EAP-Type == EAP-Type-TLS, Auth-Type := Reject Which causes freeradius to fail to load
It may be useful to read the error message it produces.
DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject Which still allows EAP-TLS only
DEFAULT EAP-Type != PEAP, Auth-Type := Reject Which still allows EAP-TLS only as well
Please advise
Read the documentation and examples to see how the server works. Don't invent your own syntax. In the "authorize" section, add: update control { EAP-TLS-Require-Client-Cert = yes } Alan DeKok.
On Fri, Sep 23, 2016 at 07:20:29PM +0000, Peter Lesko wrote:
I'm having a similar issue to the one described here: http://freeradius.1045715.n5.nabble.com/PEAP-TTLS-and-Client-certificates-td...
Currently, I can auth with just a signed cert, or just username/password
I would like to enforce both, but I have been unable to determine the correct keywords/config after reading many forum posts, in addition to the comments provided in the default configuration
Just check your client's supplicant capabilities first. Many can't do this at all. For example I am not aware of any version of Windows where this will work. One or the other, yes. Both, no. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
I have thrown away that environment because it was debian using 2.x, which is apparently not recommended for new deployments I have set up ubuntu running 3.0.11 instead, and I have generated certs using my own CA, along with make server make client If I use eapol_test with these certs, I can successfully auth with PEAP, TLS configurations, but when I try to import the client .crt in apple configurator 2, or the .p12, I am unable to authenticate using PEAP, TLS, or TTLS with my macbook running OS X 10.11 through my WAP after generating a pfx with: openssl pkcs12 -export -out client.pfx -inkey client.key -in client.pem -certfile ca.crt I am unable to select client.pem or client.crt as a client certificate in my configuration for TLS. The error I get running /usr/sbin/freeradius -fxx -l stdout for this connection appears to indicate I don't have a good cert: (9) Found Auth-Type = eap (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0xe86272eeeb667f10 (9) eap: Finished EAP session with state 0xe86272eeeb667f10 (9) eap: Previous EAP request found for state 0xe86272eeeb667f10, released from the list (9) eap: Peer sent packet with method EAP TLS (13) (9) eap: Calling submodule eap_tls to process data (9) eap_tls: Continuing EAP-TLS (9) eap_tls: Peer indicated complete TLS record size will be 7 bytes (9) eap_tls: Got complete TLS record (7 bytes) (9) eap_tls: [eaptls verify] = length included (9) eap_tls: <<< recv TLS 1.0 Alert [length 0002], warning close_notify (9) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A (9) eap_tls: ERROR: SSL says: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure (9) eap_tls: ERROR: SSL_read failed in a system call (-1), TLS session failed (9) eap_tls: ERROR: TLS receive handshake failed during operation (9) eap_tls: ERROR: [eaptls process] = fail (9) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (9) eap: Sending EAP Failure (code 4) ID 4 length 4 (9) eap: Failed in EAP select (9) [eap] = invalid (9) } # authenticate = invalid (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject On Sun, Sep 25, 2016 at 7:46 PM Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Fri, Sep 23, 2016 at 07:20:29PM +0000, Peter Lesko wrote:
I'm having a similar issue to the one described here:
http://freeradius.1045715.n5.nabble.com/PEAP-TTLS-and-Client-certificates-td...
Currently, I can auth with just a signed cert, or just username/password
I would like to enforce both, but I have been unable to determine the correct keywords/config after reading many forum posts, in addition to
the
comments provided in the default configuration
Just check your client's supplicant capabilities first.
Many can't do this at all. For example I am not aware of any version of Windows where this will work. One or the other, yes. Both, no.
Matthew
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Not a freeradius issue. Client issue. You will need to ensure that the mac had the CA root and any intermediates required installed. The .mobileconfig can be populated with these requirements. pkcs12 and pem are 'mac-friendliest' alan
I'm not sure why I wasn't able to get the p12 certs to work the first time. I switched to EAP-TTLS and MSCHAPv2 and was able to get everything configured as expected Thanks so much for your help Alan, Matthew, and Alan! -Pete On Tue, Sep 27, 2016 at 1:23 PM Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Not a freeradius issue. Client issue. You will need to ensure that the mac had the CA root and any intermediates required installed. The .mobileconfig can be populated with these requirements.
pkcs12 and pem are 'mac-friendliest'
alan
participants (4)
-
Alan Buxey -
Alan DeKok -
Matthew Newton -
Peter Lesko