RES: Re: RES: Re: PEAP/EAP-TLS with client and server certificate
Marcelo Augusto Rodrigues Pimentel wrote:
OK. But I?m trying to use peap to make an encrypted tunnel validating the server certificate and then I want to authenticate the clients whith EAP-TLS using client/server certificate. The TLS tunnel is working fine, but the second part of EAP-TLS authentication not.
What second part of EAP-TLS? The server supports authenticating via client certificates, and nothing else.
I said two parts, because those parts of my configuration uses TLS: The first part is making the encrypt tunnel using PEAP --> Only validates server certificate to create the tunnel. The second part is the authenticathion inner the tunnel with EAP-TLS --> Mutual validation of client and server certificate. This configuration is like Geroge Ou said below: ... PEAP-EAP-TLS is an improved version of the original EAP-TLS protocol that goes further to encrypt client digital certificate information. Both PEAP-EAP-TLS and EAP-TLS have the same server and client side digital certificate requirements. ... Reference: Wireless LAN security guide --> Level 3: Medium to large Enterprise WLAN security" http://www.lanarchitect.net/Articles/Wireless/SecurityRating/ Thank´s !
So .... in the peap section in the eap.conf, what I?ve to configure for default eap type? Is tls ?
No. You can leave it alone. It's fine.
If I configure tls, I?ve to create a tls section in the peap section or the tls section of the eap.conf is enough. I?ve attached my eap.conf file.
If you want to use just TLS, you don't need the PEAP section. If you want to use PEAP, you need the TLS section. The comments in the "eap.conf" file explain this.
"Mensagem protegida por sigilo profissional. Sua utilização indevida sujeita o infrator às penas da lei. Não sendo seu destinatário, por favor, elimine-a e informe o equívoco ao emitente." "This e-mail message and any attachment are intended exclusively for the named addressee. They may contain confidential information which may also be protected by professional secrecy. Unless you are the named addressee (or authorised to receive for the addressee) you may not copy or use this message or any attachment or disclose the contents to anyone else. If this e-mail was sent to you by mistake please notify the sender immediately and delete this e-mail."
Marcelo Augusto Rodrigues Pimentel wrote:
I said two parts, because those parts of my configuration uses TLS:
The first part is making the encrypt tunnel using PEAP --> Only validates server certificate to create the tunnel.
The second part is the authenticathion inner the tunnel with EAP-TLS --> Mutual validation of client and server certificate.
FreeRADIUS doesn't support EAP-TLS inside of PEAP. It's also unnecessary. PEAP can have client certificates, and therefore doesn't need an inner TLS stage for client certificates.
This configuration is like Geroge Ou said below:
Which isn't supported in FreeRADIUS. If you tried using it on the client side, and running the server in debugging mode, the server would tell you it isn't supported. I'm not even sure that the Windows supplicant supports it. If you want the server to support it, there are a number of options open to you. Send in patches, or fund someone to write the patches. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On Apr 24, 2007, at 7:30 PM, Alan DeKok wrote:
Which isn't supported in FreeRADIUS. If you tried using it on the client side, and running the server in debugging mode, the server would tell you it isn't supported. I'm not even sure that the Windows supplicant supports it.
It *is* supported by the Windows supplicant, and I'm pretty sure it wouldn't be that difficult to enable support in FR (removing one or two lines, IIRC). EAP-TLS inside of PEAP allows for the inner ("real") identity exchange to be obfuscated inside the tunnel since the outer identity doesn't have to match the inner identity. I've never used the PEAP-EAP-TLS functionality before myself in Windows, but if its anything like the PEAP-EAP-MSCHAPv2 support, this argument doesn't really mean anything since the inner and outer identities are both set to the real identity in the Windows supplicant... --Mike
Michael Griego wrote:
It *is* supported by the Windows supplicant, and I'm pretty sure it wouldn't be that difficult to enable support in FR (removing one or two lines, IIRC).
I tried doing that a while ago. The immediate issue seemed to be that once the outer TLS tunnel was set up, the inner tunnel was negotiated... sort of. The inner tunnel got to the point where the client was sending a TLS "ack", asking for more data from the server. The problem was that it *wasn't* sending a TLS ack inside of the tunnel. Instead, it sent an empty TLS ack on the *outside* of the tunnel. This confused the code, as it believed that the outer tunnel was already set up, and it didn't know why the heck the client was asking for more data. So... to fix that requires more testing, and more code.
EAP-TLS inside of PEAP allows for the inner ("real") identity exchange to be obfuscated inside the tunnel since the outer identity doesn't have to match the inner identity. I've never used the PEAP-EAP-TLS functionality before myself in Windows, but if its anything like the PEAP-EAP-MSCHAPv2 support, this argument doesn't really mean anything since the inner and outer identities are both set to the real identity in the Windows supplicant...
Yup. I would prefer to use EAP-TTLS instead. It provides for differing inner/outer identities, and is a whole lot easier to deal with. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hello list Have anybody of you manage to configure freeradius to pull authorization iformation from MySQL and MSSQL (via ODBC/freetds) at the same time?? I have presently a working configuration Freeradius + Mysql + passwd + userfiles + NIS (via PAM) And I'm actually able to do Freeradius + MSSQL + passwd + userfiles + NIS (via PAM) But I'm not able to do all of them at the same time Freeradius + MSSQL + Mysql + passwd + userfiles + NIS (via PAM) Only switching lines in the radius.conf file #$INCLUDE ${confdir}/sql.conf #$INCLUDE ${confdir}/mssql.conf But, is there a way to configure a failover to ask MSSQL and then MySQL and have both modules running at the same time?? Thank in advance list users, any help will be appreciated!
info@mazone.info wrote:
Have anybody of you manage to configure freeradius to pull authorization iformation from MySQL and MSSQL (via ODBC/freetds) at the same time??
Have you listed two instances of the SQL module? See doc/configurable_failover for examples.
But, is there a way to configure a failover to ask MSSQL and then MySQL and have both modules running at the same time??
Yes. Configure the modules as: sql mssql { ... configuration ... } sql mysql { ... configuration ... } And then refer to them as "mssql" or "mysql", and never "sql". Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Thanks a lot, my erroe was thay I was still using "sql" for mysql as soon as I define mysql and mssql separetely it worked, now I have mssql + mysql + userfiles + password + NIS all 5 methods working at the same time Thanks a lot! -----Mensaje original----- De: freeradius-users-bounces+info=mazone.info@lists.freeradius.org [mailto:freeradius-users-bounces+info=mazone.info@lists.freeradius.org] En nombre de Alan DeKok Enviado el: Miércoles, 25 de Abril de 2007 02:40 a.m. Para: FreeRadius users mailing list Asunto: Re: MySQL & MSSQL info@mazone.info wrote:
Have anybody of you manage to configure freeradius to pull authorization iformation from MySQL and MSSQL (via ODBC/freetds) at the same time??
Have you listed two instances of the SQL module? See doc/configurable_failover for examples.
But, is there a way to configure a failover to ask MSSQL and then MySQL and have both modules running at the same time??
Yes. Configure the modules as: sql mssql { ... configuration ... } sql mysql { ... configuration ... } And then refer to them as "mssql" or "mysql", and never "sql". Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan DeKok -
info@mazone.info -
Marcelo Augusto Rodrigues Pimentel -
Michael Griego