Microsoft PEAP-EAP-TLS support (certificate auth with SoH)?
Hi, Does anyone know if FreeRADIUS now supports Microsoft PEAP/EAP-TLS, i.e. when you select PEAP with Certificates in Windows (not plain EAP-TLS, or PEAP/MS-CHAPv2, which both work fine)? This post from 2007 (and FR 1.0.1) indicates that it didn't work then, wondered if that's changed at all? https://lists.freeradius.org/pipermail/freeradius-users/2007-April/msg00841.... For the reasons in that e-mail, I similarly don't care about using it for auth, as EAP-TLS works fine. However, from the SoH documentation, it needs either PEAP or DHCP to work. I haven't ruled out DHCP yet, but it seems a lot tidier to do it in RADIUS if possible, which in turn just leaves PEAP. The 'normal' PEAP with MS-CHAPv2 works fine giving the SoH details, but has to be "user authentication" on the client. EAP-TLS works fine presenting the certificate to connect to the network (Microsoft's so-called "computer auth"), but doesn't, as far as I can tell, do SoH. Is it actually possible to do SoH with certificate-based authentication, or do I have to look towards DHCP for this? I'm using a very custom config at the moment (on the latest v2.1.x branch), and having tried all sorts can't get it to play. I'll probably try working from the default config later just in case I've missed something blindingly obvious, but if anyone could confirm if the above post is still true or there is no other way to do it then it will save me a lot of time trying! :) Cheers, Matthew (Wishing Microsoft would bother to support a few additional options in their built-in supplicant, rather than just the couple of odd combinations that they want.) -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Matthew Newton wrote:
Does anyone know if FreeRADIUS now supports Microsoft PEAP/EAP-TLS, i.e. when you select PEAP with Certificates in Windows (not plain EAP-TLS, or PEAP/MS-CHAPv2, which both work fine)? This post from 2007 (and FR 1.0.1) indicates that it didn't work then, wondered if that's changed at all?
It might work. I recall doing some testing a while ago. It's not a widely used feature. You'll need to set up *two* instances of the EAP module. One for the outer PEAP session, and a separate one for the inner EAP.
Is it actually possible to do SoH with certificate-based authentication, or do I have to look towards DHCP for this?
No idea. Ask Microsoft how their software works. Alan DeKok.
On 01/20/2012 01:08 AM, Matthew Newton wrote:
The 'normal' PEAP with MS-CHAPv2 works fine giving the SoH details, but has to be "user authentication" on the client. EAP-TLS works fine presenting the certificate to connect to the network (Microsoft's so-called "computer auth"), but doesn't, as far as I can tell, do SoH.
Correct.
Is it actually possible to do SoH with certificate-based authentication, or do I have to look towards DHCP for this?
SoH is a PEAP TLV. If the PEAP module is running, it should support SoH regardless of the type of inner-auth.
Hi, It's working! On Fri, Jan 20, 2012 at 08:28:49AM +0100, Alan DeKok wrote:
Matthew Newton wrote:
Does anyone know if FreeRADIUS now supports Microsoft PEAP/EAP-TLS, i.e. when you select PEAP with Certificates in
It's not a widely used feature.
Obviously :-) SoH is the only reasonably sane(?) reason I can think of for doing EAP-TLS inside PEAP.
You'll need to set up *two* instances of the EAP module. One for the outer PEAP session, and a separate one for the inner EAP.
Gotcha - thanks. That wasn't the only thing, but without doing that it wasn't possible for it to work. Reasoning: Ultimately, the problem was down to the fact that fragment_size in the inner TLS (EAP-TLS) must be smaller than that of the outer (TLS for PEAP). With two different instances of eap, and a difference of about 50 bytes between the inner and outer fragment sizes, it all works. I've currently set the inner to the default of 1024, and the outer to 1200. Apart from the tls fragment size, the rest of the eap configuration can be literally identical. Won't do that as it's very untidy, but it does work. On Fri, Jan 20, 2012 at 10:50:28AM +0000, Phil Mayers wrote:
On 01/20/2012 01:08 AM, Matthew Newton wrote:
Is it actually possible to do SoH with certificate-based authentication, or do I have to look towards DHCP for this?
SoH is a PEAP TLV. If the PEAP module is running, it should support SoH regardless of the type of inner-auth.
Yes, thanks - it's working fine. So I now have a stack of cards that resembles: PEAP (TLS comes up using main "eap" instantiation) SoH (happens over PEAP, calls "soh-server" virtual server) PEAP calls "inner-tunnel" virtual server -> EAP-TLS (uses secondary "innereap" instantiation of eap) -> OCSP (checks inner certificate) For reference, setting EAP-TLS-Require-Client-Cert = Yes just breaks things, as the client refuses to send a certificate at the PEAP stage. Thanks for the help! Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (3)
-
Alan DeKok -
Matthew Newton -
Phil Mayers