clarification on eap configuration files and certificates
hi all, I have some doubts about eap module configuration file. In my organization we use a public CA for radius server certificates. The freeradius version is 3.0.12 from debian stable repository. What's the difference between: 1) setting only the server certificate in "certificate_file" and using "ca_file" to indicate the certificate of authority that issued "certificate_file" OR 2) set in "certificate_file" not only the server certificate, but also all of the CA certificates used to sign the server certificate and comment "ca_file" (this is my current configuration) I ask you this question because the ultimate goal is to deny use of EAP-TLS and allow only PEAP. I have read various posts with different solutions and I am a bit confused. Thank you! Marco -- **************************************** Marco Santantonio Direzione Sistemi Informativi, Portale, E-learning Sezione Fonia, VoIP e WiFi www.unito.it ****************************************
On Jun 19, 2019, at 9:04 AM, Marco Santantonio <marco.santantonio@unito.it> wrote:
I have some doubts about eap module configuration file.
In my organization we use a public CA for radius server certificates. The freeradius version is 3.0.12 from debian stable repository.
You should really upgrade. There are packages available on http://packages.networkradius.com
What's the difference between: 1) setting only the server certificate in "certificate_file" and using "ca_file" to indicate the certificate of authority that issued "certificate_file" OR 2) set in "certificate_file" not only the server certificate, but also all of the CA certificates used to sign the server certificate and comment "ca_file" (this is my current configuration)
There is no real difference. The certificates will work. We allow multiple configurations because sometimes people need *more* functionality. i.e. they can put multiple CAs into "ca_file". And then issue EAP-TLS client certificates from those CAs.
I ask you this question because the ultimate goal is to deny use of EAP-TLS and allow only PEAP.
Remove the "tls { ... }" section from mods-available/eap. EAP-TLS will stop working.
I have read various posts with different solutions and I am a bit confused.
The comments in the configuration files aren't perfect, but they're not terrible. You should believe the config files over random third-party web sites. Alan DeKok.
many thanks Alan! Il giorno mer 19 giu 2019 alle ore 15:22 Alan DeKok < aland@deployingradius.com> ha scritto:
On Jun 19, 2019, at 9:04 AM, Marco Santantonio <marco.santantonio@unito.it> wrote:
I have some doubts about eap module configuration file.
In my organization we use a public CA for radius server certificates. The freeradius version is 3.0.12 from debian stable repository.
You should really upgrade. There are packages available on http://packages.networkradius.com
What's the difference between: 1) setting only the server certificate in "certificate_file" and using "ca_file" to indicate the certificate of authority that issued "certificate_file" OR 2) set in "certificate_file" not only the server certificate, but also all of the CA certificates used to sign the server certificate and comment "ca_file" (this is my current configuration)
There is no real difference. The certificates will work.
We allow multiple configurations because sometimes people need *more* functionality. i.e. they can put multiple CAs into "ca_file". And then issue EAP-TLS client certificates from those CAs.
I ask you this question because the ultimate goal is to deny use of EAP-TLS and allow only PEAP.
Remove the "tls { ... }" section from mods-available/eap. EAP-TLS will stop working.
I have read various posts with different solutions and I am a bit confused.
The comments in the configuration files aren't perfect, but they're not terrible. You should believe the config files over random third-party web sites.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- **************************************** Marco Santantonio Direzione Sistemi Informativi, Portale, E-learning Sezione Fonia, VoIP e WiFi www.unito.it ****************************************
Hi all, I have one last doubt on the subject. As I said, we use certificates issued by a public CA (Digicert). In the certificates chain that I insert in the certificate_file should i also enter the root CA or, being this public and recognized, do I expect the clients to know it already? Does leaving the CA root in the chain not increase packet exchange with probable longer round-trip times and therefore slower authentications? Many thanks! Marco Il giorno mer 19 giu 2019 alle ore 15:39 Marco Santantonio < marco.santantonio@unito.it> ha scritto:
many thanks Alan!
Il giorno mer 19 giu 2019 alle ore 15:22 Alan DeKok < aland@deployingradius.com> ha scritto:
On Jun 19, 2019, at 9:04 AM, Marco Santantonio < marco.santantonio@unito.it> wrote:
I have some doubts about eap module configuration file.
In my organization we use a public CA for radius server certificates.
The
freeradius version is 3.0.12 from debian stable repository.
You should really upgrade. There are packages available on http://packages.networkradius.com
What's the difference between: 1) setting only the server certificate in "certificate_file" and using "ca_file" to indicate the certificate of authority that issued "certificate_file" OR 2) set in "certificate_file" not only the server certificate, but also all of the CA certificates used to sign the server certificate and comment "ca_file" (this is my current configuration)
There is no real difference. The certificates will work.
We allow multiple configurations because sometimes people need *more* functionality. i.e. they can put multiple CAs into "ca_file". And then issue EAP-TLS client certificates from those CAs.
I ask you this question because the ultimate goal is to deny use of EAP-TLS and allow only PEAP.
Remove the "tls { ... }" section from mods-available/eap. EAP-TLS will stop working.
I have read various posts with different solutions and I am a bit confused.
The comments in the configuration files aren't perfect, but they're not terrible. You should believe the config files over random third-party web sites.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- **************************************** Marco Santantonio Direzione Sistemi Informativi, Portale, E-learning Sezione Fonia, VoIP e WiFi www.unito.it ****************************************
-- **************************************** Marco Santantonio Direzione Sistemi Informativi, Portale, E-learning Sezione Fonia, VoIP e WiFi www.unito.it ****************************************
On Jun 20, 2019, at 5:06 AM, Marco Santantonio <marco.santantonio@unito.it> wrote:
I have one last doubt on the subject. As I said, we use certificates issued by a public CA (Digicert). In the certificates chain that I insert in the certificate_file should i also enter the root CA or, being this public and recognized, do I expect the clients to know it already?
The clients should already know the root CA. It may work if you don't put the root CA into the certificate_file.
Does leaving the CA root in the chain not increase packet exchange with probable longer round-trip times and therefore slower authentications?
Leaving the root CA in the chain will likely add one more packet exchange. It may slow down authentication slightly. But in practice, this isn't much of an issue. If you enable fast session resumption, then 99% of authentications will use that, and will bypass the certificate exchange completely. And, leaving the root CA in there may help in some cases. I usually recommend being safe. Leave the root CA there, and enable fast session resumption. Alan DeKok.
ok, many thanks for your support! Marco Il giorno gio 20 giu 2019 alle ore 13:04 Alan DeKok < aland@deployingradius.com> ha scritto:
On Jun 20, 2019, at 5:06 AM, Marco Santantonio <marco.santantonio@unito.it> wrote:
I have one last doubt on the subject. As I said, we use certificates
issued
by a public CA (Digicert). In the certificates chain that I insert in the certificate_file should i also enter the root CA or, being this public and recognized, do I expect the clients to know it already?
The clients should already know the root CA. It may work if you don't put the root CA into the certificate_file.
Does leaving the CA root in the chain not increase packet exchange with probable longer round-trip times and therefore slower authentications?
Leaving the root CA in the chain will likely add one more packet exchange. It may slow down authentication slightly. But in practice, this isn't much of an issue.
If you enable fast session resumption, then 99% of authentications will use that, and will bypass the certificate exchange completely. And, leaving the root CA in there may help in some cases.
I usually recommend being safe. Leave the root CA there, and enable fast session resumption.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- **************************************** Marco Santantonio Direzione Sistemi Informativi, Portale, E-learning Sezione Fonia, VoIP e WiFi www.unito.it ****************************************
participants (2)
-
Alan DeKok -
Marco Santantonio