A few questions about radsec
Hello, I successfully configured freeradius server to support radsec and using radsecproxy to test it. But I have a few questions. I tried to find answers in the example configuration files, but it looks like there aren’t Why "Initial implementation" https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-avai... something important is not supported yet? If I understand radsec rfc correctly there are 3 possible ways to identify clients https://tools.ietf.org/html/draft-ietf-radext-radsec-12#section-2.4 by rfc all 3 should use some part of client certificate or TLS identifier. But judging by configuration in `tls` file I assume that freeradius uses ip address + certificate. Or only ip address if `proto = tcp` https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-avai... Am I right? It is very unlikely, but what if I will have to, or I will want to proxy radsec request to home server without client certificate (TLS-PSK). I should removed only secret value from configuration https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-avai... ? To test radsec I used radsecproxy + radlclient/eapol_test. Is there any other worthy utility for this? This is the quote from RFC Introduction https://tools.ietf.org/html/draft-ietf-radext-radsec-12#section-1
The new features in RADIUS over TLS obsolete the use of IP addresses and shared MD5 secrets to identify other peers and thus allow the use of more contemporary trust models, e.g. checking a certificate by inspecting the issuer and other certificate properties.
I'm interested in radius clients identification. Is it possible to get radius client id in radius config section that support unlang? For example CN or fingerprint from radius client certificate, like its by done for EAP-TLS request. -- Vladimir
work vlpl <thework.vlpl@gmail.com> wrote:
Hello, I successfully configured freeradius server to support radsec and using radsecproxy to test it. But I have a few questions. I tried to find answers in the example configuration files, but it looks like there aren’t
Reading https://github.com/FreeRADIUS/freeradius-server/issues/2292 ...may provide you with some information about the status of some of the features you are interested in.
judging by configuration in `tls` file I assume that freeradius uses ip address + certificate.
FreeRADIUS lets you limit what source IP addresses you accept RadSec connections from, in addition to certifying them with PKI. If you want. I've never tried it, but you can probably use a wildcard client stanza with proto = tls.
It is very unlikely, but what if I will have to, or I will want to proxy radsec request to home server without client certificate (TLS-PSK). I should removed only secret value from configuration?
I think you may be confusing the "secret" with the PSK. The "secret" in all RadSec should be set to "radsec" because the "secret" is obsolete if you are using TLS. You need to be removing the cert-related directives and looking at the psk_query or psk_identity+psk_hexphrase directives. The comments in the sample config probably need some work. When you figure it out, send a patch! :-)
I'm interested in radius clients identification. Is it possible to get radius client id in radius config section that support unlang? For example CN or fingerprint from radius client certificate, like its by done for EAP-TLS request.
See the above github issue... support will vary depending on how close to the bleeding edge your server is.
On Feb 15, 2019, at 1:47 PM, work vlpl <thework.vlpl@gmail.com> wrote:
Why "Initial implementation" https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-avai... something important is not supported yet?
It's fully supported. That text is just old and hadn't been updated.
If I understand radsec rfc correctly there are 3 possible ways to identify clients https://tools.ietf.org/html/draft-ietf-radext-radsec-12#section-2.4 by
See RFC 6615 for the final revision of the standard.
rfc all 3 should use some part of client certificate or TLS identifier. But judging by configuration in `tls` file I assume that freeradius uses ip address + certificate.
It can use both. Note that there is *no problem* with doing source IP filtering. In fact, you likely want to do that, even for RadSec. The alternative is to have random people hammer your RADIUS server with connection attempts.
Or only ip address if `proto = tcp` https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-avai... Am I right?
See RFC 6613 for a description of RADIUS over TCP. For that, FreeRADIUS uses the source IP, because there are no certificates available. Just like with normal RADIUS / UDP.
It is very unlikely, but what if I will have to, or I will want to proxy radsec request to home server without client certificate (TLS-PSK). I should removed only secret value from configuration https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-avai... ?
No... the RFC says that the secret is always "radsec" for RadSec connections.
To test radsec I used radsecproxy + radlclient/eapol_test. Is there any other worthy utility for this?
radsecproxy is fine.
This is the quote from RFC Introduction https://tools.ietf.org/html/draft-ietf-radext-radsec-12#section-1
The new features in RADIUS over TLS obsolete the use of IP addresses and shared MD5 secrets to identify other peers and thus allow the use of more contemporary trust models, e.g. checking a certificate by inspecting the issuer and other certificate properties.
I'm interested in radius clients identification. Is it possible to get radius client id in radius config section that support unlang? For example CN or fingerprint from radius client certificate, like its by done for EAP-TLS request.
Yes. See the GitHub issue Brian pointed you to. I'll go update the documentation in the virtual server. Alan DeKok.
On Sat, 16 Feb 2019 at 03:33, Alan DeKok <aland@deployingradius.com> wrote:
I'm interested in radius clients identification. Is it possible to get radius client id in radius config section that support unlang? For example CN or fingerprint from radius client certificate, like its by done for EAP-TLS request.
Yes. See the GitHub issue Brian pointed you to. I'll go update the documentation in the virtual server.
Thank you for answers. I have one problem left - can't figure out how to access to %{listen:...} strings. In virtual site configuration that referenced in `tls` file I added these strings `` authorize { %{listen:TLS-Client-Cert-Common-Name} %{listen:TLS-Client-Cert-CN} %{listen:TLS-Client-Cert-Subject} %{listen:TLS-Client-Cert-Subject-Alt-Name-Dns} ... ``` In debug output I see this ``` Waking up in 29.4 seconds. (0) Application data status 7 (0) tls_recv: Access-Request packet from host 172.20.0.1 port 42601, id=1, length=118 Threads: total/active/spare threads = 5/0/5 Waking up in 0.3 seconds. Thread 4 got semaphore Thread 4 handling request 0, (1 handled so far) (0) Received Access-Request Id 1 from 172.20.0.1:42601 to 0.0.0.0:2083 length 118 (0) User-Name = "testing" (0) NAS-Identifier = "foo" (0) Called-Station-Id = "testid" (0) MS-CHAP-Challenge = 0x716a0175a2d80c7d (0) MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000005a24ab85f026fae15e930276c4129556fc5e9c355ec01735 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/testing-stie (0) authorize { (0) Listener does not contain config item "TLS-Client-Cert-Common-Name" (0) EXPAND %{listen:TLS-Client-Cert-Common-Name} (0) --> (0) Listener does not contain config item "TLS-Client-Cert-CN" (0) EXPAND %{listen:TLS-Client-Cert-CN} (0) --> (0) Listener does not contain config item "TLS-Client-Cert-Subject" (0) EXPAND %{listen:TLS-Client-Cert-Subject} (0) --> (0) Listener does not contain config item "TLS-Client-Cert-Subject-Alt-Name-Dns" (0) EXPAND %{listen:TLS-Client-Cert-Subject-Alt-Name-Dns} (0) --> ``` Certificate that is used by radsecproxy has values for CN `Subject: C = GB, ST = England, O = First CA, CN = radsecclient.local` What I do wrong?
On Feb 18, 2019, at 12:31 PM, work vlpl <thework.vlpl@gmail.com> wrote:
I have one problem left - can't figure out how to access to %{listen:...} strings.
They're just string expansions like anything else. But you will need to be running the code from GitHub (v3.0.x), because it's not in any release.
In virtual site configuration that referenced in `tls` file I added these strings
`` authorize { %{listen:TLS-Client-Cert-Common-Name} %{listen:TLS-Client-Cert-CN} %{listen:TLS-Client-Cert-Subject} %{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}
I'm not sure what you expect that to do, even if the expansions worked there. Alan DeKok.
On Tue, 19 Feb 2019 at 02:47, Alan DeKok <aland@deployingradius.com> wrote:
They're just string expansions like anything else. But you will need to be running the code from GitHub (v3.0.x), because it's not in any release.
I am using the "latest" available version from github, currently it is `radiusd: FreeRADIUS Version 3.0.18 (git #3e6e385),` Maybe I need to pass some flag or configuration to compiler, to enable access to %{listen:...} strings ?
authorize { %{listen:TLS-Client-Cert-Common-Name} %{listen:TLS-Client-Cert-CN} %{listen:TLS-Client-Cert-Subject} %{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}
I'm not sure what you expect that to do, even if the expansions worked there.
These 4 lines just for debug purposes, to see that strings values are "available" for unlang. I am planing/want to use CN or Subject Alt Name to identify radius clients. I am understand that %{listen:...} is a string expansion and not an attribute list, so I can't print in loop all values that available in %{listen:...}. Can I somehow print in debug mode all available values from %{listen:..} ?
Sorry, I found reason. In my config this option `require_client_cert = yes` was set to `no` `tls` file accidentally was copied from very old freeradius release Again, thank you for answers.
participants (3)
-
Alan DeKok -
Brian Julin -
work vlpl