Trusted CA, Signed Certs and Verification
Hello, I have been trying to use a Trusted CA to sign our freeradius server. The certificates are installed, the key, cert, the root chain all in their appropriate PEM files. The devices try to get the certificate that we specify; However, whenever we try to connect with an iOS device or Windows we get an error saying that the identity cannot be verified. I spoke with our SSL provider's support department, and they say this is normal behavior. There will always be a warning about identity not being able to be verified. Is this true? Am I missing something obvious? Sam Fakhreddine Site Systems Administrator
Sam Fakhreddine wrote:
The certificates are installed, the key, cert, the root chain all in their appropriate PEM files.
Where? In FreeRADIUS?
The devices try to get the certificate that we specify; However, whenever we try to connect with an iOS device or Windows we get an error saying that the identity cannot be verified.
The Root CAs have to be installed on the device.
Am I missing something obvious?
Please describe exactly what went where. Saying "certificates are installed" is a bit too vague. Alan DeKok.
What i mean is that they are in the certs directory and the eap config is setup to use. I have a PEM that contains server key, server crt, digicert root cert and the trusted root. Sent from my Windows Phone ________________________________ From: Alan DeKok<mailto:aland@deployingradius.com> Sent: 2014-04-03 7:11 PM To: FreeRadius users mailing list<mailto:freeradius-users@lists.freeradius.org> Subject: Re: Trusted CA, Signed Certs and Verification Sam Fakhreddine wrote:
The certificates are installed, the key, cert, the root chain all in their appropriate PEM files.
Where? In FreeRADIUS?
The devices try to get the certificate that we specify; However, whenever we try to connect with an iOS device or Windows we get an error saying that the identity cannot be verified.
The Root CAs have to be installed on the device.
Am I missing something obvious?
Please describe exactly what went where. Saying "certificates are installed" is a bit too vague. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sam Fakhreddine wrote:
What i mean is that they are in the certs directory and the eap config is setup to use.
I have a PEM that contains server key, server crt, digicert root cert and the trusted root.
That's nice, but not enough. Are the proper certs on the devices, too? EAP and TLS are complicated. Configuring FreeRADIUS is just one part of the problem. Alan DeKok.
I have installed the Digicert certificate and the Trusted root certifcate on a windows device, and still get the error. Do we need to install the SSL server cert on every device? We were hoping that by signing it publicly we would not have our users go through that extra step. ________________________________________ From: freeradius-users-bounces+sam.fakhreddine=ledcor.com@lists.freeradius.org [freeradius-users-bounces+sam.fakhreddine=ledcor.com@lists.freeradius.org] on behalf of Alan DeKok [aland@deployingradius.com] Sent: Thursday, April 03, 2014 8:03 PM To: FreeRadius users mailing list Subject: Re: Trusted CA, Signed Certs and Verification Sam Fakhreddine wrote:
What i mean is that they are in the certs directory and the eap config is setup to use.
I have a PEM that contains server key, server crt, digicert root cert and the trusted root.
That's nice, but not enough. Are the proper certs on the devices, too? EAP and TLS are complicated. Configuring FreeRADIUS is just one part of the problem. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 03/04/14 23:59, Sam Fakhreddine wrote:
Hello,
I have been trying to use a Trusted CA to sign our freeradius server.
The certificates are installed, the key, cert, the root chain all in their appropriate PEM files.
The devices try to get the certificate that we specify; However, whenever we try to connect with an iOS device or Windows we get an error saying that the identity cannot be verified.et
Do you get an error, or a prompt to trust the root for that connection? If you get an error, you've done something wrong. Either not installed the root at the client correctly, or not served the server and all intermediate certs from FreeRADIUS. I guess it's also possible the server cert is not valid wireless i.e. lacks the magic OIDs. See here: http://wiki.freeradius.org/config/Certificates If you get a prompt to trust the root, that's normal and can only be worked around by further telling the client in advance that the specific root is trusted for the specific connection.
On windows machines we get a prompt saying that "Windows Cannot Verify the server's identity". On iOS when you view the certificate it says: "Not Verified" This is confusing because we use a global CA Root (Digicert) that *is* already installed on all devices. Is the prompt normal even when using a Global CA Root that is installed on devices? Sam Fakhreddine p 780-395-5455 |-----Original Message----- |From: freeradius-users-bounces+sam.fakhreddine=ledcor.com@lists.freeradius.org |[mailto:freeradius-users- |bounces+sam.fakhreddine=ledcor.com@lists.freeradius.org] On Behalf Of Phil |Mayers |Sent: Friday, April 04, 2014 1:38 AM |To: freeradius-users@lists.freeradius.org |Subject: Re: Trusted CA, Signed Certs and Verification | |On 03/04/14 23:59, Sam Fakhreddine wrote: |> Hello, |> |> I have been trying to use a Trusted CA to sign our freeradius server. |> |> The certificates are installed, the key, cert, the root chain all in |> their appropriate PEM files. |> |> The devices try to get the certificate that we specify; However, |> whenever we try to connect with an iOS device or Windows we get an |> error saying that the identity cannot be verified.et | |Do you get an error, or a prompt to trust the root for that connection? | |If you get an error, you've done something wrong. Either not installed the root at the |client correctly, or not served the server and all intermediate certs from |FreeRADIUS. I guess it's also possible the server cert is not valid wireless i.e. lacks |the magic OIDs. See here: | |http://wiki.freeradius.org/config/Certificates | |If you get a prompt to trust the root, that's normal and can only be worked around |by further telling the client in advance that the specific root is trusted for the |specific connection. |- |List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sam Fakhreddine wrote:
On windows machines we get a prompt saying that "Windows Cannot Verify the server's identity". On iOS when you view the certificate it says: "Not Verified"
Then that is the source of the problem.
This is confusing because we use a global CA Root (Digicert) that *is* already installed on all devices.
I don't know. Much of SSL is magic to me. Much of how devices implement SSL is magic. Much of how CAs operate is magic. All I know is that I follow the scripts in raddb/certs/, and it works for me. Doing anything else means someone, somewhere, breaks EAP. i.e. someone *else* is breaking EAP. FreeRADIUS isn't picky. It just does what it's told to do.
Is the prompt normal even when using a Global CA Root that is installed on devices?
No. It means there's something wrong. Alan DeKok.
If I understand you're doing EAP-TLS on a wirelss AP, right? I haven't followed this thread carefully so perhaps I misunderstand what's going on, but how would a wireless client verify a certificate *before* it actually has a connection to the network where it *could* verify the certificate? Is there some mechanism for the AP to go out and pass back and forth certificate verification steps with a public CA prior to the client actually being accepted into the network? [I'm not aware of any way this could happen, but I'm certainly no guru here.] --- In our case: We use self signed certs from our own CA. We add the ca.crt to each client and "manage" the initial connection to the wireless network. As part of that process for W7 clients, we set the following two options: [among other things] These are under the SSID/Network properties in Windows. -- Under trusted root certification authorities, make sure that ONLY the correct radius server is checked and all others are UNCHECKED. Finally: Do not prompt user to authorize new servers or trusted certification: CHECKED --- This should mean that the wireless client should only try to negotiate with the already trusted Radius server using the already accepted CA signed certificates. If a "rogue" AP comes up with a previously unknown CA signed certificate [even an otherwise "trusted one], the Wireless client will NOT prompt to accept this new unknown connection and will silently fail. [Which is the proper order of things, IMO] You only want the wireless client to negotiate with certificates signed by a SINGLE *PRESELECTED* CA - not just any CA you happen to trust [unless you have total control over all signing for that CA.] Because if that CA can/will sign certificates for others, then your wireless client will accept their certs too. [Again, that's at least how I understand it - which might be wrong.] So, IMO, using one of the trusted CA's is really not a requirement for good security. Self CA signed certificates do just fine in this closed environment. Perhaps that's not helpful [I don't think it strictly addresses your underlying question] but that's the way we do it ... and from all I can tell, it's as or more secure than using a publicly trusted CA to sign your certificates. [I also have CRL's working properly, though I haven't gotten around to adding it to the Wiki - if that's something you need, I'd be glad to slap up the text I have so you can review it. It's been tested and works properly in our environment.] HTH -Greg SF> On windows machines we get a prompt saying that "Windows Cannot Verify the server's identity". SF> On iOS when you view the certificate it says: "Not Verified" SF> This is confusing because we use a global CA Root (Digicert) that SF> *is* already installed on all devices. SF> Is the prompt normal even when using a Global CA Root that is installed on devices? SF> Sam Fakhreddine SF> p 780-395-5455 SF> |-----Original Message----- SF> |From: SF> freeradius-users-bounces+sam.fakhreddine=ledcor.com@lists.freeradius.org SF> |[mailto:freeradius-users- SF> |bounces+sam.fakhreddine=ledcor.com@lists.freeradius.org] On Behalf Of Phil SF> |Mayers SF> |Sent: Friday, April 04, 2014 1:38 AM SF> |To: freeradius-users@lists.freeradius.org SF> |Subject: Re: Trusted CA, Signed Certs and Verification SF> | SF> |On 03/04/14 23:59, Sam Fakhreddine wrote: |>> Hello, |>> |>> I have been trying to use a Trusted CA to sign our freeradius server. |>> |>> The certificates are installed, the key, cert, the root chain all in |>> their appropriate PEM files. |>> |>> The devices try to get the certificate that we specify; However, |>> whenever we try to connect with an iOS device or Windows we get an |>> error saying that the identity cannot be verified.et SF> | SF> |Do you get an error, or a prompt to trust the root for that connection? SF> | SF> |If you get an error, you've done something wrong. Either not installed the root at the SF> |client correctly, or not served the server and all intermediate certs from SF> |FreeRADIUS. I guess it's also possible the server cert is not valid wireless i.e. lacks SF> |the magic OIDs. See here: SF> | SF> |http://wiki.freeradius.org/config/Certificates SF> | SF> |If you get a prompt to trust the root, that's normal and can only be worked around SF> |by further telling the client in advance that the specific root is trusted for the SF> |specific connection. SF> |- SF> |List info/subscribe/unsubscribe? See SF> http://www.freeradius.org/list/users.html SF> - SF> List info/subscribe/unsubscribe? See SF> http://www.freeradius.org/list/users.html -- Gregory Sloop, Principal: Sloop Network & Computer Consulting Voice: 503.251.0452 x82 EMail: gregs@sloop.net http://www.sloop.net ---
Hi,
On windows machines we get a prompt saying that "Windows Cannot Verify the server's identity". On iOS when you view the certificate it says: "Not Verified"
This is confusing because we use a global CA Root (Digicert) that *is* already installed on all devices.
okay..so you have the root on the device. but how is the RADIUS cert signed? is it signed directly by the root ....usually there are intermediate certificate involved... if so, the client probably wont have the intermediates installed....so there is a big gap between the RADIUS cert and the root..... how to fix? you need to ensure that the RADIUS server hands out not only ITS cert, but also the intermediates... so just concatenate the intermediates and the RADIUS cert into one single file and send that out (configure that in the eap.conf file) instead. the client will receive the intermediates..which it can link against the known/trusted CA...and the RADIUS cert which is can link to the intermediates. all good. alan
how to fix? you need to ensure that the RADIUS server hands out not only ITS cert, but also the intermediates... so just concatenate the intermediates and the RADIUS cert into one single file a send that out (configure that in the eap.conf file) instead. the client will receive the intermediates..which it can link against the known/trusted CA...and the RADIUS cert which is can link to the intermediates.
Thank you for your reply Alan, I have concatenated all the files together in every possible configuration I can think of. Currently what I have is: private_key_file = ${certdir}/lcajra1.key certificate_file = ${certdir}/server.int.root.pem Inside of that Certificate file is: the server certificate, the intermediate certificate and the Trusted root, all that I got from Digicert. When I run radius -X everything works normally and the config file loads those files, and yet I still get "server identity cannot be verified" even though the entire chain is available there. I can verify with openssl verify that my certificate and my chain are OK [root@lcajra1 certs]# openssl verify -CAfile server.int.root.pem -verbose lcajra1_ledcor_net.crt lcajra1_ledcor_net.crt: OK [root@lcajra1 certs]# openssl verify -CAfile server.int.root.pem -verbose server.int.root.pem server.int.root.pem: OK
Sam Fakhreddine wrote:
When I run radius -X everything works normally and the config file loads those files, and yet I still get "server identity cannot be verified" even though the entire chain is available there.
I can verify with openssl verify that my certificate and my chain are OK
Then the device is broken. See if there's any debugging *it* has which can help. Also, try using eapol_test, as suggested on my web site: http://deployingradius.com If eapol_test works, then you KNOW the device is broken. The eapol_test program is just about perfect. It will either work, or will give useful error messages. Alan DeKok.
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Gregory Sloop -
Phil Mayers -
Sam Fakhreddine