TLS configuration

Matthew Newton mcn4 at leicester.ac.uk
Thu Feb 9 16:26:23 CET 2012


Hi,

On Wed, Feb 08, 2012 at 09:18:55AM +0100, Alan DeKok wrote:
> Matthew Newton wrote:
> > The fact is that you have to configure EAP-TLS so that you can use
> > the PEAP/TTLS, even if you don't want to actually use the EAP-TLS
> > type itself.
> 
>   Yes.  The saving grace there is you don't normally issue client certs.
>  So EAP-TLS won't work when people try to use it.

In our case, when we started out, we used the local CA to create a
certificate for FreeRADIUS, but then also put the local CA root as
CA_file (that's what you do, right? Put in the certificate and the
root...)

...then realised that any client could authenticate just by
switching to EAP-TLS and presenting another certificate from the
same CA, which was the CA for the domain, with auto-enrolment
about to be used :-)

I guess it comes from configuring Apache for so long, where you
tend to put the CA root and all intermediates on the server, even
though technically you probably don't need the root cert itself.

>   In git "master" branch, the code has changed.  All of the SSL cert
> stuff is now in src/main/tls.c.  So it *should* be possible to more
> cleanly separate the configurations.

OK.

> 
> > Just trying to explore if there is any way the config can be
> > updated/simplified to remove that initial confusion!
> 
>   My take is the following:

Thanks, that's useful. I'll try and have a look and see if I can
come up with anything.

>   The end result will be the TLS configuration will be anywhere you
> want.  The EAP tls, ttls, and peap code will just have an entry "tls ="
> to point to the TLS configuration.

If the tls config HAS to be called common_tls, inside the eap
module, then there's no need for the "tls=" entry any more - which
could be another way of doing it, albeit slightly less flexible.

>   The HARD thing about this is now the TLS configuration will be loaded
> multiple times.  Once each for EAP-TLS, TTLS, and PEAP.  Finding a way
> to avoid that would be good.

Agreed.

Thanks,

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
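The misconfiguration Matthew describes, as an added illustration that is not from the thread or from the FreeRADIUS project: a 2.x-style eap.conf tls section where CA_file names the domain CA that also auto-enrols every machine and user, beside the same section pointed at a CA used only for RADIUS. File names, the ${certdir}/${cadir} layout and the issuer DN are hypothetical.

```conf
# WEAK: CA_file is the domain root CA. Every auto-enrolled certificate
# chains to it, so a supplicant that simply switches to EAP-TLS and
# presents its machine or user certificate is accepted, even though
# the tls section only exists so that PEAP can work.
eap {
    default_eap_type = peap
    tls {
        certdir = ${confdir}/certs
        cadir   = ${confdir}/certs
        # server certificate issued by the domain CA
        certificate_file = ${certdir}/radius-server.pem
        private_key_file = ${certdir}/radius-server.key
        # trusts every certificate the domain CA has ever issued
        CA_file = ${cadir}/domain-root-ca.pem
    }
    peap {
        default_eap_type = mschapv2
    }
}

# SAFER: the server certificate comes from a CA that issues nothing but
# RADIUS certificates, and CA_file holds only that CA, so certificates
# from the auto-enrolment CA no longer validate. check_cert_issuer also
# rejects any client certificate whose immediate issuer DN differs from
# the expected one, which matters when CA_file must contain a root plus
# several intermediates.
eap {
    default_eap_type = peap
    tls {
        certdir = ${confdir}/certs
        cadir   = ${confdir}/certs
        certificate_file = ${certdir}/radius-server.pem
        private_key_file = ${certdir}/radius-server.key
        # only this CA's certificates chain successfully
        CA_file = ${cadir}/radius-only-ca.pem
        check_cert_issuer = "/C=GB/O=Example Org/CN=RADIUS Client CA"
    }
    peap {
        default_eap_type = mschapv2
    }
}
```

A quick way to confirm the weak case is to run openssl verify with the configured CA_file against an ordinary auto-enrolled user certificate: if it verifies, so would an EAP-TLS login with it.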


