disable FreeRadius checking of client certs

devel devel at oberonwireless.com
Tue Oct 10 19:22:53 CEST 2006

    Thanks guys for your post. First off, I have tried using the WinXP 
supplicant and I have no problems authenticating with the Linksys wifi 
cards. I just wish the Linksys utility was like Cisco where I can tell it do 
provide either/or username/cert. The Cisco cards have no problem with this 
as where using the Linksys with its utility does not provide me with what I 
want. No big deal.

    Using the Linksys client utitliy, a username, password, and certificate 
must be provided (the certificate is a combo box so I can't even leave it 
blank). I have always preferred to use the utility that came with wifi cards 
for configuration. They typically provide more information and are more user 
friendly than the Windows supplicant.

    This problem does pertain to the Linksys software more than FreeRadius. 
I was just hoping there was a way in the FreeRadius config files to help 
solve the problem


----- Original Message ----- 
From: "Artur Hecker" <artur at wave-storm.com>
To: "devel" <devel at oberonwireless.com>; "FreeRadius users mailing list" 
<freeradius-users at lists.freeradius.org>
Sent: Tuesday, October 10, 2006 12:42 PM
Subject: Re: disable FreeRadius checking of client certs

> Hi Travis
> Excuse me for top-posting, but just as Alan I'm a bit surprised by  your 
> post.
> If your authentication system is based on certificates, you need 
> certificates and you really should not say anything like  "certificates 
> bother me" since that is the only expression of your  trust, so without 
> that verification no authentication will ever be  reasonable or complete.
> If it is not, you do not have certificates. Allowing both for the  same 
> client (same machine) is discouraged. Personally I am not  familar with a 
> supplicant which tries one and then another for the  same username.
> Thus, per user if you are using EAP-PEAP-MSCHAPv2 (passwords), then  you 
> are not using EAP-TLS. And vice versa.
> The good news is: the authentication method has strictly nothing to  do 
> with the WiFi card; it is completely virtualized, in software. EAP  is 
> only a transporter protocol, it does not say how to authenticate,  it only 
> says how to transport data. Thus, if EAP is supported by the  card, then 
> *every* EAP method is supported. That's magic about 802.1X  and that's why 
> it's supported in the operating system rather than  being supported by a 
> network card.
> Now if you are saying that you use a special Linksys 802.1X client,  then 
> I would first suggest that you use the standard WinXP client.  Sorry, but 
> the Linksys client is fairly unknown.
> Practically, it's difficult to guess from what you provided, but I  think 
> that you do use the WinXP supplicant (i.e. 802.1X client - I do  not know 
> of any linksys supplicant) and that you probably want to use 
> EAP-PEAP-MSCHAPv2. That involves one server certificate (obviously  one 
> common trust anker - a self signed CA certificate) and some 
> username/passwords on clients. What probably happened is that in the  two 
> cases where the Linksys card is used, you did not correctly  configure 
> EAP-PEAP (called "Protected EAP" in WinXP or similar), but  you let it be 
> "Smartcard or Certificate". Thus, the card tries to do  TLS with some 
> available pub/priv key combination, but Freeradius  rejects it.
> Reconfigure the WinXP supplicant to do EAP-PEAP and it will ask you  for 
> passwords. Do not forget to deploy the server certificate on user 
> machines...
>>    Well, I have not issued certs to clients. Some of my clients  have the 
>> option to log in with a username "OR" a cert. However,  there are a few 
>> random Linksys cards (I guess I should have  mentioned this was for 
>> Wifi/WPA) that I "MUST" provide a username  and a cert.
> Strictly speaking, every EAP session will take a Username and the AAA 
> server will derive from it the authentication method to use. When  used in 
> EAP-TLS, Windows XP typically fills it out with the CN from  the 
> certificate (if available) but that is of course insufficient and  it 
> would be more correct to give an identifier and then to start a  TLS 
> authentication session for that id. (How exactly the username  compares to 
> the certified information is an open question, since the  username can be 
> altered by different means).
>> If there are no certs on the client machine, Linksys fills the cert  in 
>> with "Trust Any", so I assume it may be attempting with a blank?  cert or 
>> another cert on the machine, such as VeriSign or the  like.So this client 
>> is attempting to authenticate, I believe, with  other certs on its 
>> machine because the radius log looks like below:
> hmmm??? you can't just use any certificate for authentication. What  you 
> need is a pair: certificate/private key. Nobody except Verisign  has their 
> private key.
> The only option for your Linksys 802.1X client would be to  spontaneously 
> create a CA and to issue one user certificate for EAP  authentication 
> signed by the latter. That can be done by XP, but  there is no interest in 
> doing so.
> I would suggest you deploy passwords on these machines and configure  EAP 
> regards
> artur
>>    Tue Oct 10 11:16:16 2006 : Error:     TLS_accept:error in SSLv3  read 
>> client certificate A
>>    Tue Oct 10 11:16:16 2006 : Error: rlm_eap: SSL error error: 
>> 00000000:lib(0):func(0):reason(0)
>>    Tue Oct 10 11:16:16 2006 : Error: TLS Alert read:fatal:unknown CA
>>    Tue Oct 10 11:16:16 2006 : Error:     TLS_accept:failed in SSLv3  read 
>> client certificate A
>>    Tue Oct 10 11:16:16 2006 : Error: rlm_eap: SSL error error: 
>> 14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>>    Tue Oct 10 11:16:16 2006 : Error: rlm_eap_tls: SSL_read failed  inside 
>> of TLS (-1), TLS session fails.
>>    Tue Oct 10 11:16:16 2006 : Error: rlm_eap: SSL error error: 
>> 140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
>>    Tue Oct 10 11:16:16 2006 : Error: rlm_eap_tls: BIO_read failed  in a 
>> system call (-1), TLS session fails.
>>    I am not a FreeRadius expert so I may be misinterpreting the  logs. 
>> Thanks.
>> Travis
>> ----- Original Message ----- From: "Alan DeKok" 
>> <aland at deployingradius.com>
>> To: "devel" <devel at oberonwireless.com>; "FreeRadius users mailing  list" 
>> <freeradius-users at lists.freeradius.org>
>> Sent: Tuesday, October 10, 2006 10:27 AM
>> Subject: Re: disable FreeRadius checking of client certs
>>> "devel" <devel at oberonwireless.com> wrote:
>>>> Is it possible to disable FreeRadius's checking of client  certificates
>>>> using EAP-TLS-PEAP? Certs can be quick a bother and a huge  maintenance
>>>> over-head. Thanks.
>>>  Huh?  Client certs are used for PEAP only when you deploy client
>>> certs to the end-user machines.  Once they're deployed, they should
>>> really be checked.
>>>  Perhasp you can explain why you've deployed client certs, but now
>>> don't want to use them.
>>>  Alan DeKok.
>>> --
>>>  http://deployingradius.com       - The web site of the book
>>>  http://deployingradius.com/blog/ - The blog
>> - List info/subscribe/unsubscribe? See http://www.freeradius.org/ 
>> list/users.html

More information about the Freeradius-Users mailing list