certificates for TLS Tunnel (peap mschap v2 authentication)

Reimer Karlsen-Masur, DFN-CERT karlsen-masur at dfn-cert.de
Wed Jul 18 09:57:44 CEST 2007


Hi,

julien blanc wrote:
> hi !
> 
> I'd like to set up an authentication system (for wireless clients) based
> on freeradius.
> 
> I'm using a DC windows 2003 with Active Directory to manage my users and
> groups... I know ... it's baaaad :-) but I don't have the choice!
> 
> I have built a linux server (fedora core 5), with freeradius, a kerberos
> client, samba and winbind to reach my domain. No problems so far.
> 
> I'd like to authenticate my supplicants with PEAP-MSCHAP v2 and so I
> must set up a PKI for the TLS tunnel.

well, you need a server certificate for your FreeRADIUS server.

> My problem is here. I don't know how to use certificates in the
> freeradius directory:

This is some root-CA certificate and its secret key:
> root.pem, root.p12, root.der

This is a client cert signed by above root-CA certificate and its secret
key (you only need this when doing EAP-TLS):
> cert-clt.pem, cert-clt.p12, cert-clt.der

This is a server cert signed by above root-CA certificate and its secret
key (you can use this cert as server certificate of FreeRADIUS):
> cert-srv.pem, cert-srv.p12, cert-srv.der

The slides on
<http://www.dfn.de/content/fileadmin/1Dienstleistungen/Roaming/DFNRoaming-Workshop-20070426-Handout.pdf>
page 20ff might help. Google's language tools might be some help :-/

> any advice ... suggestions or anything else ???

As for the passwords of the .p12 files or secret keys: you set them yourself
if you did not leave them empty....

On the Windows supplicants you can import the root.pem file. *Check* that
this file *does not* contain the private key. It's in ASCII format, so you
can look into the file and will see, if it's just the cert or if there is an
additional key in the file. If the latter is the case make a copy of that
file and remove the key part. Rename the file to .cer or .crt and import the
result into Windows supplicants by double clicking or MMC's certificate snap-in.

Client certificates are *not* needed for PEAP ms-chapv2.

HTH
-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
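The check described in the reply above (does root.pem carry a private key next to the CA certificate, and if so, write out a certificate-only copy for the supplicants), as an added example that is not part of the original thread. The PEM contents below are constructed placeholders, not a real certificate or key.

```python
import re
import sys

# One PEM block: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

# Constructed sample of a root.pem that (wrongly, for distribution) still
# contains the CA's secret key. The base64 bodies are placeholders only.
SAMPLE_ROOT_PEM = """\
-----BEGIN CERTIFICATE-----
MIIBplaceholderCAcertificateBody==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEplaceholderPrivateKeyBody==
-----END RSA PRIVATE KEY-----
"""


def pem_labels(text):
    """Labels of all PEM blocks in the file, in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def contains_private_key(text):
    """True if any block is a private key (RSA, EC, PKCS#8 'PRIVATE KEY', ...)."""
    return any("PRIVATE KEY" in label for label in pem_labels(text))


def certificates_only(text):
    """Return a PEM string holding only the CERTIFICATE blocks, keys dropped."""
    return "".join(m.group(0) + "\n" for m in PEM_BLOCK.finditer(text)
                   if m.group(1) == "CERTIFICATE")


def write_supplicant_copy(src_path, dst_path):
    """Write a key-free copy (e.g. root.crt) suitable for importing into Windows."""
    with open(src_path) as f:
        text = f.read()
    with open(dst_path, "w") as f:
        f.write(certificates_only(text))
    return contains_private_key(text)  # True means the source had a key to strip


if __name__ == "__main__":
    # Usage: python check_root_pem.py root.pem root.crt
    if write_supplicant_copy(sys.argv[1], sys.argv[2]):
        print("private key found in source; it was NOT copied to", sys.argv[2])
```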