Does FreeRADIUS support PEAPv0/EAP-TLS?
Jason Wittlin-Cohen
jwittlincohen at gmail.com
Tue Dec 9 01:00:06 CET 2008
I'm attempting to set up PEAPv0/EAP-TLS, which uses EAP-TLS as the inner
authentication method within PEAP. Unlike EAP-TLS, PEAPv0/EAP-TLS sends the
client certificate within the secure SSL tunnel, thus protecting the user's
identity. While RFC 5216 suggests that EAP-TLS can optionally support a
privacy mode in which the client certificate is pushed through the SSL
tunnel, I've not found any way to enable this option. I have no particular
interest in using PEAPv0/EAP-TLS other than the fact that I know it does
what I want to accomplish. I would be perfectly happy to use EAP-TLS in
privacy mode, or PEAPv0/MSCHAPv2 with a required client certificate.
However, both these modes pass the client certificate in the clear.
Here's what my testing has shown:

- EAP-TLS: works with both the Windows XP supplicant and Juniper Odyssey
  Access Client 4.8
- PEAPv0/EAP-MSCHAPv2: works with both the Windows XP supplicant and Juniper
  Odyssey Access Client 4.8
- PEAPv0/EAP-MSCHAPv2 + required client certificate: works with Juniper
  Odyssey Access Client 4.8 (the XP supplicant doesn't support MSCHAPv2 +
  certificate)
- PEAPv0/EAP-TLS: fails on both supplicants
I don't think my TLS settings are improper, as both EAP-TLS and
PEAPv0/MS-CHAPv2 + client certificate work fine. The debug logs show the
client certificate being verified properly.
I've tried pretty much every combination of PEAP options, and after each
permutation I forced a reauthentication so that I could analyze the packets
in Wireshark. No combination of settings forced the client certificate
through the SSL tunnel. I thought "use_tunneled_reply = yes" might
help, but it did not.
I have pasted the relevant configuration settings below as well as a full
log of the failure when I attempt to use PEAPv0/EAP-TLS.
The relevant settings: other than default_eap_type = "tls", my settings are
identical to those for PEAPv0/EAP-MSCHAPv2, which works fine.
The failure log seems to suggest that "tls" is not a supported
authentication mode within PEAP.
[files] users: Matched entry DEFAULT at line 200
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown
EAP-request
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [Jason Wittlin-Cohen] (from client Wireless port 0 via TLS
tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
[peap] Got tunneled reply RADIUS code 3
[peap] Tunneled authentication was rejected.
[peap] FAILURE
PEAPv0/EAP-TLS failure log: http://pastebin.com/m900e269
PEAPv0/MSCHAPv2 success log: http://pastebin.com/m16114697
PEAPv0/MSCHAPv2 + cert success log: http://pastebin.com/m429d9c12
EAP-TLS success log: http://pastebin.com/m2b1c62f4
Relevant Settings:
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 3072
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server_key.pem"
certificate_file = "/etc/freeradius/certs/server_cert.pem"
CA_file = "/etc/freeradius/certs/cacert.pem"
dh_file = "/etc/freeradius/certs/dh3072.pem"
random_file = "/etc/freeradius/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "HIGH"
make_cert_command = "/etc/freeradius/certs/bootstrap"
cache {
enable = no
peap {
default_eap_type = "tls"
copy_request_to_tunnel = no
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = no
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
modules mschap:
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = no
}
Users:
"DEFAULT" Cleartext-Password := "**************************************",
EAP-TLS-Require-Client-Cert := Yes
Note: (*'s represent a 32 character randomly generated password)
Thanks in advance,
Jason
--
Jason Wittlin-Cohen
Yale Law School, Class of 2010
jason.wittlin-cohen at yale.edu
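As an added triage aid (not part of the post and not FreeRADIUS project code), the Python below walks a `radiusd -X` inner-tunnel excerpt like the one quoted above, records each module's return code, picks out the first module that failed, collects the `[eap]`/`rlm_eap` messages and decodes the tunneled RADIUS reply code that PEAP reports. The sample log is the post's own excerpt with the list-archive bold markers and line wraps removed; the `Triage` class, the function names and the set of "failing" return codes are this example's own assumptions.

```python
"""Triage helper for FreeRADIUS `radiusd -X` debug output (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the inner-tunnel excerpt quoted in the post above.
SAMPLE_LOG = """\
[files] users: Matched entry DEFAULT at line 200
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [Jason Wittlin-Cohen] (from client Wireless port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
[peap] Got tunneled reply RADIUS code 3
[peap] Tunneled authentication was rejected.
[peap] FAILURE
"""

# Module return codes treated as a failure of that module (assumption of this example).
FAILING_RCS = {"fail", "reject", "invalid", "notfound", "userlock", "disallow"}
# RADIUS packet codes (RFC 2865) as they appear in "Got tunneled reply code N".
RADIUS_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

MODULE_RC = re.compile(r"^\++\[(?P<module>[\w-]+)\] returns (?P<rc>\w+)$")
AUTH_TYPE = re.compile(r"^Found Auth-Type = (?P<type>\S+)$")
EAP_MSG = re.compile(r"^(?:\[eap\]|rlm_eap:) (?P<msg>.+)$")
TUNNEL_RC = re.compile(r"^\[peap\] Got tunneled reply code (?P<code>\d+)$")
NO_SESSION = "No EAP session matching the State variable."


@dataclass
class Triage:
    auth_type: Optional[str] = None
    module_results: List[Tuple[str, str]] = field(default_factory=list)
    first_failure: Optional[Tuple[str, str]] = None
    eap_messages: List[str] = field(default_factory=list)
    tunneled_reply: Optional[str] = None
    rejected: bool = False


def triage(log: str) -> Triage:
    """Extract the per-module outcome and the tunneled reply from a debug excerpt."""
    t = Triage()
    for raw in log.splitlines():
        line = raw.strip()
        m = MODULE_RC.match(line)
        if m:
            t.module_results.append((m["module"], m["rc"]))
            if t.first_failure is None and m["rc"] in FAILING_RCS:
                t.first_failure = (m["module"], m["rc"])
            continue
        m = AUTH_TYPE.match(line)
        if m:
            t.auth_type = m["type"]
            continue
        m = EAP_MSG.match(line)
        if m:
            t.eap_messages.append(m["msg"])
            continue
        m = TUNNEL_RC.match(line)
        if m:
            code = int(m["code"])
            t.tunneled_reply = RADIUS_CODES.get(code, f"code {code}")
            continue
        if line == "[peap] Tunneled authentication was rejected.":
            t.rejected = True
    return t


def summarize(t: Triage) -> List[str]:
    """Human-readable lines: where the inner-tunnel authentication went wrong."""
    out = [f"inner Auth-Type: {t.auth_type}"]
    out += [f"  [{mod}] -> {rc}" for mod, rc in t.module_results]
    if t.first_failure:
        out.append(f"first failing module: {t.first_failure[0]} ({t.first_failure[1]})")
    if NO_SESSION in t.eap_messages:
        # The inner eap module received a tunneled EAP-Response it had no
        # session for, i.e. the inner EAP method was never started.
        out.append("inner eap module had no session for the tunneled EAP-Response")
    if t.tunneled_reply:
        out.append(f"tunneled reply: {t.tunneled_reply}"
                   + (" (PEAP rejected the authentication)" if t.rejected else ""))
    return out


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG))))
```

Run it against a pasted `radiusd -X` capture; for the failing PEAPv0/EAP-TLS attempt it reports that every module before `eap` returned `ok` or `noop`, that `eap` is the first module to return `invalid`, and that the inner tunnel answered with an Access-Reject, which is what the outer `[peap]` lines then relay.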