Problems using EAP-TLS with freeradius version 2

Stefan Puch s.puch at web.de
Fri Feb 8 09:55:47 CET 2008


@Arran Cudbard-Bell
> / Is the prefix and suffix to the regular expression string. Any
> characters after the / suffix are used as modifiers. FreeRadius only
> supports the i modifier to make matches case insensitive.
> 
> \\\\ resolves to a literal back-slash. Regular expressions use the \ char as
> an escape char so it needs to be escaped with itself. FR also uses \ as an
> escape char so it has to be escaped with itself too. Hence the \\\\\ -> \\
> -> \
> 
> This regular expression was written to stop *stupid* *stupid* *stupid* 
> students from breaking authentication by entering something in the domain
> field. They kept entering sussex.ac.uk and user at sussex.ac.uk in the User Box
> in the windows supplicant, which resulted in. ... The regexp parses these as:
> 
> "%{1}" = user "%{2}" = domain
> 
> or
> 
> "%{1}" = user "%{2}" =
Thanks again for the detailed comment, it saved me a lot of time and I will try
to get more familiar with that kind of regular expressions. I will take your
first solution; the domain was only excluded to see that the test certificates
work, which could be generated with the Makefile provided in the FreeRadius source.

>> Now that the test certificates are working (on Win XP AND Windows Mobile)
>> I will have to investigate again in my old certificates, because mine are
>> only working with the Windows XP supplicant and wpa_supplicant using Linux. The
>> Windows Mobile supplicant cannot use them correctly although the
>> certificates are the same ones. Very strange!
Yesterday evening I found the solution why my certificates don't work with
the Windows Mobile supplicant although the Windows XP supplicant does:
I'm using TinyCA to create and manage my certificates. By default the
certificates are generated with a key length of 4096 using RSA encryption and
SHA-1 as signature algorithm. When I took a look into the Makefile which
generates the test certificates in the freeradius source, a key length of only
2048 is used and MD5 as signature algorithm, so the devil must be in there
somewhere. And indeed, it doesn't matter which algorithm you are using for
signing (MD5 or SHA-1), but the key length seems to be very important for Windows
Mobile devices. All certificates I generated with a key length of 2048 are
working fine; all certificates with a key length of 4096 don't work on the
mobile device (although they work fine on a Windows XP system).

In short:
The built-in supplicant of the Windows Mobile devices (I tested one with Windows
Mobile 2003SE and one with Windows Mobile 6 Professional) doesn't like
certificates with a key length of 4096!!!

Thanks again for all the help I got here on the mailing list; in the next days/weeks
I'm going to write some HOWTO for mobile devices in order to give something back
to you :-)

@Alan DeKok
Wouldn't it be better to change the signing process in the provided Makefile so that
a client certificate is signed by the CA certificate instead of by the server
certificate? When using TinyCA every certificate is signed by the CA
certificate, too. I know both will work if you specify the correct CA cert in
eap.conf, but changing that point would make the process (in my opinion) more
consistent:
You have to install the CA certificate and the client certificate on the
client computer, so why should the client cert be signed by the server cert? When I
looked around on the web previously to find some good HOWTOs about setting up
Freeradius using EAP-TLS I always found it that way, that the CA cert signs all
other certs, and by the way, the HOWTO in the freeradius Wiki (EAPTLS.pdf)
explains it that way, too ;-)

Best regards

Stefan Puch
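The two practical points in the message above, a CA that signs both the server and the client certificate, and an RSA key length of at most 2048 bits for the Windows Mobile supplicant, can be checked with the OpenSSL command line. The script below is an added example written for this page; it is not the FreeRADIUS Makefile, not TinyCA output, and not code posted in the thread. It assumes the `openssl` CLI (1.1.1 or newer) is on PATH, writes its own minimal config so the certificate extensions do not depend on the distribution's openssl.cnf, uses made-up subject names, and signs with SHA-256 (the message reports that MD5 vs. SHA-1 made no difference, and current OpenSSL builds reject both in verified chains, so the digest is kept out of the picture). The 2048-bit threshold in `mobile_key_ok` is the empirical limit reported in the message, not a documented Windows Mobile rule.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeRADIUS: build a small PKI in
# which the CA signs both leaf certificates, then check key length, signature
# algorithm and issuer relationship of the resulting certificates.
set -eu

# Minimal OpenSSL config (constructed for this example). The [dn] section is
# required by openssl req but unused because every call passes -subj.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = unused-when-subj-is-given
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
EOF
}

# build_pki BITS DIR: self-signed CA plus server and client certificates, all
# with RSA keys of BITS bits, written to DIR. Both leaf certs are signed by
# the CA key (the layout the message argues for), never by the server key.
build_pki() {
    bits="$1"; dir="$2"
    mkdir -p "$dir"
    write_config "$dir/openssl.cnf"
    openssl req -x509 -config "$dir/openssl.cnf" -extensions v3_ca -sha256 \
        -newkey "rsa:$bits" -nodes -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -days 365 -subj "/CN=Example Test CA" 2>/dev/null
    for name in server client; do
        openssl req -new -config "$dir/openssl.cnf" -sha256 \
            -newkey "rsa:$bits" -nodes -keyout "$dir/$name.key" \
            -out "$dir/$name.csr" -subj "/CN=$name.example.test" 2>/dev/null
        openssl x509 -req -sha256 -in "$dir/$name.csr" \
            -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
            -extfile "$dir/openssl.cnf" -extensions "v3_$name" \
            -out "$dir/$name.pem" -days 365 2>/dev/null
    done
}

# cert_key_bits CERT: print the RSA modulus size of a PEM certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# cert_sig_alg CERT: print the signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: \(.*\)$/\1/p' | head -n 1
}

# cert_signed_by_ca CERT CA: succeed only if CERT's signature verifies
# against CA (a real chain check, not just an issuer-name comparison).
cert_signed_by_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# mobile_key_ok CERT: succeed if the key is 2048 bits or shorter, the limit
# the message reports for the Windows Mobile 2003SE / 6 supplicant.
mobile_key_ok() {
    bits="$(cert_key_bits "$1")"
    [ "$bits" -le 2048 ]
}

# Demonstration run: a 2048-bit PKI in a temporary directory.
DEMO="$(mktemp -d)"
build_pki 2048 "$DEMO"
echo "client cert: $(cert_key_bits "$DEMO/client.pem") bit key, $(cert_sig_alg "$DEMO/client.pem")"
if cert_signed_by_ca "$DEMO/client.pem" "$DEMO/ca.pem"; then
    echo "client cert verifies against ca.pem"
fi
if mobile_key_ok "$DEMO/client.pem"; then
    echo "key length within the reported Windows Mobile limit"
fi
```

To reproduce the failure case from the message, call `build_pki 4096 some_dir` and run `mobile_key_ok some_dir/client.pem`; it returns non-zero while the chain itself still verifies, which is exactly the situation the message describes (a cryptographically valid certificate the mobile supplicant nevertheless rejects). Installing ca.pem as the trusted CA on the client and pointing eap.conf at the same CA file on the server is then sufficient for both the server and client certificates, because neither depends on the other.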



More information about the Freeradius-Users mailing list