cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

Sergio sergioyebenes at alumnos.upm.es
Fri Jul 25 18:24:22 CEST 2008


Reveal MAP wrote:
> > But I think this problem does not affect PEAP because PEAP does not use
> > client certs; you only need to install ca.der into the client machine and
> > put in the passwords
>
> i refer to that:
>
> > so my question is, if the certificate (with server extension) is
> > missing on the client, could it interfere with EAP-PEAP authentication
> > success?
>
> yes.
>
> you need a RADIUS cert with the extensions...and if doing proper
> PEAP, you need the CA installed on the client too  - with 'validate
> server certificate' checked and cross-linked (ie you choose
> the correct CA in the list!)
>
> alan
>
> Really?? It seems to affect PEAP too when freeradius authenticates
> against Active Directory.
>
> If I understood well, PEAP authentication needs, on the client side, a login +
> password and, on the server side, a certificate in order for the authentication
> process to succeed!
> So, which certificate do I have to install on the client side?
> - I did try ca.der with no success! After an Access-Challenge,
> the request simply stops.
> - I am trying server.crt too, with no more success. I install it in the
> intermediate authority container, but it won't be available in the
> list of the wireless manager of XP.
> If you have a suggestion, I am open!
>
>
>
> ----- Original message ----
> From: Sergio <sergioyebenes at alumnos.upm.es>
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Sent: Friday, 25 July 2008, 13:20:54
> Subject: Re: Re : cert bootstrap bug? (was Re: definitively, I have a
> problem with eap-tls)
>
> Reveal MAP wrote:
> > HOW TO FIX THE PROBLEM OF THE ISSUER of client certificates in the
> > default configuration?
> >
> > - this bug is suspected to be why I can't do EAP-PEAP, and it affects CRL
> > management too. It's a real problem
> >
> >
> >
> > ----- Original message ----
> > From: Alan DeKok <aland at deployingradius.com
> > <mailto:aland at deployingradius.com>>
> > To: FreeRadius users mailing list
> > <freeradius-users at lists.freeradius.org
> > <mailto:freeradius-users at lists.freeradius.org>>
> > Sent: Thursday, 24 July 2008, 19:54:32
> > Subject: Re: cert bootstrap bug? (was Re: definitively, I have a
> > problem with eap-tls)
> >
> > Sergio wrote:
> > > But the debug I posted shows that radius doesn't recognize the
> > > issuer of the client cert using the default certs. If the default certs
> > > work and I don't need to install server.pem and ca.pem into the
> > > ssl/certs dir, what am I forgetting, Alan?
> >
> >  You need to follow the documentation in eap.conf.
> >
> >            #  If CA_file (below) is not used, then the
> >            #  certificate_file below MUST include not
> >            #  only the server certificate, but ALSO all
> >            #  of the CA certificates used to sign the
> >            #  server certificate.
> >            certificate_file = ${certdir}/server.pem
> >
> >  Have you done that?
> >
> >  Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> > ------------------------------------------------------------------------
> > Sent with Yahoo! Mail
> > <http://us.rd.yahoo.com/mailuk/taglines/isp/control/*http://us.rd.yahoo.com/evt=52423/*http://fr.docs.yahoo.com/mail/overview/index.html>.
> > A smarter mailbox.
> >
> But I think this problem does not affect PEAP because PEAP does not use
> client certs; you only need to install ca.der into the client machine and
> put in the passwords
>
Then, you're trying to tell me the following:

Installing ca.der and putting user && pass into the client machine, the
authentication doesn't work?
You only need ca.der, but if you have an Active Directory like LDAP,
check if your communication with the AD server also has TLS authentication.
In the ldap module you can configure another tls block, which is
different from the tls block in the eap module.
I don't know if it is your problem, but I suppose that the communication
between the LDAP server and radius can use different certificates, from
different CAs than the EAP communication. If that is your problem, I would
check it. It would also be good if you posted the debug output of radius to
see which certificate it can't validate.

Hasta luego :)
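As an added example, not code from this thread or from FreeRADIUS, the following POSIX shell script builds a throwaway lab CA, a second unrelated CA standing in for the one the LDAP/AD side might use, and a RADIUS server certificate, then runs the checks this thread turns on: whether the certificate_file bundle carries the CA chain that eap.conf requires when CA_file is not set, whether the server cert carries the TLS Web Server Authentication extended key usage (the "server extension") that the XP supplicant expects for PEAP, and which CA the server cert actually chains to. Every file name, subject and path is constructed for the example; it only needs the openssl command line tool.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeRADIUS. It builds a
# scratch CA, a second unrelated CA standing in for the LDAP server's CA, and
# a RADIUS server certificate, then checks:
#   1. that the certificate_file bundle carries the CA chain as well as the
#      server cert (required by eap.conf when CA_file is not set);
#   2. that the server cert carries the TLS Web Server Authentication EKU
#      (the "server extension") that the XP supplicant expects for PEAP;
#   3. which CA the server cert actually chains to.
# Every name, subject and path below is constructed for the example.
set -e

WORK="$(mktemp -d)"                 # scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT

# one openssl config carrying the extension sections we need (constructed)
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ v3_client_only ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# self-signed CA: $1 = subject CN, $2 = output basename
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -config "$WORK/req.cnf" -extensions v3_ca \
        -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}
make_ca "Lab EAP CA"  ca          # the CA that signs the RADIUS server cert
make_ca "Lab LDAP CA" ldap-ca     # an unrelated CA, as the LDAP side might use

# one RADIUS server key/CSR, signed twice with different extension sections
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=radius.lab.example" \
    -config "$WORK/req.cnf" -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" 2>/dev/null

sign_csr() {   # $1 = csr, $2 = extension section, $3 = output cert
    openssl x509 -req -in "$1" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/req.cnf" -extensions "$2" \
        -out "$3" 2>/dev/null
}
sign_csr "$WORK/server.csr" v3_server      "$WORK/server.crt"
sign_csr "$WORK/server.csr" v3_client_only "$WORK/server-noeku.crt"

# the two shapes of certificate_file: what eap.conf asks for, and the usual mistake
cat "$WORK/server.crt" "$WORK/ca.pem" > "$WORK/server-chain.pem"
cp  "$WORK/server.crt" "$WORK/server-only.pem"

# number of certificates in a PEM bundle (eap.conf wants the server cert plus every CA)
pem_cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# succeeds if the first certificate in the file has the serverAuth EKU
has_server_auth_eku() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'TLS Web Server Authentication'; then
        return 0
    fi
    return 1
}

# succeeds if the leaf cert $1 chains to the CA in $2 (checks the ": OK" line
# rather than the exit code, which older openssl versions did not set)
chain_verifies() {
    if openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'; then
        return 0
    fi
    return 1
}

report() {
    for f in server-chain.pem server-only.pem; do
        printf '%-18s %s certificate(s)\n' "$f:" "$(pem_cert_count "$WORK/$f")"
    done
    for c in server.crt server-noeku.crt; do
        if has_server_auth_eku "$WORK/$c"; then
            echo "$c: serverAuth EKU present"
        else
            echo "$c: serverAuth EKU MISSING, a supplicant validating the server will reject it"
        fi
        for ca in ca.pem ldap-ca.pem; do
            if chain_verifies "$WORK/$c" "$WORK/$ca"; then
                echo "  chains to $ca"
            else
                echo "  does NOT chain to $ca"
            fi
        done
    done
}
report
```

The report shows server-only.pem with a single certificate, which is the shape that leaves the issuer unknown when CA_file is unset, and shows that the same key signed under the clientAuth-only section lacks the EKU Windows checks. Running chain_verifies against ca.pem and ldap-ca.pem is the quick way to tell whether a cert that fails in one tls block (eap or ldap) was simply issued by the other block's CA.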


