howto EAP-TLS on freeradius 2.0.2-3 ??
Joel MBA OYONE
mba_oyone at yahoo.fr
Sun May 18 18:30:42 CEST 2008
Ivan Kalik wrote:
> Please don't mess with configuration. Default one works. Your problem
> was with the user certificate.
> http://www.procurve.com/NR/rdonlyres/06538B80-6DB0-4AC6-893E-8E8E12A180C6/0/ConfiguringFreeRADIUSwithIDMbyExample_Dec_07_WW_Eng_Ltr.pdf
>
> On page 52 you have a picture of the Details tab list with Enhanced Key
> Usage field containing client OID. Does your client certificate have
> that field and that value?
Hi Ivan!
You can view screenshots of the certificate here:
- CA certificate that I imported on XP in DER format:
http://img357.imageshack.us/img357/2264/cacertificate1wj4.jpg
- Client certificate in p12 format:
http://img164.imageshack.us/img164/2894/certifclient1kf1.jpg
http://img164.imageshack.us/img164/7527/certifclient2rv3.jpg
Sorry for the delay, I was on a trip!
I am still blocked on "Identity validation" when I try to use EAP-TLS.
The attached files contain snapshots of my CA certificate (cacert.der) and my client
certificate (joel_certs.p12) plus the command lines applied to obtain
them.
Please let me know if they are correct, as I suppose them to be!
Here is my eap-tls configuration:
####################################################################
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/CA/other_keys/servradiuskey.pem"
certificate_file = "/etc/raddb/certs/CA/certs/serverradiuscert.pem"
CA_file = "/etc/raddb/certs/CA/cacert.pem"
private_key_password = "wireless"
dh_file = "/etc/raddb/certs/CA/dh"
random_file = "/etc/raddb/certs/CA/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
}
###############################################################
My scripts:
######################################################################
# Creating a new self-signed CA certificate
######################################################################
cakey.key cacert.pem:
openssl req -new -x509 -keyout cakey.pem -out cacert.pem -config ./ca.cnf
# DER format of the CA certificate, that I imported on Windows XP
ca.der: ca.pem (DER format)
openssl x509 -inform PEM -outform DER -in cac.pem -out ca.der
######################################################################
# Creating a certificate request for the server
######################################################################
openssl req -newkey rsa:1024 -keyout /etc/raddb/certs/CA/other_keys/servradiuskey.pem -out /etc/raddb/certs/CA/req/servradius_cert.req
######################################################################
# Signing the server certificate with the correct extension
######################################################################
openssl ca -out /etc/raddb/certs/CA/certs/serverradiuscert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/raddb/certs/CA/req/servradius_cert.req
######################################################################
# Creating a certificate request for the client
######################################################################
openssl req -new -nodes -keyout /etc/raddb/certs/CA/other_keys/joelkey.pem -out /etc/raddb/certs/CA/req/joel_cert.req
######################################################################
# Signing the client certificate with the correct extension
######################################################################
openssl ca -out /etc/raddb/certs/CA/certs/joel_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/raddb/certs/CA/req/joel_cert.req
######################################################################
# Converting the client certificate to a p12 file
######################################################################
openssl pkcs12 -export -in CA/certs/joel_cert.pem -inkey CA/other_keys/joelkey.pem -out /etc/raddb/certs/CA/certs/joel_certs.p12 -clcerts
######################################################################
** lemme know if i did something wrong creating my certificate please**
That is all i did.
Thank you
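Ivan's question above reduces to two checks on the client certificate: does its Enhanced Key Usage carry the client-authentication OID that the xpclient_ext section is meant to add, and does it chain to the CA that the RADIUS server trusts. The script below is an added example, not code from this thread or from the FreeRADIUS project. It builds a throwaway PKI with the openssl CLI (all file names, subjects and the xpext.cnf contents are constructed; its section names mirror the xpextensions layout used in the thread, with the standard clientAuth and serverAuth OIDs), signs one client certificate with the client EKU and one without, and runs both checks on each.

```shell
#!/bin/sh
# Added example (not from the original thread). Builds a test PKI, issues a
# client certificate with and without the Microsoft client EKU, and exposes:
#   eku_of CERT           -> prints the Extended Key Usage line (empty if absent)
#   has_client_eku CERT   -> 0 if the EKU contains clientAuth (1.3.6.1.5.5.7.3.2)
#   chain_ok CAFILE CERT  -> 0 if CERT verifies against CAFILE
# Requires the openssl CLI. Every path, subject and file name is constructed.

make_test_pki() {
  dir=$1
  # Constructed stand-in for /etc/ssl/xpextensions: same section names as in
  # the thread, with the standard clientAuth / serverAuth OIDs XP looks for.
  cat > "$dir/xpext.cnf" <<'EOF'
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
  # Two self-signed CAs: "ca" signs the clients; "other_ca" is unrelated and
  # only exists to show what a chain failure looks like.
  for ca in ca other_ca; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test $ca" \
      -keyout "$dir/$ca.key" -out "$dir/$ca.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/$ca.csr" -signkey "$dir/$ca.key" \
      -extfile "$dir/xpext.cnf" -extensions ca_ext -out "$dir/$ca.pem" 2>/dev/null
  done
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  # Same request signed twice: once WITH xpclient_ext ...
  openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/xpext.cnf" \
    -extensions xpclient_ext -out "$dir/client_ok.pem" 2>/dev/null
  # ... and once with no EKU at all, which is the case Ivan is asking about.
  openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client_noeku.pem" 2>/dev/null
}

# Text equivalent of the "Enhanced Key Usage" row on the XP Details tab:
# the line that follows the EKU header in `openssl x509 -text`, if any.
eku_of() {
  openssl x509 -in "$1" -noout -text |
    sed -n '/X509v3 Extended Key Usage/{n;p;}' | sed 's/^ *//'
}

# openssl renders OID 1.3.6.1.5.5.7.3.2 as "TLS Web Client Authentication".
has_client_eku() {
  eku_of "$1" | grep -q 'TLS Web Client Authentication'
}

# Does the certificate chain to the CA the server is configured to trust?
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

main() {
  d=$(mktemp -d)
  make_test_pki "$d"
  for c in client_ok client_noeku; do
    printf '%s: EKU=[%s] ' "$c" "$(eku_of "$d/$c.pem")"
    if has_client_eku "$d/$c.pem"; then printf 'client-auth OK, '
    else printf 'client-auth MISSING, '; fi
    if chain_ok "$d/ca.pem" "$d/$c.pem"; then echo 'chain OK'
    else echo 'chain FAILED'; fi
  done
  rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then main; fi
```

Run with `--demo` to print the EKU line and chain result for both certificates. Pointing `has_client_eku` and `chain_ok` at a real client certificate and the CA file named in the tls {} block gives the same answer from the server side that the XP Details tab gives from the client side; note that chain verification alone passes for the certificate without the EKU, so a clean `openssl verify` does not rule out the EKU problem.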
Ivan Kalik
Kalik Informatika ISP
On 7/5/2008, "Joel MBA OYONE" <mba_oyone at yahoo.fr> wrote:
>Ok,
>
>I think I really missed something! That config should take less than 15
>minutes but I can't solve my problem for more than a week.
>
>Alan or Ivan, could you give me half an hour to help me to fix my RADIUS
>EAP-TLS config please. I would like to give you full access to my
>network and my terminal too, so the diagnostic should be very very easy
>for you!
>Is it possible?
>
>
>MBA OYONE Joël
>Lot. El Firdaous
>Bât GH20, Porte A 204, Appt 8
>20000 Oulfa
>Casablanca - Maroc
>
>Tél. : +212 69 25 85 70
>
>
>----- Original message ----
>From: Alan DeKok <aland at deployingradius.com>
>To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
>Sent: Monday, 5 May 2008, 17:18:10
>Subject: Re: Re : howto EAP-TLS on freeradius 2.0.2-3 ??
>
>Joel MBA OYONE wrote:
>...
>> The VLAN attributes defined in RFC3580 are as follows:
>> • Tunnel-Type=VLAN (13)
>> • Tunnel-Medium-Type=802
>> • Tunnel-Private-Group-ID=VLANID
>>
>> NOTE: The FreeRADIUS dictionary maps the 802 string value to the integer 6, which
>> is why client entries use 6 for the Tunnel-Medium-Type value.
>
> No. For Tunnel-Medium-Type, "802" is a *name*, not a *number*. See
>Section 3.2 of RFC 2868:
>
>...
> Value
> The Value field is three octets and contains one of the values
> listed under "Address Family Numbers" in [14]. For the sake of
> convenience, a relevant excerpt of this list is reproduced below.
>
> 1 IPv4 (IP version 4)
> 2 IPv6 (IP version 6)
> 3 NSAP
> 4 HDLC (8-bit multidrop)
> 5 BBN 1822
> 6 802 (includes all 802 media plus Ethernet "canonical format")
>...
>
> FreeRADIUS gets it *right*. Many NAS vendors get it *wrong*.
>
>> To create a user and assign the user to a particular VLAN by using FreeRADIUS, open the
>> etc/raddb/users file, which contains the user account information, and add for the new user.
>> The following example shows the entry for a user in the users file. The username is
>> "johndoe," the password is "test1234." The user is assigned to VLAN 77.
>>
>> johndoe Auth-Type := EAP, User-Password == "test1234"
>> Tunnel-Type = 13,
>> Tunnel-Medium-Type = 6,
>
> Or: Tunnel-Medium-Type = IEEE-802
>....
>>
>>
>> In both cases, it stays on "IDENTITY VALIDATION" in XP wireless
>> management and sometimes I receive the right IP address in the right IP
>> pool, but lose it immediately, maybe because of the repeating cycle of the
>> authentication sequence.
>> AND, the client certificate, signed by the Server (not the CA root) is still with the same message.
>>
>>
>> hope it would be helpfull !!
>
> Arg. Microsoft keeps putting magic nonsense into their OS's to make
>it difficult to use non-Microsoft RADIUS servers.
>
> And yes, this *is* a problem even inside of Microsoft! So if you're
>finding it a PITA to get it working, rest assured that Microsoft does, too.
>
> Alan DeKok.
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-----The corresponding attachment follows-----
######################################################################
#
# Create a new self-signed CA certificate
#
######################################################################
cakey.key cacert.pem:
openssl req -new -x509 -keyout cakey.pem -out cacert.pem -config ./ca.cnf
ca.der: ca.pem
openssl x509 -inform PEM -outform DER -in cac.pem -out ca.der
######################################################################
# Server certificate request
openssl req -newkey rsa:1024 -keyout /etc/raddb/certs/CA/other_keys/servradiuskey.pem -out /etc/raddb/certs/CA/req/servradius_cert.req
# Signing the server certificate
openssl ca -out /etc/raddb/certs/CA/certs/serverradiuscert.pem -extensions xpserver_ext -extfile /etc/ssl/xpextensions -infiles /etc/raddb/certs/CA/req/servradius_cert.req
# Client certificate request
openssl req -new -nodes -keyout /etc/raddb/certs/CA/other_keys/joelkey.pem -out /etc/raddb/certs/CA/req/joel_cert.req
# Signing the client certificate
openssl ca -out /etc/raddb/certs/CA/certs/joel_cert.pem -extensions xpclient_ext -extfile /etc/ssl/xpextensions -infiles /etc/raddb/certs/CA/req/joel_cert.req
# Converting the client certificate to PKCS#12 format
openssl pkcs12 -export -in CA/certs/joel_cert.pem -inkey CA/other_keys/joelkey.pem -out /etc/raddb/certs/CA/certs/joel_certs.p12 -clcerts