Active Directory as PKI
Nikita Koshikov
koshikov at gmail.com
Tue Jun 1 13:24:32 CEST 2010
On Thu, 20 May 2010 10:43:14 +0300
Nikita Koshikov wrote:
> Hello freeradius users/admins,
>
>
> I'm trying to implement EAP-TLS authorization with freeradius and Active Directory Certificate Services, but I'm stuck here...
>
> With keys/certificates generated with the freeradius makefile (/etc/raddb/certs) everything is working fine. Here is the hierarchy of keys generated by freeradius:
>
> Ca.crt(+ca.key)
> ||
> server.crt(+servers.key) //issuer ca.crt
> ||
> client1.crt
> client2.crt
> ..... //issuer server.crt
>
> Apart from this scheme, Active Directory stores certificates in this way:
>
> Ca.crt(key in AD and cannot be used by freeradius)
> ||
> sub_ca.crt(key in AD and cannot be used by freeradius) //issuer ca.crt
> ||
> server.crt(+key) //issuer sub_ca.crt (this is for private_key_file and certificate_file in freeradius config)
> ||
> client1.crt
> client2.crt
> ..... //issuer sub_ca.crt
> I concatenated the ca.crt file with sub_ca.crt; openssl verify produces "OK".
> # openssl verify -CAfile ca.crt clent.crt
> clent.crt: OK
>
> But when trying to authenticate from the client I get the error unknown_ca. I have attached the full debug log.
> client(wpa_supplicant) -> wifi-access(linksys with dd-wrt) -> server(freeradius-2.1.7)
> wpa_supplicant.conf:
> network={
> ssid="work"
> proto=RSN
> key_mgmt=WPA-EAP
> pairwise=CCMP
> eap=TLS
> identity="radius"
> ca_cert="/home/work/ca.crt"
> client_cert="/home/work/wifi_client.crt"
> private_key="/home/work/wifi_client.key"
> private_key_passwd=""
> priority=1
> }
>
> freeradius relevant section:
> tls {
> rsa_key_exchange = no
> dh_key_exchange = yes
> rsa_key_length = 512
> dh_key_length = 512
> verify_depth = 0
> pem_file_type = yes
> private_key_file = "/etc/raddb/certs/win/server.key" # generated from sub_ca
> certificate_file = "/etc/raddb/certs/win/server.crt" # generated from sub_ca
> CA_file = "/etc/raddb/certs/win/ca.crt" # concatenated ca.crt + sub_ca.crt from windows store
> dh_file = "/etc/raddb/certs/dh" # generated by makefile
> random_file = "/etc/raddb/certs/random" # generated by makefile
> fragment_size = 1024
> include_length = yes
> check_crl = no
> cipher_list = "DEFAULT"
> }
>
> Note:
> Server.crt and client.crt have all the necessary extensions (OIDs): TLS Web Server Authentication and TLS Web Client Authentication
>
> My question: is it possible to organize such a scheme, freeradius + windows certificate center? MUST client.crt be issued by server.crt, or MAY they both be issued by a higher-level CA, as Active Directory does?
>
> If this has been discussed before, please point me in the right direction.
Anyone?
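An added example (not from the thread, and not FreeRADIUS or wpa_supplicant code) that rebuilds the ca -> sub_ca -> server / client hierarchy described in the post with throw-away keys and then checks which trust file lets each certificate validate. The names ca, sub_ca, server and client1 follow the post; the `-untrusted` case is an assumption that models an intermediate supplied by the TLS peer in its handshake chain rather than one already present in the local trust file.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the AD-style hierarchy from the
# post with throw-away keys, then check which trust file validates which cert.
set -e
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > server.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext

# Key + CSR for <name>; the subject CN is just the name (constructed sample data).
csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/CN=$1" -out "$1.csr" >/dev/null 2>&1
}
# Issue <name> from its CSR, signed by <issuer>, with extensions from <extfile>.
issue() {
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 30 -extfile "$3" -out "$1.crt" >/dev/null 2>&1
}
build_hierarchy() {
  csr ca && openssl x509 -req -in ca.csr -signkey ca.key -days 30 \
    -extfile ca.ext -out ca.crt >/dev/null 2>&1     # self-signed root
  csr sub_ca && issue sub_ca ca ca.ext              # sub_ca  <- ca
  csr server && issue server sub_ca server.ext      # server  <- sub_ca
  csr client1 && issue client1 sub_ca client.ext    # client1 <- sub_ca
  cat ca.crt sub_ca.crt > ca_bundle.crt             # the concatenated CA_file
}
# check_chain <trust file> <cert> [<untrusted intermediate>]: prints OK or FAIL.
# The optional third argument models an intermediate the TLS peer sends in its
# handshake chain instead of one already sitting in the local trust file.
check_chain() {
  if [ -n "$3" ]; then extra="-untrusted $3"; else extra=""; fi
  if openssl verify -CAfile "$1" $extra "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

build_hierarchy
echo "root only, server.crt:           $(check_chain ca.crt server.crt)"           # FAIL
echo "root+sub_ca bundle, server.crt:  $(check_chain ca_bundle.crt server.crt)"    # OK
echo "root+sub_ca bundle, client1.crt: $(check_chain ca_bundle.crt client1.crt)"   # OK
echo "root only + peer-sent sub_ca:    $(check_chain ca.crt server.crt sub_ca.crt)" # OK
```

The first line shows the failure mode of a trust file that holds only the root: a certificate issued by sub_ca cannot be validated unless the intermediate is either in the trust file or delivered by the peer.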