Active Directory as PKI
Nikita Koshikov
koshikov at gmail.com
Thu May 20 09:43:14 CEST 2010
Hello freeradius users/admins,
I'm trying to implement EAP-TLS authorization with freeradius and Active Directory Certificate Services, but I'm stuck here...
With keys/certificates generated with the freeradius makefile (/etc/raddb/certs), everything is working fine. Here is the hierarchy of keys generated by freeradius:
ca.crt(+ca.key)
||
server.crt(+servers.key) //issuer ca.crt
||
client1.crt
client2.crt
..... //issuer server.crt
In contrast to this scheme, Active Directory stores certificates this way:
ca.crt(key in AD and cannot be used by freeradius)
||
sub_ca.crt(key in AD and cannot be used by freeradius) //issuer ca.crt
||
server.crt(+key) //issuer sub_ca.crt (this is for private_key_file and certificate_file in freeradius config)
||
client1.crt
client2.crt
..... //issuer sub_ca.crt
I concatenated the ca.crt file with sub_ca.crt, and openssl verify produces "OK".
# openssl verify -CAfile ca.crt clent.crt
clent.crt: OK
But when trying to authenticate from the client, I get the error unknown_ca. I have attached the full debug log.
client(wpa_supplicant) -> wifi-access(linksys with dd-wrt) -> server(freeradius-2.1.7)
wpa_supplicant.conf:
network={
ssid="work"
proto=RSN
key_mgmt=WPA-EAP
pairwise=CCMP
eap=TLS
identity="radius"
ca_cert="/home/work/ca.crt"
client_cert="/home/work/wifi_client.crt"
private_key="/home/work/wifi_client.key"
private_key_passwd=""
priority=1
}
relevant freeradius section:
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs/win/server.key"  # generated from sub_ca
certificate_file = "/etc/raddb/certs/win/server.crt"  # generated from sub_ca
CA_file = "/etc/raddb/certs/win/ca.crt"  # concatenated ca.crt + sub_ca.crt from windows store
dh_file = "/etc/raddb/certs/dh"  # generated by makefile
random_file = "/etc/raddb/certs/random"  # generated by makefile
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
}
Note:
server.crt and client.crt have all the necessary extensions (OIDs): TLS Web Server Authentication and TLS Web Client Authentication.
My question: is it possible to organize such a scheme, freeradius + Windows certificate center? MUST client.crt be issued by server.crt, or MAY they both be issued by a higher-level CA, as Active Directory does?
If this has been discussed before, please point me in the right direction.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radius_win_failed.log
Type: text/x-log
Size: 26591 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20100520/7b365d2e/attachment.bin>
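A worked example added here (it is not part of the original post and is not FreeRADIUS or wpa_supplicant code): the following POSIX shell script rebuilds the same two-level hierarchy with throwaway keys and runs `openssl verify` against it. It shows that a client certificate does not have to be issued by server.crt, that a verifier holding only the root cannot validate a leaf issued by sub_ca.crt unless the intermediate is either in its trust bundle or supplied alongside the leaf (which is the situation behind a TLS unknown_ca alert: whichever side raises it could not build a path from the certificate it received to a CA it trusts), and that the serverAuth/clientAuth extended key usages are enforced by `-purpose`. All file names, CNs and extension profiles are constructed for the demo; the only assumption is an openssl CLI of version 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original post. It rebuilds the Active Directory style
# hierarchy (root CA -> issuing sub-CA -> server and client leaves, the leaves being
# siblings rather than client-under-server) with throwaway keys, then runs
# `openssl verify` to show which CA bundle lets a path be built to each leaf.
# Every file name and CN below is constructed for the demo; nothing here touches
# the poster's /etc/raddb/certs/win files. Requires the openssl CLI (1.1.1 or 3.x).
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the demo does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
# Extension profiles: CA:TRUE for issuers, one EKU per leaf (the "necessary OIDs"
# the post mentions: TLS Web Server Authentication / TLS Web Client Authentication).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ext_ca.cnf
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > ext_server.cnf
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > ext_client.cnf

# new_csr NAME: throwaway RSA key plus CSR with CN=NAME.
new_csr() {
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
}

# issue NAME ISSUER EXTFILE: ISSUER signs NAME's CSR with the given extensions.
issue() {
  new_csr "$1"
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -out "$1.crt" -days 1 -extfile "$3" 2>/dev/null
}

# Self-signed root; in the AD case its key lives on the CA server, never in FreeRADIUS.
new_csr ca
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt -days 1 -extfile ext_ca.cnf 2>/dev/null
issue sub_ca ca     ext_ca.cnf        # issuing CA, signed by the root
issue server sub_ca ext_server.cnf    # RADIUS server cert, issued by sub_ca
issue client sub_ca ext_client.cnf    # supplicant cert, also issued by sub_ca

# verify_result BUNDLE LEAF PURPOSE: prints "OK" if LEAF chains to a cert in BUNDLE
# and its EKU fits PURPOSE (sslclient|sslserver), otherwise "FAIL".
verify_result() {
  if openssl verify -purpose "$3" -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# verify_with_intermediate ROOT INTERMEDIATE LEAF: same check, but only ROOT is
# trusted and the intermediate is supplied as untrusted chain material, the way a
# TLS peer sends it in its Certificate message.
verify_with_intermediate() {
  if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

cat ca.crt sub_ca.crt > chain.crt      # root + issuing CA in one file, as in the post

echo "client vs root only         : $(verify_result ca.crt    client.crt sslclient)"  # FAIL: issuer sub_ca unknown
echo "client vs root+sub_ca       : $(verify_result chain.crt client.crt sslclient)"  # OK
echo "server vs root+sub_ca       : $(verify_result chain.crt server.crt sslserver)"  # OK
echo "client checked as a server  : $(verify_result chain.crt client.crt sslserver)"  # FAIL: EKU is clientAuth only
echo "client, sub_ca sent by peer : $(verify_with_intermediate ca.crt sub_ca.crt client.crt)"  # OK
```

The post's `openssl verify -CAfile ca.crt clent.crt` check exercises only one direction of an EAP-TLS handshake (can the RADIUS server validate the supplicant's certificate?). The supplicant performs the mirror-image check on server.crt against its own ca_cert, so the intermediate has to be reachable from that side as well, either from the supplicant's trust file or from the chain the server sends.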