freeradius eap-ttls user/pass + cert

vw58t1 at yahoo.no
Thu Feb 23 21:43:09 CET 2012

----- Original Message -----
From: Matthew Newton <mcn4 at leicester.ac.uk>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: 
Sent: Thursday, 23 February 2012, 11:49
Subject: Re: freeradius eap-ttls user/pass + cert

Hi,

On Thu, Feb 23, 2012 at 02:09:50AM -0800, grub3r wrote:
> 2. configured ttls/server cert password in eap.conf and everything worked
> fine. Then I read somewhere that username/password authentication alone is
> not secure as some information is passed in clear text?!

You need to decide what auth methods you want to support.

PAP on its own sends the password in clear-text.

Sounds like you are trying to set up EAP-TTLS/PAP, which means
that the password is now inside a TLS tunnel, so no longer
clear-text on the wire.

    I chose TTLS because it is widely supported and can be used either with or without certificates.
    I would like to use username/password to securely authenticate users, that is, an encrypted username/password.
    You mean it's enough to only activate TTLS as the EAP method in eap.conf and add a user to the users file? Isn't the username transferred in clear text?



> I added "EAP-TLS-Require-Client-Cert = Yes" in "authorize-section" the
> default-site in sites-enabled.

The magic code is something more like

update control {
  EAP-TLS-Require-Client-Cert := Yes
}


    Yes, but it also works without ":" and can only be applied to the default file; applying it to inner-tunnel makes no difference at all.


> (I also tried to add it to users-file, which didn't work, what does work is
> DEFAULT EAP-TLS-Require-Client-Cert := Yes)

However, many supplicants can't do client certificates with TTLS
(or PEAP), so this is likely to lead you into trouble unless you
always know exactly what clients you're dealing with.

    wpa_supplicant under Linux supports most of the EAP methods; Linux is my main OS.

If you want to use certificates for authentication then you're
probably best to just use EAP-TLS (not TTLS).


    I would not want to use TLS as it requires a full PKI with CA, server and client certificates.



> using Fedora 16 as client, I now had to use certificate, I added earlier
> created client.pem, but server fails to authenticate with message "unknown
> ca cert", I also tried to use ca.pem, but with negative result.

The CA for client cert validation goes in CA_file - did you set
that?

    I only edited the ca, server and client cnf files as described in the README file under the certs dir.
    When adding ca.pem, debug says the client did not provide a cert; if I use client.pem, debug says unknown CA.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
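An added example, not part of the thread above and not FreeRADIUS or wpa_supplicant project code, that puts the pieces discussed in this message together: the server-side `tls` settings with `CA_file`, the `update control` block in the outer `authorize` section, a test user in the `users` file, and a matching wpa_supplicant network block for EAP-TTLS/PAP with a client certificate. The certs directory, the user name "alice", the password and the private-key passphrase "whatever" (the default `output_password` in the shipped client.cnf) are assumptions; the `authorize` section is cut down to the modules the example needs.

```conf
# --- raddb/eap.conf (FreeRADIUS 2.x layout; paths are assumptions) ---
eap {
        default_eap_type = ttls
        tls {
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs
                private_key_password = whatever
                private_key_file = ${certdir}/server.pem
                certificate_file = ${certdir}/server.pem
                # CA that must have signed the client certificate when
                # EAP-TLS-Require-Client-Cert is set. An "unknown ca" TLS
                # alert means the presented client cert does not chain to
                # the certificate(s) in this file.
                CA_file = ${cadir}/ca.pem
                dh_file = ${certdir}/dh
                random_file = /dev/urandom
        }
        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                # PAP inside the tunnel is handled by this virtual server
                virtual_server = "inner-tunnel"
        }
}

# --- raddb/sites-enabled/default, authorize section (outer request) ---
authorize {
        preprocess
        # Require a client certificate in the outer TLS handshake.
        # ":=" sets the control attribute; it must precede "eap" and
        # belongs in the OUTER virtual server, because inner-tunnel
        # only ever sees the already-decrypted PAP request.
        update control {
                EAP-TLS-Require-Client-Cert := Yes
        }
        eap
        files
}

# --- raddb/users, credential checked inside the tunnel (constructed entry) ---
alice   Cleartext-Password := "s3cret"

# --- wpa_supplicant.conf network block on the client (assumed paths) ---
network={
        ssid="example-eap"
        key_mgmt=WPA-EAP
        eap=TTLS
        # The outer EAP-Response/Identity is sent before the TLS tunnel
        # exists, so use an anonymous outer identity and keep the real
        # user name for the inner (tunnelled) PAP exchange.
        anonymous_identity="anonymous"
        identity="alice"
        password="s3cret"
        phase2="auth=PAP"
        # CA that signed the server certificate (server validation)
        ca_cert="/etc/raddb/certs/ca.pem"
        # Client certificate and key; the bootstrap client.pem holds both
        client_cert="/etc/raddb/certs/client.pem"
        private_key="/etc/raddb/certs/client.pem"
        private_key_passwd="whatever"
}
```

To check the chain before involving a supplicant, run `openssl verify -CAfile /etc/raddb/certs/ca.pem /etc/raddb/certs/client.pem`; if that fails, `CA_file` on the server will reject the certificate with the same "unknown ca" result. The same network block can be fed to `eapol_test` (shipped with wpa_supplicant) to exercise the full EAP-TTLS exchange against a server started with `radiusd -X`, without a wireless link: `eapol_test -c ttls.conf -a 127.0.0.1 -p 1812 -s testing123`, where the shared secret must match the client entry in `clients.conf`.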