FreeRadius Certificate Migration
John Dennis
jdennis at redhat.com
Tue May 14 21:25:10 CEST 2013
On 05/14/2013 12:01 PM, Mitch Yackobeck wrote:
> Good morning John,
>
> I apologize for making myself look like a moron. The original message
> had actually been sent to someone who was helping me to potentially work
> through some issues that we were seeing and trying to work out. I
> attempted to modify the message in haste and get some input from the
> group and it appears that I severely bungled that one up. I've learned
> my lesson in humility as I actually went back and read what I had done
> and like yourself could not make true heads or tails of that first
> paragraph.
>
> The ultimate goal we are trying to achieve here is this: we are
> potentially going to be changing our certificate structure in our
> classroom networks. We are looking to have a way to have clients that
> have not been converted to the new certificate structure as well as
> those that have been converted able to authenticate simultaneously using
> the same wireless SSID and FreeRadius server. We use Novell eDir for
> the backend services on the classroom side with FreeRadius
> authenticating our wireless users at the root of the tree. For
> authentication purposes we have moved from passing the username and
> password via 802.1X on the Novell Client to an EAP-TLS user certificate
> installed in the computer certificate store so that the system is
> already authenticated to the network prior to a user attempting to login
> and remains connected even after login.
>
> What I was trying to convey is that I've spent some time over the last
> couple of weeks upgrading my test environment from an older version of
> FreeRadius to the latest available. On that test server, I have both
> its test certificates and our production server certificates loaded up
> using a single file. Using the certs specific to the test server,
> everything works as expected, when I attempt to use the certs from the
> production server, that's when things go a little pear shaped. Initially
> it appears that the server is able to read the client certificate enough
> to recognize that the information is available, but when it requests
> further details, it fails to find the CA applicable to the client cert
> and bombs out a reject. See below for a capture of the client
> authentication attempt.
>
> I'm wondering if this type of setup is actually possible or if there is
> some switch that someone knows of somewhere in the config that perhaps I
> have missed.
>
> Any help would be appreciated.
Thank you Mitch, this is much more lucid.
I'll try to help as best I can but you're still making it difficult. We
ask for the output of radiusd -X in plain text format for a reason (not
edited snippets). Why? Well for starters it contains all sorts of
essential information that you've deleted. At the very most basic level
what FreeRADIUS version are you using? But it also tells us other
things, such as how the server is configured, what files it's reading, etc.
But in any event what you want to accomplish should work. Let me give
you some basic information and things to look at.
First of all I notice you're reading your configuration from
/usr/local/etc/raddb, some people get confused because /etc/raddb is a
common location and they edit the wrong files. Make sure you're editing
the files the server is loading.
Also, make sure the location of the cert directory in the config is what
you expect and is where you've installed your CA root certs (had the
full debug been posted we could have verified this).
Cert verification may involve a chain of CA certs, each of which must
validate, until a trusted root is reached. Every CA cert in the chain
must be available, either because the client passes it or because you've
installed it. Therefore it would be good to verify whether the client
cert issuer is the only cert necessary or not and, if not, whether you
have installed the intermediaries. But since you said you were able to
manually verify the client cert via the openssl command line tool that's
probably not the issue. But did you verify you've configured FreeRADIUS
to use the same CA as the command line tool?
OpenSSL has two basic ways it can access multiple CA certs, you either
concatenate them in a "bundle" file and set the CA_file to that, or you
set the CA_path and OpenSSL will look for certs in the directory. Sounds
like you decided to populate the CA_path with individual certs. Do they
have file extensions? Did you set the CA_path variable correctly? (the
debug log would have helped answer this).
It's a shame the cbtls_verify function in rlm_eap_tls.c does not print
the certificate (via X509_print_ex()) when verification fails, being
able to see the contents of the cert can be immensely helpful.
Looking at your error messages my best guess is that OpenSSL cannot
locate one or more of the issuer certs, the most likely cause of this is
misconfiguration of either the CA_file or CA_path variable, or the
contents found at those locations. See the man page for
SSL_CTX_load_verify_locations for details on what OpenSSL expects and
confirm your FreeRADIUS config matches it (also verify in the debug
output the server is loading what you expect it to load and not
something else).
--
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
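Added example (not part of the thread, and not FreeRADIUS code): the two CA
locations John describes, exercised with the openssl command line tool. The
script builds a throwaway root -> intermediate -> client chain in a temp
directory, then verifies the client cert with a concatenated CA_file bundle,
with a hashed CA_path directory, and with only the root trusted while the
intermediate is supplied the way a peer would send it. It also reproduces the
two failure modes from the reply: an intermediate that is neither installed nor
supplied, and a CA_path directory whose files were never rehashed. It assumes
the openssl CLI (1.1.0 or later) is on PATH; every subject name, file name and
directory is made up for the example.

```sh
#!/bin/sh
# Added example (not from the thread or from FreeRADIUS): build a throwaway
# root -> intermediate -> client chain and verify the client cert the two ways
# SSL_CTX_load_verify_locations() accepts, plus the two failure modes the
# reply describes (missing intermediate, unhashed CA_path directory).
# Assumes the openssl CLI (1.1.0 or later) is on PATH. All names are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Root CA (req -x509 marks it CA:TRUE via the default openssl.cnf v3_ca section).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Example Root CA" -days 3650 2>/dev/null

# Intermediate CA: must carry CA:TRUE or OpenSSL will not accept it as an issuer.
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out inter.pem -days 1825 -extfile inter.ext 2>/dev/null

# EAP-TLS client (machine) certificate issued by the intermediate.
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/CN=classroom-pc-01" 2>/dev/null
openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out client.pem -days 365 2>/dev/null

# 1. CA_file style: every CA in the chain concatenated into one bundle file.
verify_with_bundle() {
    cat root.pem inter.pem > ca-bundle.pem
    openssl verify -no-CApath -CAfile ca-bundle.pem client.pem >/dev/null 2>&1
}

# 2. CA_path style: one cert per file, plus the hashed symlinks OpenSSL looks
#    up (openssl rehash, or the older c_rehash script). Files need a
#    .pem/.crt/.cer extension or the rehash tools skip them.
verify_with_capath() {
    rm -rf cadir && mkdir cadir
    cp root.pem inter.pem cadir/
    openssl rehash cadir >/dev/null 2>&1 || c_rehash cadir >/dev/null 2>&1
    openssl verify -no-CAfile -CApath cadir client.pem >/dev/null 2>&1
}

# 3. Only the root installed; the intermediate arrives from the peer (what a
#    client that sends its full chain in the TLS handshake looks like).
verify_with_peer_chain() {
    openssl verify -no-CApath -CAfile root.pem -untrusted inter.pem client.pem \
        >/dev/null 2>&1
}

# Failure A: root trusted, intermediate neither installed nor supplied.
verify_missing_intermediate() {
    openssl verify -no-CApath -CAfile root.pem client.pem >/dev/null 2>&1
}

# Failure B: certs dropped into the directory but never rehashed, so the
#    subject-hash lookup finds nothing even though the files are there.
verify_unhashed_dir() {
    rm -rf unhashed && mkdir unhashed
    cp root.pem inter.pem unhashed/
    openssl verify -no-CAfile -CApath unhashed client.pem >/dev/null 2>&1
}

report() {
    if "$1"; then echo "$1: verified"; else echo "$1: FAILED ${2:+($2)}"; fi
}
report verify_with_bundle
report verify_with_capath
report verify_with_peer_chain
report verify_missing_intermediate "expected: issuer not found"
report verify_unhashed_dir "expected: CA_path not hashed"
```

The two failure cases are the ones worth recognising in radiusd -X output:
"unable to get local issuer certificate" from the first means the issuer of
the client cert is simply not in either location; the same error from the
second means the files are present but the directory was never hashed, so
re-running openssl rehash (or c_rehash) on the CA_path directory fixes it
without touching the FreeRADIUS config.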