EAP-TLS Suggestions on FreeRadius

Max Freeman maxx1233 at gmail.com
Mon Nov 3 01:23:37 CET 2014


Good evening,

Thank you for your suggestions/ reply. 
My comments/ questions are underneath your thoughts using ">>". 


> I have been working with FreeRadius and reading these threads for
> some time now trying to figure out how to properly configure and
> implement EAP-TLS using ECDHE-ECDSA ciphers.

 Set the right parameters for OpenSSL.

>> Do you mean within the OpenSSL source code? I've been trying to track down the location of where OpenSSL picks a TLS 1.0 handshake over TLS 1.2. 

> I am writing because perhaps there is a FreeRadius setting/ concept that
> I have been foolishly neglecting.

 All of the required OpenSSL settings are in the FreeRADIUS config
files.  And documented there.

>> I'll continue to read. Is it acceptable under the ECC curve section in eap.conf to use two elliptic curves?  That is what Wireshark shows being sent.

> The client (wpa_supplicant) sends FreeRadius a Client Hello over TLS 1.0
> (could perhaps cause problems with ECC?) and then FreeRadius rejects it
> because of an "SSL3_CLIENT_HELLO: no shared cipher."  However, I have
> confirmed that the latest version of OpenSSL supports my cipher.

 Use wireshark to look at the packets.  It should be able to decode
both sides of the EAP-TLS conversation, and show you which ciphers are
being used.

>> Wireshark has been showing that the correct cipher suites are available on both sides, which is odd.  It seems that the FR server rejects the Client Hello right away, even though the Client Hello seemingly has all the necessary information. Could it have something to do with users/clients.conf?  I can't seem to figure out any combination that does the trick.

> Does eap.conf/FR have anything to do with elliptic curves and
> their shared cipher besides putting in "ALL" for the cipher and
> "secptxxx" for the curve?

 That should be it.  Depending on OpenSSL magic, maybe "ALL" doesn't
mean "ALL".  Try listing the ciphers explicitly.

>> will do.

> I have also confirmed through OpenSSL's s_client/s_server programs
> that my certificates are set up properly and ONLY succeed with TLS1_2
> and not TLS1.0 or TLS1.1.

 That tests the local OpenSSL.  It doesn't test the remote end.

 It's possible that the remote end doesn't support the ciphers.

>> Both machines are identical CentOS images, except for the configuration of FR and wpa_supplicant on the respective machines. Also, s_client/s_server works on both.

Thank you very much for your thoughts. Much appreciated. 

Max 

 
Sent via mobile
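The check the Wireshark captures in this thread are being read for, as an added example that is not part of the thread and is not FreeRADIUS or OpenSSL code: a small Python inspector that pulls the handshake version, the offered cipher suites and the supported_groups (elliptic curve) extension out of a ClientHello, then reports which suites a server with a given cipher list and ECDSA certificate curve could actually pick. An empty result is the "no shared cipher" case. The ClientHello it parses is constructed inline; suite and curve ids are the IANA values.

```python
# Added example (not FreeRADIUS or OpenSSL code): pull from a TLS ClientHello the
# fields a "no shared cipher" rejection hinges on and check them against the server.
import struct
ECDHE_ECDSA = {0xC02B, 0xC02C, 0xC009, 0xC00A}   # ECDHE-ECDSA suite ids
TLS12_ONLY = {0xC02B, 0xC02C}                    # AES-GCM/SHA-2 suites need TLS 1.2
SECP256R1, SECP384R1 = 23, 24                    # supported_groups ids

def u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]

def build_client_hello(version, suites, curves):
    """Constructed minimal ClientHello; the record layer says TLS 1.0, as legacy clients do."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                       # one compression method: null
    groups = b"".join(struct.pack("!H", c) for c in curves)
    ext = struct.pack("!HHH", 0x000A, len(groups) + 2, len(groups)) + groups
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(rec):
    """Return (handshake version, offered suites, offered curves)."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 9                                   # past the record and handshake headers
    version, pos = u16(rec, pos), pos + 34    # version + 32-byte client random
    pos += 1 + rec[pos]                       # session id
    n = u16(rec, pos)
    suites = [u16(rec, i) for i in range(pos + 2, pos + 2 + n, 2)]
    pos += 2 + n + 1 + rec[pos + 2 + n]       # suites, then compression methods
    curves, end, pos = [], pos + 2 + u16(rec, pos), pos + 2
    while pos < end:
        etype, elen = u16(rec, pos), u16(rec, pos + 2)
        if etype == 0x000A:                   # supported_groups extension
            curves = [u16(rec, i) for i in range(pos + 6, pos + 6 + u16(rec, pos + 4), 2)]
        pos += 4 + elen
    return version, suites, curves

def shared_suites(rec, server_suites, server_cert_curve):
    """Suites the server could actually pick; an empty list is the 'no shared cipher' case."""
    version, suites, curves = parse_client_hello(rec)
    usable = []
    for s in suites:
        if s not in server_suites or (s in TLS12_ONLY and version < 0x0303):
            continue                          # not configured, or needs TLS 1.2
        if s in ECDHE_ECDSA and server_cert_curve not in curves:
            continue                          # client did not offer the server cert's curve
        usable.append(s)
    return usable
```

Feeding it a hello whose handshake version is 0x0301 (TLS 1.0) with only GCM suites configured on the server side reproduces the rejection even when both sides list the same suite names.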


> On Nov 2, 2014, at 6:00 AM, freeradius-users-request at lists.freeradius.org wrote:
> 
> Message: 1
> Date: Sat, 01 Nov 2014 09:05:08 -0400
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
>    <freeradius-users at lists.freeradius.org>
> Subject: Re: issue with reaped processes timing out in rad_waitpid
> Message-ID: <5454DA84.50302 at deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Alex Sharaz wrote:
>> So just to check, if I download the latest version of 2.x.x from git.freeradius.org as outlined at freeradius.org/git it'll have your patch in it?
> 
> https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x
> 
>  Look at the right side of the screen.  There's a button "download zip".
> 
>  Alan DeKok.
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Sat, 1 Nov 2014 16:24:53 +0200
> From: Isaac Boukris <iboukris at gmail.com>
> To: FreeRadius users mailing list
>    <freeradius-users at lists.freeradius.org>
> Subject: Re: 3.0.x rlm_sql mime encoding UTF8 characters
> Message-ID:
>    <CAC-fF8RjDSAn7U4418hstWnoF4=K_Tjau_e1MpyvJ=w6npXoyA at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
> 
> Hi,
> 
>> On Mon, Oct 27, 2014 at 4:31 PM, Adam Hammond <adam.hammond at wicoms.com> wrote:
>> ...
>> 
>> My questions are:
>> 
>> Is there a way for me to get rlm_sql to accept UTF8 characters? Or even ignore that check (at my own risk)?
> 
> I was faced with the same problem today (version 2.5.5).
> 
> I managed to get it working by replacing the function
> 'sql_escape_func' in 'rlm_sql.c' with the function
> 'sql_utf8_escape_func' from 'rlm_sql_log.c' file.
> 
> This seems to pass basic tests, but I am not sure what are the
> implications of this change.
> 
> HTH,
> Isaac B.
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Sat, 01 Nov 2014 16:46:53 +0100
> From: Matej Žerovnik <matej at zunaj.si>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: Dailycounter not working
> Message-ID: <5455006D.9040409 at zunaj.si>
> Content-Type: text/plain; charset=windows-1252; format=flowed
> 
>> On 28.10.2014 21:26, Matej Žerovnik wrote:
>> 
>>> On 20.10.2014 23:40, Alan DeKok wrote:
>>> Matej Žerovnik wrote:
>>>>  Hello!
>>>> 
>>>> I'm trying to use dailycounter on a LDAP authenticated user and it
>>>> doesn't seem to work. I think I did all steps correctly, but then 
>>>> again,
>>>> i have been wrong before:)
>>> ...
>>>> rlm_sql (sql): Released sql socket id: 2
>>>> [sql] User testuser not found
>>>> ++[sql] returns notfound
>>>   The "testuser" isn't found.  So the sqlcounter module can't do its
>>> job, because it doesn't know what value to use for the session limit.
> I posted this a while ago, but I'm trying my luck one more time if 
> anyone can point me to the right direction:
> 
> This is the part that is giving me troubles...
> My users exist in LDAP, to which I don't have access, but I can 
> authenticate with UserDN.
> I added entry
> testuser Max-Daily-Session := 600
> to mysql radcheck table hoping radius will pick it up and use it in 
> 'dailycounter'.
> 
> Access-request packet looks like this:
> rad_recv: Access-Request packet from host 10.10.10.10 port 33651, id=75, 
> length=202
>         NAS-Port-Type = Wireless-802.11
>         Calling-Station-Id = "00:24:D7:47:1C:XX"
>         Called-Station-Id = "hs-kit-testing"
>         NAS-Port-Id = "bridge-bralci"
>         User-Name = "testuser"
>         NAS-Port = 2151677975
>         Acct-Session-Id = "80400017"
>         Framed-IP-Address = 192.168.81.198
>         Mikrotik-Host-IP = 192.168.81.198
>         User-Password = "password"
>         Service-Type = Login-User
>         WISPr-Logoff-URL = "http://192.168.81.1"
>         NAS-Identifier = "kit-testing"
>         NAS-IP-Address = 192.168.1.116
> 
> Can RADIUS use the username provided in access-request for the 
> sqldailycounter?
> Is that even supposed to work?
> Can I use 'dailycounter' on LDAP  authenticated users or does that only 
> work on local users, who are in sql database?
> 
> Matej
> 
> -- 
> ---
> Matej Zerovnik
> 
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Sun, 2 Nov 2014 01:09:58 +0100 (MET)
> From: Jan Rafaj <jr-freeradius at cedric.unob.cz>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: radius logs with garbage username
> Message-ID: <alpine.LNX.2.00.1411020109001.2774 at cedric.unob.cz>
> Content-Type: TEXT/Plain; format=flowed; charset=US-ASCII
> 
> 
>> On Wed, 29 Oct 2014, Rando Nakarmi wrote:
>> 
>> I have a few that have a garbage username; why does this happen?
>> 
>> radiusd[367]: Login OK: [u2ttxxBZPlxGkGvGiM6lhPw==]
>> radiusd[369]: Login OK: [f2vnxxBZPlxGkGvGiM6lhPw==]
>> 
>> any help
> 
> Sounds like incorrectly configured mobile phones with Symbian OS.
> (If not configured correctly for WPAx-Enterprise, they tend to send
> identities with multiple delimiters, base64-encoded cert parts,
> and what not, in the User-Name...).
> 
> 
> 
