using SSL certs with EAP-TLS

Stefan Winter stefan.winter at restena.lu
Mon Apr 4 11:45:32 CEST 2016


Hi,

> In my FreeRadius setup for authenticating WiFi devices with EAP-TLS, I
> use server- and client SSL certificates from CA provider ' X '. I
> understand that now everyone with knowledge of this fact, can get a
> client SSL cert (PKCS#12) from this CA provider X and can authenticate
> with my WPA2 Enterprise network.

No. If your server certificate is from a CA, the client can verify that
your server is genuine (if the client side is configured correctly to
actually check CA and server name).

The *client* certificates /can/ come from the same CA or from a
different CA.

If you choose the same CA, then yes, you run into the issues below that
everybody who got a client certificate from that same CA can
authenticate to your network.

Since there's no need to go down that route: don't. Issue client
certificates from your own self-signed CA, and hand out client certs
only to your own account holders. Then, no further checks are needed.

> After reading the following from the README:
>
> "In general, you should use self-signed certificates for 802.1x (EAP)
> authentication.  When you list root CAs from other organisations in
> the "ca_file", you permit them to masquerade as you, to authenticate
> your users, and to issue client certificates for EAP-TLS."

Yep; that's good advice :-) It's written in a condensed way as it
touches both sides: it's better for the server certs to be from a
private CA/self-signed, and it is also better for the client certs to be
from a private CA.

> I would like to ask the following question. Is there something I can
> configure on the server side that only certain CommonName's and/or
> serial's can be used to authenticate correctly?

Yes. There are examples in the shipped tarball of FreeRADIUS for that I
think. That does not mean that it's the best idea to go down that route.

> Next to this question, I wonder why also a username (Benutzername) is
> asked in iOS when we use EAP-TLS with a certificate? I can fill out this
> field with whatever string and it authenticates in FreeRadius (when a
> correct cert is presented of course).
> screenshot:
> https://hilfe.uni-paderborn.de/images/thumb/4/4f/Eduroam_iOS7_04.png/250px-Eduroam_iOS7_04.png
>
> I run version 3.0.11 on Ubuntu 14.04 LTS 64bit.

It's about roaming support. It's a client issue and not for this list,
but anyway:

If no username is selected, iOS will copy the CN or the eMail field from
the cert and use that as username. /usually/ this already contains a
domain suffix which can be used for routing, and /usually/ that domain
matches the RADIUS realm settings.

Sometimes it doesn't - in which case the certificate would work locally,
but not in a roaming case where the request needs to be routed correctly.

Imagine a client cert with CN="Edward Ulysses Roam" - that's no good for
roaming. In this case, you need to configure a different username such
as "eduroam at uni-paderborn.de" so that the request gets routed correctly.

When you write above that you can use whatever string you like then
probably you didn't try this at a remote hotspot. :-)

Greetings,

Stefan Winter
>
> Thank you
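The two points of the reply above, pinning client certificates to a private CA and deriving a routable realm from the CN, as an added example that is not part of the list post and not FreeRADIUS's own code. It uses only the openssl CLI: it builds a private CA and a stand-in for "CA provider X", issues three client certificates, and then compares a CN-only check with a check that first requires a chain to the private CA and then matches the serial against an allowlist. All names (example.org, alice, edward, mallory, the allowlist file) are constructed for illustration; the serial allowlist stands in for whatever server-side restriction you actually configure.

```shell
#!/bin/sh
# Added example for the thread above (not from the list post or FreeRADIUS):
# builds a private CA, a stand-in for "CA provider X", and three client
# certificates, then shows why a CN or serial check only means something
# once the chain is pinned to your own CA. Names (example.org, alice,
# mallory, ...) are constructed for illustration. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Create a self-signed CA: $1 = file prefix, $2 = subject
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1.key" -out "$1.crt" -subj "$2" 2>/dev/null
}

# Issue a client certificate: $1 = CA prefix, $2 = client prefix, $3 = subject
issue_client() {
    openssl req -newkey rsa:2048 -nodes -keyout "$2.key" \
        -out "$2.csr" -subj "$3" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 365 -out "$2.crt" 2>/dev/null
}

# Subject CN of a certificate (what iOS copies into the username field)
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline \
        | sed -n 's/^ *commonName *= *//p'
}

# Serial number of a certificate as hex, without the "serial=" prefix
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Does the certificate chain to our CA? ($1 = CA prefix, $2 = cert file)
chain_ok() {
    openssl verify -CAfile "$1.crt" "$2" >/dev/null 2>&1
}

# The naive check: accept any cert whose CN equals the expected name
cn_matches() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# The robust check: chain to our CA AND serial on an allowlist
# ($1 = CA prefix, $2 = allowlist file, $3 = cert file)
cert_allowed() {
    chain_ok "$1" "$3" || return 1
    grep -qx "$(cert_serial "$3")" "$2"
}

# Realm for RADIUS routing, derived the way the post describes: the part
# after '@' in the CN. Fails when the CN carries no realm at all.
realm_from_cn() {
    cn=$(cert_cn "$1")
    case $cn in
        *@*) echo "${cn##*@}" ;;
        *)   return 1 ;;
    esac
}

# --- constructed PKI (illustration only) ---------------------------------
make_ca private "/CN=Example Org private EAP CA/O=Example Org"
make_ca public  "/CN=CA provider X/O=Some public CA"

# our own account holder, realm in the CN
issue_client private alice   "/CN=alice@example.org/O=Example Org"
# our own account holder, but a CN that carries no realm
issue_client private edward  "/CN=Edward Ulysses Roam/O=Example Org"
# anyone who bought a cert from CA X can pick the very same CN
issue_client public  mallory "/CN=alice@example.org/O=Whoever"

# the allowlist: only alice's serial is permitted
cert_serial alice.crt > allowed_serials.txt

report() { if "$@"; then echo "accepted"; else echo "rejected"; fi; }
echo "CN-only check, mallory.crt:       $(report cn_matches mallory.crt alice@example.org)"
echo "chain+serial check, mallory.crt:  $(report cert_allowed private allowed_serials.txt mallory.crt)"
echo "chain+serial check, alice.crt:    $(report cert_allowed private allowed_serials.txt alice.crt)"
echo "chain+serial check, edward.crt:   $(report cert_allowed private allowed_serials.txt edward.crt)"
echo "realm from alice.crt:  $(realm_from_cn alice.crt)"
echo "realm from edward.crt: $(realm_from_cn edward.crt || echo '(none, not routable)')"
```

The CN-only check accepts mallory.crt, because the CN is whatever the requester typed into the CSR; it is the chain check against the private CA that rejects it, and the serial allowlist then narrows acceptance to the certificates you actually handed out. The last two lines reproduce the roaming point: alice's CN yields example.org as realm, Edward's yields nothing, so a user name with a realm has to be configured for that client.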
