Troubleshooting EAP-TLS with External Certificates
Alan DeKok
aland at deployingradius.com
Fri Sep 9 00:37:13 CEST 2016
On Sep 8, 2016, at 6:09 PM, Matthew West <matthew.t.west at gmail.com> wrote:
> Thank you for your help and direction while figuring out configuration
> of FreeRADIUS. You've been very helpful.
It's what we do.
> *** 1st Question: Are there any implications when removing the space
> filter from policy.d?
Yes. It means that users can log in as "bob" or "bob ". Depending on the database and other factors, they might be treated as different users, when they should be the same user.
The main reason someone puts spaces into a user name is they're trying to cheat you.
> In my attempts to get FreeRADIUS configured to work with e-mail/auth
> certificates (previously issued), I was given a new 'CA Cert' to use
> with our e-mail certificates. I am now successfully authenticating
> with the new CA file I was given and my e-mail certificate.
> Unfortunately, the 'User-Name' field was filled with 'User Name' with
> a space and failed the username field check. I removed the space
> filter from /etc/raddb/policy.d and I can now authenticate. (Output
> below).
That's stupid.
>> If you use a public CA then anyone else can get a cert signed by that CA for small change, they can then do eg evil twin etc attacks and badly configured clients will auth against them. ..thus giving them the users password (or easily cloud cracked mschap challenge/response)... many clients have basic security...eg only trust the CA. So local CA is the one way to ensure lowest common denominator is secure.
>
> *** 2nd Question: If my company uses an internal CA certificate that
> was issued/signed by Verisign and is bundled with the public CA's
> chain, are there security implications with using the bundle? (Output
> below)
You usually can't set the EAP supplicant (end user PC) to trust an intermediate CA. Often it's only the top-level CA. Which means that anyone *else* with a version certificate will be accepted by the EAP supplicant.
That's bad.
Alan DeKok.
More information about the Freeradius-Users
mailing list