Troubleshooting EAP-TLS with External Certificates

Matthew West matthew.t.west at gmail.com
Sat Sep 10 00:53:35 CEST 2016


> > Would that remediate any security concerns, or would that still leave
> > room for abuse?
>
> You can start with a known good secure situation where you have
> control over all the variables, and do a little bit more work to
> really tighten it down. Or you could start from a known less secure
> situation where other people have control over your infrastructure,
> and try and patch it up to stop people getting in who shouldn't.
>
> Your choice... but I know which one I'd go for to make sure access
> to my network was secure.

Thanks for your input everyone.  I was assured the CA certificate we
are using is not a globally known CA and our e-mail/auth certificates
were issued with it.

The only issue I'm dealing with now is the space being present in the
User-Name.  I'm hoping with the right regular expression I can grab
only what we are to be expecting in the User-Name field (i.e. 'User
Name'), although I see a few e-mail certificates that break this rule.

> On FreeRADIUS, look at OCSP in mods-available/eap, and
> sites-available/check-eap-tls (also in mods-available/eap).

OK, great.  That has everything I'm looking for.  Our PKI manager will
either issue me a CRL or I'll set up with OCSP.  Thank you all for
your help.  I'll let you know how everything turns out.

Enjoy your weekend!

Matthew West



On Fri, Sep 9, 2016 at 12:36 PM, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> On Fri, Sep 09, 2016 at 09:41:17AM -0700, Matthew West wrote:
>> To this, my technical lead on the project said:
>> ] Need to look at two things here –
>> ] * CRL checks – so that revoked certs do not authenticate
>> ] * Certificate Whitelist of sorts – So only our bunch of certs authenticate
>>
>> It is apparent that he understands the implication of using the
>> VeriSign chain as our CA. Is it possible to achieve a cert whitelist,
>> say, filter on the e-mail address presented in the certificate?
>
> On FreeRADIUS, look at OCSP in mods-available/eap, and
> sites-available/check-eap-tls (also in mods-available/eap).
>
>> Would that remediate any security concerns, or would that still leave
>> room for abuse?
>
> You can start with a known good secure situation where you have
> control over all the variables, and do a little bit more work to
> really tighten it down. Or you could start from a known less secure
> situation where other people have control over your infrastructure,
> and try and patch it up to stop people getting in who shouldn't.
>
> Your choice... but I know which one I'd go for to make sure access
> to my network was secure.
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
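The certificate "whitelist" discussed in this thread (pin the issuing CA, filter on the e-mail address in the certificate, and accept a User-Name that contains a space only when it has exactly the expected 'First Last' shape) can be expressed as a small policy function. The following is an added illustration written for this archive page; it is not code from the thread, from FreeRADIUS, or from the poster's deployment. It operates on the same fields FreeRADIUS makes available to a check-eap-tls policy (issuer, common name, subjectAltName e-mail, outer User-Name), and the issuer string, the allowed domain, the allowlisted service name and the sample identities are all constructed assumptions.

```python
import re
from typing import Optional, Tuple

# --- Policy values: constructed assumptions, replace with your own PKI's data ---

# Exact issuer DN of the private CA that signs our client certificates.
# Pinning this is what stops certificates chained to a public/commercial CA
# (issued to anyone else) from ever reaching the e-mail or name checks below.
EXPECTED_ISSUER = "/C=US/O=Example Corp/CN=Example Corp Internal CA"

# Only e-mail addresses in these domains are accepted from the certificate SAN.
ALLOWED_EMAIL_DOMAINS = {"example.com"}

# The outer User-Name is expected to be a person's name: words of letters
# (apostrophe/hyphen allowed inside a word) separated by single spaces.
# Anchored so that leading/trailing/double spaces, digits or other
# characters are rejected rather than silently tolerated.
USER_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z'\-]*(?: [A-Za-z][A-Za-z'\-]*)+$")

# Certificates whose CN is known not to follow the 'First Last' rule
# (the thread mentions a few such e-mail certificates) are listed
# explicitly instead of loosening the regular expression for everyone.
CN_ALLOWLIST = {"svc-printer"}


def email_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def check_client_cert(issuer: str,
                      common_name: str,
                      san_email: Optional[str],
                      user_name: str) -> Tuple[bool, str]:
    """Decide whether an EAP-TLS client certificate is one of 'our' certs.

    Returns (accepted, reason). Every rejection names the failed check so the
    RADIUS log explains why a peer was turned away.
    """
    # 1. Issuer pinning: the certificate must come from our private CA.
    if issuer != EXPECTED_ISSUER:
        return False, "issuer is not our CA"

    # 2. The outer identity must match the certificate's CN exactly
    #    (a space inside the name is fine; a mismatch is not).
    if user_name != common_name:
        return False, "User-Name does not match certificate CN"

    # 3. E-mail filter: the certificate must carry an e-mail in our domain.
    if not san_email:
        return False, "certificate has no e-mail address"
    if email_domain(san_email) not in ALLOWED_EMAIL_DOMAINS:
        return False, "e-mail domain not allowed"

    # 4. Name shape: either an explicit exception or the strict pattern.
    if common_name in CN_ALLOWLIST or USER_NAME_RE.match(common_name):
        return True, "accepted"
    return False, "User-Name does not match expected 'First Last' form"


if __name__ == "__main__":
    # Constructed sample identities.
    samples = [
        (EXPECTED_ISSUER, "Jane Doe", "jane.doe@example.com", "Jane Doe"),
        ("/C=US/O=Public CA Inc/CN=Public CA", "Jane Doe", "jane.doe@example.com", "Jane Doe"),
        (EXPECTED_ISSUER, "Jane Doe", "jane.doe@other.example", "Jane Doe"),
        (EXPECTED_ISSUER, "Jane  Doe", "jane.doe@example.com", "Jane  Doe"),
        (EXPECTED_ISSUER, "svc-printer", "printer@example.com", "svc-printer"),
    ]
    for issuer, cn, mail, uname in samples:
        print(uname, "->", check_client_cert(issuer, cn, mail, uname))
```

Note that CRL/OCSP revocation checking is deliberately not modelled here; it belongs in the TLS layer (the OCSP settings in mods-available/eap mentioned above), and this policy only runs for certificates that already chained and were not revoked.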
