Troubleshooting EAP-TLS with External Certificates

Turner, Ryan H rhturner at email.unc.edu
Sat Sep 10 01:46:34 CEST 2016 

I don't like OSCP checks in radius.  It creates another opportunity to slow down the authentication process, and unless you tell it to fail open, if the responder is down, then no one can authenticate (at least I think that is so).  With that said, if you are supporting a commercial entity and not something academic, then you may have to go the extra mile.  If we need to block a user, we block the MAC address or username with NAC.  Not fool proof.  But also takes the burden away from radius, which can be pummeled from a lot of extra work.  

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On Sep 9, 2016, at 6:54 PM, Matthew West <matthew.t.west at gmail.com> wrote:

>>> Would that remediate any security concerns, or would that still leave
>>> room for abuse?
>> 
>> You can start with a known good secure situation where you have
>> control over all the variables, and do a little bit more work to
>> really tighten it down. Or you could start from a know less secure
>> situation where other people have control over your infrastructure,
>> and try and patch it up to stop people getting in who shouldn't.
>> 
>> Your choice... but I know which one I'd go for to make sure access
>> to my network was secure.
> 
> Thanks for your input everyone.  I was assured the CA certificate we
> are using is not a globally known CA and our e-mail/auth certificates
> were issued with it.
> 
> The only issue I'm dealing with now is the space being present in the
> User-Name .  I'm hoping with the right regular expression I can grab
> only what we are to be expecting in the User-Name field (i.e 'User
> Name'), although I see a few e-mail certificates that break this rule.
> 
>> On FreeRADIUS, look at OCSP in mods-available/eap, and
>> sites-available/check-eap-tls (also in mods-available/eap).
> 
> OK, great.  That has everything I'm looking for.  Our PKI manager will
> either issue me a CRL or I'll set up with OCSP.  Thank you all for
> your help.  I'll let you know how everything turns out.
> 
> Enjoy your weekend!
> 
> Matthew West
> 
> 
> 
>> On Fri, Sep 9, 2016 at 12:36 PM, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
>>> On Fri, Sep 09, 2016 at 09:41:17AM -0700, Matthew West wrote:
>>> To this, my technical lead on the project said:
>>> ] Need to look at two things here –
>>> ] * CRL checks – so that revoked certs do not authenticate
>>> ] * Certificate Whitelist of sorts – So only our bunch of certs authenticate
>>> 
>>> It is apparent that he understands the implication of using the
>>> VeriSign chain as our CA. Is it possible to achieve a cert whitelist,
>>> say, filter on the e-mail address presented in the certificate?
>> 
>> On FreeRADIUS, look at OCSP in mods-available/eap, and
>> sites-available/check-eap-tls (also in mods-available/eap).
>> 
>>> Would that remediate any security concerns, or would that still leave
>>> room for abuse?
>> 
>> You can start with a known good secure situation where you have
>> control over all the variables, and do a little bit more work to
>> really tighten it down. Or you could start from a know less secure
>> situation where other people have control over your infrastructure,
>> and try and patch it up to stop people getting in who shouldn't.
>> 
>> Your choice... but I know which one I'd go for to make sure access
>> to my network was secure.
>> 
>> Matthew
>> 
>> 
>> --
>> Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
>> 
>> Systems Specialist, Infrastructure Services,
>> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>> 
>> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
>> -
>> List info/subscribe/unsubscribe? See https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fwww.freeradius.org%2flist%2fusers.html&data=01%7c01%7crhturner%40email.unc.edu%7c89d54ccd282b4f5bce5e08d3d90445af%7c58b3d54f16c942d3af081fcabd095666%7c1&sdata=g6oRCIiuESdclJpZ4yoJqobR2xiRFxPEYhEOXjg2rW0%3d
> 
> -
> List info/subscribe/unsubscribe? See https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fwww.freeradius.org%2flist%2fusers.html&data=01%7c01%7crhturner%40email.unc.edu%7c89d54ccd282b4f5bce5e08d3d90445af%7c58b3d54f16c942d3af081fcabd095666%7c1&sdata=g6oRCIiuESdclJpZ4yoJqobR2xiRFxPEYhEOXjg2rW0%3d

More information about the Freeradius-Users mailing list