As freeradius validates the client certificate on an EAP-TLS connection and OCSP
Miguel Hinojosa
miguel.hinojosa at gruposothis.com
Tue Apr 11 16:46:03 CEST 2017
We are documenting the architecture and configuration of the deployed
freeradius 3.0.11. We need confirmation on two doubts about the EAP-TLS connection.
After documenting SSL chain verification and reviewing the Red Hat
Certificate System document, we would like you to confirm that our
assumption is correct.
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.0/html/Deployment_Guide/Introduction_to_Public_Key_Cryptography-Certificates_and_Authentication.html#Certificates_and_Authentication-How_CA_Certificates_Establish_Trust
Configuration:
- Server CA path (/etc/pki/CApath.client) where we have 1x rootCA.pem and 1x issuingCA-1.pem (issued by rootCA.pem)
- server.pem issued by issuingCA-1.pem
- client cert issued by another issuingCA-2.pem (not in the local CA path of the freeradius server)
- issuingCA-2.pem issued by the same rootCA.pem (same keyid too)
---
When the mentioned client, with a client cert issued by issuingCA-2.pem,
tries connecting to radius:
*Case 1: the client sends the issuingCA-2.pem certificate during the SSL
negotiation. Although radius does not have it in its local CA path, radius
will be able to complete the chain according to the
ssl-chain-verification documentation, since the client's certificate is
signed by issuingCA-2, which is signed by rootCA.pem, which it does have. Correct?
*Case 2: the client does not send the issuingCA-2.pem certificate; radius will
not be able to complete the chain and should deny the connection,
right?
---
I understand that the OCSP server, if you send it the certificate of the
intermediate CA, will verify it as it does with the certificate of the
client.
But when freeradius checks the client's certificate via OCSP, does it
verify, during the same connection (request), the certificate of the
intermediate CA?
Or is that done only at the CRL checkpoint?
==
eap config:

eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = ${max_requests}

    tls-config tls-common {
        private_key_password =
        private_key_file = ${certdir}/private/server.key
        certificate_file = ${certdir}/certs/server.pem
        dh_file = ${certdir}/private/dh
        ca_path = ${cadir}
        cipher_list = "DEFAULT"
        ecdh_curve = "prime256v1"

        cache {
            enable = yes
            max_entries = 255
        }

        verify {
            skip_if_ocsp_ok = yes
            tmpdir = /var/tmp/radiusd/verify
            client = "/usr/bin/openssl verify -CApath ${..ca_path} -crl_check_all %{TLS-Client-Cert-Filename}"
        }

        ocsp {
            enable = yes
            timeout = 4
            softfail = yes
        }
    }

    tls {
        tls = tls-common
        virtual_server = check-eap-tls
    }

    peap {
        tls = tls-common
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }

    mschapv2 {
    }
}
Thanks
Best regards
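The two chain cases asked about above can be reproduced offline with the same `openssl verify -CApath` command the post's verify { client = ... } line runs. The script below is an added example, not code from the post or from the FreeRADIUS project: it builds a throw-away PKI with the post's layout (rootCA, issuingCA-1 and issuingCA-2 under it, a client certificate under issuingCA-2, and a CApath that holds only rootCA and issuingCA-1), then runs the verification once with the intermediate supplied (case 1) and once without (case 2). All names, keys and the extension profiles are constructed here; it assumes only that the openssl CLI (1.1.1 or 3.x) is on PATH.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): rebuild the PKI layout the
# post describes with throw-away keys and run the same `openssl verify -CApath`
# check the post's verify { client = ... } line runs, once per case.
# Assumes the openssl CLI (1.1.1 or 3.x) is on PATH; every name and key here is
# constructed. The post's -crl_check_all flag is deliberately left out (see note).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CAPATH="$WORK/CApath.client"          # the server's trust directory (ca_path)
mkdir -p "$CAPATH"

# Extension profiles: one for CAs, one for the client (leaf) certificate.
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
cat > "$WORK/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# new_csr NAME : fresh RSA key and CSR for CN=NAME
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -subj "/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
}

# sign_by NAME ISSUER EXTFILE : sign NAME's CSR with ISSUER's key
sign_by() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 2 -extfile "$WORK/$3" -out "$WORK/$1.pem" 2>/dev/null
}

# add_to_capath NAME : install a CA under its subject-hash name (<hash>.0),
# which is how -CApath locates trusted certificates
add_to_capath() {
  cp "$WORK/$1.pem" "$CAPATH/$(openssl x509 -hash -noout -in "$WORK/$1.pem").0"
}

build_pki() {
  new_csr rootCA
  openssl x509 -req -in "$WORK/rootCA.csr" -signkey "$WORK/rootCA.key" \
    -days 2 -extfile "$WORK/ca.ext" -out "$WORK/rootCA.pem" 2>/dev/null
  new_csr issuingCA-1;  sign_by issuingCA-1 rootCA ca.ext
  new_csr issuingCA-2;  sign_by issuingCA-2 rootCA ca.ext
  new_csr client;       sign_by client issuingCA-2 client.ext
  # Only rootCA and issuingCA-1 are trusted locally, exactly as in the post;
  # issuingCA-2 is never installed in CApath.
  add_to_capath rootCA
  add_to_capath issuingCA-1
}

# Case 1: the client presents its certificate together with issuingCA-2.
# openssl treats the presented intermediate as untrusted chain material and
# links it to the rootCA found in CApath, so the chain completes.
verify_case1() {
  openssl verify -CApath "$CAPATH" -untrusted "$WORK/issuingCA-2.pem" \
    "$WORK/client.pem" >/dev/null 2>&1
}

# Case 2: the client presents only its own certificate. Nothing in CApath
# is its issuer, so chain building stops and verification fails.
verify_case2() {
  openssl verify -CApath "$CAPATH" "$WORK/client.pem" >/dev/null 2>&1
}

build_pki
if verify_case1; then echo "case 1: chain OK (intermediate supplied by client)"; else echo "case 1: rejected"; fi
if verify_case2; then echo "case 2: chain OK"; else echo "case 2: rejected (no issuer found for client cert)"; fi
```

Two things to keep in mind when mapping this back to the post's configuration. First, the post's command also passes `-crl_check_all`, which makes openssl require a current CRL for every CA in the chain (stored hashed as `<hash>.r0` alongside the `<hash>.0` files in CApath); with that flag, case 1 fails with an "unable to get certificate CRL" error even though the chain itself is valid, unless CRLs for rootCA and issuingCA-2 are both present. Second, case 1 succeeding means any certificate that chains to rootCA through any intermediate the client chooses to present is accepted by this check; if only clients issued by issuingCA-2 should be admitted, that has to be enforced separately (for example by matching the issuer in the check-eap-tls virtual server), since the chain check alone does not distinguish issuing CAs under the same root. The OCSP question in the post is not covered by this example.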