PEAP correct client certificate
Alan DeKok
aland at deployingradius.com
Thu Nov 23 21:44:32 CET 2017
On Nov 23, 2017, at 3:38 PM, Oliver Tollning <oliver at tollning.com> wrote:
>
> Alright, I took your suggestions to heart and installed ubuntu+freeradius 3.0 from scratch.
That's good...
> configured the users and clients configs so that I can connect.
>
> Testing with peap: Access-Accept. OK
>
> Then used the CA.pl with
> -newca
> -newreq-nodes
> -sign
The server comes with scripts to create certs. See raddb/certs/
> Made a dh file and copied the random with dd to another folder for easier access
>
> eap.conf
> eap default_eap_type = peap
>
> tls-config tls-common
> put in the key file, certificate file, dh file, random file and ca file
>
> ca_path =/etc/freeradius/3.0/eap/eapCA/
>
> then enabled verify {
> tmpdir = /etc/freeradius/3.0/tmp
> client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
> }
Which runs the external verification command... if there's a client certificate.
> no change in peap
> peap {
> tls = tls-common
> ....
> }
>
>
> Now if I start freeradius -X and connect I still get an Access-Accept even though my client doesn't have the correct client certificate (because I never created it).
That's exactly how it's supposed to work.
You didn't tell the server to require a client certificate. So it didn't.
> And if I scroll up in the debug mode I get a
> eap_peap: [eaptls verify] = ok
>
> Why does my server not verify the client correctly (or at all)?
The server doesn't magically know that PEAP is supposed to have a client certificate. You have to tell it.
Put this into the "authorize" section of raddb/sites-enabled/default:
update control {
    EAP-TLS-Require-Client-Cert = Yes
}
It's what I told you to do in a message a few days ago.
Following instructions helps you solve problems.
Alan DeKok.