AD Auth Question

Alan Buxey alan.buxey at gmail.com
Mon Jan 1 16:10:24 CET 2018


hi,

> So at this point I am beyond certain that I have valid certificates and that those are trusted.  The CA is the CA for the domain and the server certificate has the correct OID attributes to support the authentication, the paths on the server have been verified and as previously mentioned I have even used certs from my Windows NPS server on this server to make sure trust and certs were good.

if FR starts up, doesn't complain or chuck errors about certs (and in
the debug output you will see the file it's reading) then the issue
lies elsewhere - could be an OpenSSL issue, could be
that the OpenSSL libraries are not negotiating with your client correctly

> I think there is little disagreement that the issue is on the challenge response part, as comparing the trace and the event log of the client has the client generating the “Explicit EAP failure received”. When I mentioned disabling validation on the client I am referring to the need for the client to validate the trust of the certificates being used by the server, i.e. under the client's 802.1x profile on the security tab, properties and then the “Verify the server’s identity by validating the certificate”.  In this case I know the certificate I have specified is valid and issued from a trusted CA; my question really is how do I validate that FR is actually using the certificate and is generating valid data using the specified certificate, as the behavior of the client seems to indicate that it is not, as I know the following:

okay - easy check here - use eapol_test (it's part of the
wpa_supplicant package) - FreeRADIUS comes with example files to use
with eapol_test (in the src/tests directory of the main source code
archive)
take the relevant one - e.g. the PEAP test, modify to your requirements
and then use eapol_test with the local server cert saving option - you
will then see what's going on, e.g. with eapol_test running on the FR
server itself

eapol_test -c eap-peap.conf -s testing123 -h localhost -o ca_cert.pem

(arguments might not be quite correct...this is from memory and the last
time I used that command was a couple of months back)

now read/check that ca_cert.pem (openssl x509 -in ca_cert.pem -noout -text)

> 4. When viewing the certificate of FR on the client (file copy) the certificate indicates that it is trusted and has the correct extended use attributes

which store?

> I would use the certificates on NPS that I generated for FR to prove but the system would not use them as the name of that host does not match the certificate and you can’t specify a non matched certificate to be used in NPS.

note that the host name has nothing to do with the cert name in the RADIUS/EAP
world - it's just a certificate that is being presented to the client
which is checked locally for basic things - unlike e.g.
web (HTTPS) where DNS etc. is used to check things match.

it's usually a quite basic/overlooked thing that causes these initial
issues.....then you just carry on and forget about the issue until
something similar hits you the next time you create a server ;-)

alan


