Freeradius-Users Digest, Vol 205, Issue 1

thyde rndstudio.com thyde at rndstudio.com
Sun May 1 15:27:02 UTC 2022


Alan -  thank you; that was the same path I was (kind of) working down (although I didn't show the explicit example), and it was giving me the unable to load module errors. From your example it dawned on me since I had used hyphens in the file and module names, perhaps the interpreter was being confused, so I used the "eap2" example to start more simply, but still get the same error:

/etc/freeradius/3.0/mods-enabled/eap2[2]: Failed to link to module 'rlm_eap2': /usr/lib/freeradius/rlm_eap2.so: cannot open shared object file: No such file or directory

(TL/DR: it's not the hyphens, it was contradictory information on how to replicate module sections from the documentation and past list info; additionally, avoid the use of the word "replicate" when searching documentation - that's a whole different beast. I will admit to the fact that putting "copy module" into the wiki for FR does return a single result and that information is relevant, but only AFTER you already know the solution; it's for OTP specifically, not generic.)

I did get this going with the nudge given by Alan, but for those watching:

It took a little more digging to get details, these helped me get more insight: https://lists.freeradius.org/pipermail/freeradius-users/2017-April/087371.html and https://fossies.org/linux/freeradius-server/raddb/mods-available/README.rst

If you find some search results that illustrate to copy the eap "module" and rename sections of it - don't copy the FILE as those instructions infer!

Copy the eap SECTION inside of mods-available/eap while still INSIDE of eap file, with renaming.
such as in mods-available/eap:
eap {
... }

eap SSID-A {
...}


And as the posts above indicate, in your sites-enabled/default (or whatever your actual server is) be sure to place a reference in the authenticate section as well as your actual call (Remember I'm doing EAP-TLS, so):
 if (Eap-Message) {

         # EAP-TLS with certificate, no u/p, no mac filter
         if (Aruba-Essid-Name == "mySSID-A") {
                 SSID-A
         }
 ...etc...

and further on:

authenticate {
 ...
         Auth-Type eap {
                 eap {
                 ...}
         }
         Auth-Type SSID-A {
                 SSID-A {
                 ...}
         }
 ...
}


Noting also that the hyphens in file and module names do not currently upset the interpreter.

Many thanks,
Ted.
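A complete worked version of the layout Ted describes (two instances of the stock rlm_eap, each with its own server certificate and CA, selected per SSID in the virtual server), written here as an added example; it is not code from the list posts or from the FreeRADIUS project. The instance names SSID-A/SSID-B and Auth-Type sections follow the thread; the file names under ${certdir}/${cadir}, the SSID strings "mySSID-A"/"mySSID-B", the tls-config names and the MAC address are assumed placeholders. Aruba-Essid-Name is kept from the thread; on other NAS vendors the SSID usually arrives as the suffix of Called-Station-Id instead.

```unlang
# --- mods-available/eap (added example; two instances of the stock rlm_eap) ---
# The word after "eap" is the instance name. Both instances load the same
# compiled rlm_eap.so, so no per-instance .so is needed. File names under
# ${certdir}/${cadir} and the tls-config names are assumed placeholders.

eap SSID-A {
	default_eap_type = tls
	timer_expire = 60
	ignore_unknown_eap_types = no
	max_sessions = ${max_requests}

	tls-config tls-ssid-a {
		private_key_file = ${certdir}/server-ssid-a.pem
		certificate_file = ${certdir}/server-ssid-a.pem
		# Trust ONLY the issuer of SSID-A's client certificate. If ClientCertB
		# chains to a CA listed here, this instance will accept it as well.
		ca_file = ${cadir}/ca-ssid-a.pem
		dh_file = ${certdir}/dh
		cipher_list = "DEFAULT"
		cache {
			enable = no
		}
	}

	tls {
		tls = tls-ssid-a
	}
}

eap SSID-B {
	default_eap_type = tls
	timer_expire = 60
	ignore_unknown_eap_types = no
	max_sessions = ${max_requests}

	tls-config tls-ssid-b {
		private_key_file = ${certdir}/server-ssid-b.pem
		certificate_file = ${certdir}/server-ssid-b.pem
		# Trust ONLY the issuer of SSID-B's client certificate.
		ca_file = ${cadir}/ca-ssid-b.pem
		dh_file = ${certdir}/dh
		cipher_list = "DEFAULT"
		cache {
			enable = no
		}
	}

	tls {
		tls = tls-ssid-b
	}
}

# --- sites-enabled/default (added example; only the relevant sections) ---
authorize {
	if (EAP-Message) {
		# SSID-A: EAP-TLS only, no MAC gate.
		if (Aruba-Essid-Name == "mySSID-A") {
			SSID-A
		}
		# SSID-B: EAP-TLS with a MAC allow-list in front of it.
		elsif (Aruba-Essid-Name == "mySSID-B") {
			if (Calling-Station-Id == "aabbccddeeff") {
				SSID-B
			}
			else {
				reject
			}
		}
		# Any other SSID: reject explicitly instead of silently running
		# no eap instance at all.
		else {
			reject
		}
	}
}

authenticate {
	# Each rlm_eap instance sets Auth-Type to its own instance name when it
	# runs in authorize, so each one needs a matching Auth-Type section here.
	Auth-Type SSID-A {
		SSID-A
	}
	Auth-Type SSID-B {
		SSID-B
	}
}
```

Validate the result with `radiusd -XC` (check configuration and exit) before restarting, then watch `radiusd -X` during a test association to confirm that the expected instance name appears in the Auth-Type and that the other instance is never entered. The "ClientCertB on SSID-A must fail" requirement holds only because tls-ssid-a's ca_file trusts a different issuer than tls-ssid-b's: if both client certificates chain to the same CA, the two instances cannot tell them apart, and the distinction has to be made on a certificate attribute instead (for example in the certificate-checking virtual server that tls-config can reference via virtual_server), which is the cert-property route the original question was hoping to avoid.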
________________________________
From: Freeradius-Users <freeradius-users-bounces+thyde=rndstudio.com at lists.freeradius.org> on behalf of freeradius-users-request at lists.freeradius.org <freeradius-users-request at lists.freeradius.org>
Sent: Sunday, May 1, 2022 8:00 AM
To: freeradius-users at lists.freeradius.org <freeradius-users at lists.freeradius.org>
Subject: Freeradius-Users Digest, Vol 205, Issue 1

Today's Topics:

   1. EAP-TLS separate client cert per ssid FR v3.0.17
      (thyde rndstudio.com)
   2. Re: EAP-TLS separate client cert per ssid FR v3.0.17 (Alan Buxey)


----------------------------------------------------------------------

Message: 1
Date: Sat, 30 Apr 2022 14:02:36 +0000
From: thyde rndstudio.com <thyde at rndstudio.com>
To: "freeradius-users at lists.freeradius.org"
        <freeradius-users at lists.freeradius.org>
Subject: EAP-TLS separate client cert per ssid FR v3.0.17
Message-ID:
        <SJ0PR19MB442956C3357B75B8EDD1D809B9FF9 at SJ0PR19MB4429.namprd19.prod.outlook.com>

Content-Type: text/plain; charset="utf-8"

Good morning,
I've been using FR for a number of years, with some "approved" and some "less than approved" configuration edits, but mostly with straightforward single CA, single client cert, EAP-TLS configuration, which has been outstanding. I have other configs where I add in EAP-TTLS or do mac auth, however what I would like to try next is EAP-TLS with multiple SSIDs, where there is a single separate cert per SSID.

Please note that the certs will have different issue dates, and may change per freeradius instance, so chaining client certs into a single file and trying to attack some cert property is not the preferred path, unless it is the ONLY path. It would make cert management difficult to say the least.

I have reviewed documentation to the best of my ability, however a lot of the searching (including on netrad) turned up solutions that were for prior versions of FR, with results for FR2 being most popular. I also see a number of posts/responses that ask if it can be done, where the response is "yes lot of people do it" - but there is no actual instruction on how to do so. There are also snippets of earlier versions of FR3 prior to the "tls-common" update, and attempting those breaks my current version, as one would expect. (As noted in the subject, my FR version is 3.0.17.)

So far, I have tried to replicate the eap module (mods-enabled/eap -> renaming both file and module) with no success, as FR complains about my copied eap modules not being compiled (cannot find {name}.so). I fully understand where that is coming from; as a dev myself, I'm not really interested in re-writing the eap module source just to accommodate this particular forced practice, of which I'm sure Alan would agree (just getting that taken care of early in the conversation).

Is there an example doc that could illustrate how to "properly" instruct the eap module to test only ClientCertA against SSID-A and only ClientCertB against ClientCertB? A test of ClientCertB attempting to associate on SSID-A must? fail.

I would like to retain the ability to also pre-test mac auth on some SSIDs before eap as I currently do in my default site (ie in sites-enabled/default) Currently I test against SSID and mac in my site/server: (inside authorize)

 if (Eap-Message) {

         # EAP-TLS with certificate, no u/p, no mac filter.
         if (Aruba-Essid-Name == "ALANSFREEWIFI") {
                 eap
         }
         # EAP-TLS with certificate, no u/p, WITH mac filter.
         elsif (Aruba-Essid-Name == "ALANSPROTECTEDNETWORK") {
                 if (Calling-Station-Id == "aabbccddeeff") {
                         eap
                 }
         }
 etc...

and the eap module is currently stock aside from the certificate details; however in the above version, the same cert is on all clients - and that's not my optimal deployment choice.

Moving forward, should this test happen in the virt-server (ie in sites-enabled/default), or does the (mods-enabled/eap) get extended to test against the ssid and mac?

Kindest regards,
Ted.

------------------------------

Message: 2
Date: Sun, 1 May 2022 09:03:35 +0100
From: Alan Buxey <alan.buxey at gmail.com>
To: FreeRadius users mailing list
        <freeradius-users at lists.freeradius.org>
Subject: Re: EAP-TLS separate client cert per ssid FR v3.0.17
Message-ID:
        <CAOVYXj_wfJzffbXooqK_C4yG1ym5s_dqMPVP8tkuEKZ_B26-9g at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Hi,

The easiest way is to just use unlang: change whichever ssid you want
to call eg 'eap2' instead of 'eap', and copy the current eap module
configuration file to a new eap2 configuration file and edit it so that
it's known as eap2. Then edit eap2 to provide/use new CA/cert/whatever

alan



------------------------------