Freeradius and OpenLDAP certificates

marki jm+freeradiususer at roth.lu
Tue Oct 3 14:38:46 UTC 2023


What do the logs say and what are you doing precisely?

If you use for instance EAP-TLS then the check is mutual and both client and server have to carry the corresponding CAs (incl. intermediate certs).

On October 3, 2023 4:34:36 PM GMT+02:00, Stefan Kania <stefan at kania-online.de> wrote:
>
>
>Am 03.10.23 um 16:12 schrieb Alan DeKok:
>> On Oct 3, 2023, at 10:05 AM, Stefan Kania <stefan at kania-online.de> wrote:
>>> I got Freeradius running with ldap-connection and Kerberos-authentication for searching the LDAP-tree.
>> 
>>    That's good.
>> 
>>> Authentication with radtest and a LDAP-user is working:
>> 
>>    That's good, but for future reference, you can't debug the server by looking at the client pass/fail output.  There's a lot more going on.
>> 
>>> Starting with OpenLDAP 2.5 you can create and manage user and host certificates with the overlay "autoca". You can copy your own CA and the key into OpenLDAP and then let OpenLDAP create the certificate and the key for users and hosts. The certificate will be stored in the attribute userCertificate;binary and the key in userPrivateKey;binary; the certificate is in DER format. I now would like to use the certificates from OpenLDAP for authentication.
>>> 
>>> How can I use certificates located in OpenLDAP for user- and host- authentication?
>> 
>>    FreeRADIUS only needs the CA cert.  It doesn't need access to LDAP for all of the client certs.
>> 
>>    So put the CA cert into the FreeRADIUS configuration, and everything should just work.
>
>That's what I did. I put the CA certificate and the key into the subdirectory certs/, and that is working :-). But now I would like to use client certificates instead of username+password. So both the server certificate and the client certificate are from the same CA. So the client sends its certificate to the RADIUS server, and the server checks whether the certificate belongs to the client or not and checks that the certificate is valid with the root certificate of my CA. Is this right?
>
>But what I'm looking for is how to configure FreeRADIUS to only use certificates and not username+password. Or did I understand this type of authentication totally wrong :-(
>
>Stefan
>> 
>>    Alan DeKok.
>> 
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
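An added example of the EAP-TLS-only setup the thread is asking about, written for this reply and not taken from the messages above or from FreeRADIUS's shipped raddb: a `mods-available/eap` fragment that offers only EAP-TLS, trusts the full CA chain (root plus intermediates) for client certificates, and ties the presented certificate to the EAP identity. File names under `${certdir}`, the chain and CRL file names and the issuer DN are assumptions.

```conf
# Added example (not from the thread, not FreeRADIUS's shipped config).
# ${certdir} is assumed to point at raddb/certs, as in the default radiusd.conf.
eap {
    # Only EAP-TLS is offered: there are no peap/ttls/md5/gtc subsections,
    # so a client that proposes a username+password method is rejected.
    default_eap_type = tls
    timer_expire     = 60
    ignore_unknown_eap_types = no
    max_sessions     = ${max_requests}

    tls-config tls-common {
        # Server identity: the host certificate and key issued by the CA.
        private_key_file  = ${certdir}/server.key
        certificate_file  = ${certdir}/server.pem

        # Trust anchor for client certificates: root CA plus every intermediate,
        # concatenated in one PEM file (assumed name). Only the public CA certs
        # belong here; the CA private key is not needed on the RADIUS server.
        ca_file           = ${certdir}/ca-chain.pem
        dh_file           = ${certdir}/dh

        tls_min_version   = "1.2"
        cipher_list       = "HIGH"

        # Bind the certificate to the identity the supplicant claims, so a
        # valid certificate for user A cannot be presented as user B, and
        # accept only certificates from the expected issuer (assumed DN).
        check_cert_cn     = %{User-Name}
        check_cert_issuer = "/CN=Example Corp CA"

        # Reject revoked client certificates; hashed CRL files live in ca_path.
        check_crl         = yes
        ca_path           = ${certdir}/crl
    }

    tls {
        tls = tls-common
    }
}
```

The client side (supplicant) needs the same CA chain to validate the server certificate, which is the mutual check described above; a user certificate exported in DER from OpenLDAP's userCertificate;binary has to be converted to PEM before most supplicants will load it.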

