Requesting guidance to understand all moving parts for RadSec + EAP-TLS
Dave Funk
dbfunk at engineering.uiowa.edu
Sun Apr 20 18:24:47 UTC 2025
What do you mean by:
'use for as anchor for the radius server certificate defined in certificate_file'
The radius server certificate pointed to by certificate_file (e.g. the thing you
got from "Let's Encrypt") does not need to contain an 'anchor CA' component.
The only thing it should contain is the actual server "leaf" cert and any
intermediate certs leading up to but not including the issuing root ("anchor"?)
CA certificate.
The clients that connect to your radius server should have their own local copy
of trusted CA certs that they use to validate your server's TTLS cert when they
connect to your server.
The ca_file (or ca_dir) should contain CA certs that were used to issue any
client TLS certs that you want to trust; it does not need to contain anything
else.
On Sun, 20 Apr 2025, Yoann Gini wrote:
> Following recommendations, I’m starting with the EAP-TLS config first.
>
> I have two questions.
>
> First, it seems that, in my understanding, the configuration key ca_file in mods-enabled/eap (Ubuntu) is both use for as anchor for the radius server certificate defined in certificate_file and as trusted authority for client authentication.
>
> Is there a way to use a different set here? My goal would be to use for the radius server a certificate from Let’s Encrypt, as any exposed Internet service (and to ease the server provisioning), and for the client authentication, my internal PKI.
>
> Is that doable? Or should I use only certificates from my PKI here?
>
>
> Then, I’m having some basic EAP-TLS setup that ends with the server side sending an Access-Challenge and no answer from the client. Network stack is UniFi network with a macOS client connected to the WiFi.
>
> Any recommendations for the troubleshooting steps needed when Access-Challenge is not answered?
>
>
> Here is the debug log
>
>
>
> (0) Received Access-Request Id 0 from <my_public_ip>:55641 to 172.31.4.143:1812 length 224
> (0) User-Name = "y"
> (0) NAS-IP-Address = 172.16.128.187
> (0) NAS-Identifier = "6ad79a4ae1df"
> (0) Called-Station-Id = "6A-D7-9A-4A-E1-DF:Test"
> (0) NAS-Port-Type = Wireless-802.11
> (0) Service-Type = Framed-User
> (0) Calling-Station-Id = "8A-6C-88-1D-26-16"
> (0) Connect-Info = "CONNECT 0Mbps 802.11a"
> (0) Acct-Session-Id = "E6820D4A4AE32164"
> (0) Acct-Multi-Session-Id = "B340C339DFD7F4B8"
> (0) Mobility-Domain-Id = 45825
> (0) WLAN-Pairwise-Cipher = 1027076
> (0) WLAN-Group-Cipher = 1027076
> (0) WLAN-AKM-Suite = 1027075
> (0) Filter-Id = "wpa-eap"
> (0) Framed-MTU = 1002
> (0) EAP-Message = 0x020100060179
> (0) Message-Authenticator = 0x2dc1e95d3c1a904277374839acf24474
> (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
> (0) authorize {
> (0) [preprocess] = ok
> (0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> (0) auth_log: --> /var/log/freeradius/radacct/<my_public_ip>/auth-detail-20250420
> (0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/<my_public_ip>/auth-detail-20250420
> (0) auth_log: EXPAND %t
> (0) auth_log: --> Sun Apr 20 16:52:55 2025
> (0) [auth_log] = ok
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "y", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0) [suffix] = noop
> (0) eap: Peer sent EAP Response (code 2) ID 1 length 6
> (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
> (0) [eap] = ok
> (0) } # authorize = ok
> (0) Found Auth-Type = eap
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0) authenticate {
> (0) eap: EXPAND %{Calling-Station-Id}
> (0) eap: --> 8A-6C-88-1D-26-16
> (0) eap: Peer sent packet with method EAP Identity (1)
> (0) eap: Calling submodule eap_tls to process data
> (0) eap_tls: (TLS) TLS -Initiating new session
> (0) eap_tls: (TLS) TLS - Setting verify mode to require certificate from client
> (0) eap: Sending EAP Request (code 1) ID 2 length 10
> (0) eap: EAP session adding &reply:State = 0xbf9ac2b0bf98cffa
> (0) [eap] = handled
> (0) } # authenticate = handled
> (0) Using Post-Auth-Type Challenge
> (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (0) Post-Auth-Type Challenge {
> (0) policy remove_reply_message_if_eap {
> (0) if (&reply:EAP-Message && &reply:Reply-Message) {
> (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (0) else {
> (0) [noop] = noop
> (0) } # else = noop
> (0) } # policy remove_reply_message_if_eap = noop
> (0) attr_filter.access_challenge: EXPAND %{User-Name}
> (0) attr_filter.access_challenge: --> y
> (0) attr_filter.access_challenge: Matched entry DEFAULT at line 12
> (0) [attr_filter.access_challenge.post-auth] = updated
> (0) } # Post-Auth-Type Challenge = updated
> (0) session-state: Saving cached attributes
> (0) Framed-MTU = 1002
> (0) Sent Access-Challenge Id 0 from 172.31.4.143:1812 to <my_public_ip>:55641 length 68
> (0) EAP-Message = 0x0102000a0da000000000
> (0) Message-Authenticator = 0x00000000000000000000000000000000
> (0) State = 0xbf9ac2b0bf98cffac710c0c9c10466bb
> (0) Finished request
> Waking up in 4.9 seconds.
>
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{