I'm attempting to set up PEAPv0/EAP-TLS, which uses EAP-TLS as the inner authentication method within PEAP. Unlike EAP-TLS, PEAPv0/EAP-TLS sends the client certificate within the secure SSL tunnel, thus protecting the user's identity. While RFC-5216 suggests that EAP-TLS can optionally support a privacy mode in which the client certificate is pushed through the SSL tunnel, I've not found any way to enable this option. I have no particular interest in using PEAPv0/EAP-TLS other than the fact that I know it does what I want to accomplish. I would be perfectly happy to use EAP-TLS in privacy mode, or PEAPv0/MSCHAPv2 with a required client certificate. However, both these modes pass the client certificate in the clear.
Here's what my testing has shown:

- EAP-TLS: Works with both Windows XP Supplicant and Juniper Odyssey Access Client 4.8
- PEAPv0/EAP-MSCHAPv2: Works with both Windows XP Supplicant and Juniper Odyssey Access Client 4.8
- PEAPv0/EAP-MSCHAPv2 + Required Client Certificate: Works with Juniper Odyssey Access Client 4.8 (XP Supplicant doesn't support MSCHAPv2 + Certificate)
- PEAPv0/EAP-TLS: Fails on both supplicants

I don't think my TLS settings are improper, as both EAP-TLS and PEAPv0/MS-CHAPv2 + Client Certificate work fine. The debug logs show the client certificate verified properly. I've tried pretty much every combination of PEAP options, and after each permutation I forced a reauthentication so that I could analyze the packets in Wireshark. No combination of settings forced the client certificate through the SSL tunnel. I thought "use_tunneled_reply = yes" might help, but it did not.

I have pasted the relevant configuration settings below as well as a full log of the failure when I attempt to use PEAPv0/EAP-TLS. Other than default_eap_type = "tls" in the peap section, my settings are identical for PEAPv0/EAP-MSCHAPv2, which works fine. The failure log seems to suggest that "tls" is not a supported authentication mode within PEAP.

    [files] users: Matched entry DEFAULT at line 200
    ++[files] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] Found existing Auth-Type, not changing it.
    ++[pap] returns noop
    Found Auth-Type = EAP
    +- entering group authenticate {...}
    *rlm_eap: No EAP session matching the State variable.*
    *[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request*
    [eap] Failed in handler
    ++[eap] returns invalid
    Failed to authenticate the user.
    Login incorrect: [Jason Wittlin-Cohen] (from client Wireless port 0 via TLS tunnel)
    } # server inner-tunnel
    [peap] Got tunneled reply code 3
    [peap] Got tunneled reply RADIUS code 3
    [peap] Tunneled authentication was rejected.
    [peap] FAILURE

Full logs:

- PEAPv0/EAP-TLS Failure Log: http://pastebin.com/m900e269
- PEAPv0/MSCHAPv2 Success Log: http://pastebin.com/m16114697
- PEAPv0/MSCHAPv2+Cert Success Log: http://pastebin.com/m429d9c12
- EAP-TLS Success Log: http://pastebin.com/m2b1c62f4

Relevant Settings (from the debug output):

    eap {
        default_eap_type = "peap"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048
    }
    Module: Linked to sub-module rlm_eap_tls
    Module: Instantiating eap-tls
    tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 3072
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/etc/freeradius/certs/server_key.pem"
        certificate_file = "/etc/freeradius/certs/server_cert.pem"
        CA_file = "/etc/freeradius/certs/cacert.pem"
        dh_file = "/etc/freeradius/certs/dh3072.pem"
        random_file = "/etc/freeradius/certs/random"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "HIGH"
        make_cert_command = "/etc/freeradius/certs/bootstrap"
        cache {
            enable = no
        }
    }
    peap {
        default_eap_type = "tls"
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = no
        virtual_server = "inner-tunnel"
    }
    Module: Linked to sub-module rlm_eap_mschapv2
    Module: Instantiating eap-mschapv2
    mschapv2 {
        with_ntdomain_hack = no
    }
    modules mschap:
    Module: Instantiating mschap
    mschap {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = no
    }

Users:

    "DEFAULT" Cleartext-Password := "**************************************", EAP-TLS-Require-Client-Cert := Yes

Note: the *'s represent a 32-character randomly generated password.

Thanks in advance,
Jason

--
Jason Wittlin-Cohen
Yale Law School, Class of 2010
[EMAIL PROTECTED]
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
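The poster's test method was to capture each reauthentication in Wireshark and look for the client Certificate handshake message outside the TLS tunnel. The script below automates that check. It is an added example for this thread, not code from the original post or from FreeRADIUS, and it makes the following assumptions: the capture has already been reduced to the EAP payloads (the RADIUS/EAPOL framing is stripped), TLS 1.0-1.2 framing is in use (RFC 2246/5246, where the client certificate, if sent at all, precedes ChangeCipherSpec and is therefore readable without keys), and the sample packets at the bottom are constructed by hand with a placeholder certificate blob rather than taken from a real capture. EAP-TLS is type 13 and PEAP is type 25, per RFC 5216 and the PEAP draft; flag bits L/M/S follow RFC 5216 section 3.1.

```python
"""Detect a client Certificate handshake message sent outside the TLS tunnel.

Added example for the FreeRADIUS users thread above (not the poster's code and
not part of FreeRADIUS). Assumes TLS 1.0-1.2 framing and EAP packets with the
outer RADIUS/EAPOL layers already removed. Sample packets are constructed.
"""
from __future__ import annotations
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TLS, EAP_PEAP = 13, 25                       # EAP method types (RFC 5216, PEAP draft)
FLAG_LENGTH, FLAG_MORE, FLAG_START = 0x80, 0x40, 0x20   # RFC 5216 section 3.1 flag bits
TLS_CCS, TLS_HANDSHAKE, TLS_APPDATA = 20, 22, 23
HS_CERTIFICATE = 11
HS_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
            12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
            15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished"}


def parse_eap_tls(pkt: bytes) -> dict:
    """Split one EAP packet into its header fields and the TLS bytes it carries."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    eap_type, flags = pkt[4], pkt[5]
    if eap_type not in (EAP_TLS, EAP_PEAP):
        raise ValueError(f"EAP type {eap_type} is not EAP-TLS or PEAP")
    off = 6 + (4 if flags & FLAG_LENGTH else 0)   # 4-byte TLS length present only when L is set
    return {"code": code, "id": ident, "type": eap_type, "flags": flags, "tls": pkt[off:]}


def reassemble(packets) -> tuple[int, bytes]:
    """Join the fragments (M flag set on all but the last) of one EAP-TLS message."""
    parsed = [parse_eap_tls(p) for p in packets]
    method = parsed[0]["type"]
    if any(p["type"] != method for p in parsed):
        raise ValueError("mixed EAP methods in one message")
    return method, b"".join(p["tls"] for p in parsed)


def handshake_types_in_clear(tls: bytes) -> list[int]:
    """Return the TLS handshake message types readable without any keys.

    Parsing stops at the first ChangeCipherSpec: every record after it is
    encrypted, so a handshake message there is inside the tunnel.
    """
    seen, pending, off = [], b"", 0
    while off + 5 <= len(tls):
        ctype, _ver, rlen = struct.unpack("!BHH", tls[off:off + 5])
        body = tls[off + 5:off + 5 + rlen]
        if len(body) != rlen:
            raise ValueError("truncated TLS record")
        off += 5 + rlen
        if ctype == TLS_CCS:
            break
        if ctype != TLS_HANDSHAKE:
            continue
        pending += body                          # a handshake message may span records
        while len(pending) >= 4:
            hs_type, hs_len = pending[0], int.from_bytes(pending[1:4], "big")
            if len(pending) < 4 + hs_len:
                break
            seen.append(hs_type)
            pending = pending[4 + hs_len:]
    return seen


def client_certificate_exposed(packets) -> dict:
    """Report whether the client's Certificate message travels outside the tunnel."""
    method, tls = reassemble(packets)
    types = handshake_types_in_clear(tls)
    return {"method": "PEAP" if method == EAP_PEAP else "EAP-TLS",
            "cleartext_handshake": [HS_NAMES.get(t, str(t)) for t in types],
            "client_cert_in_clear": HS_CERTIFICATE in types}


# --- constructed samples (not from a real capture) ---
def _hs(hs_type, body):
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body

def _rec(ctype, body):
    return struct.pack("!BHH", ctype, 0x0301, len(body)) + body

def _eap(code, ident, etype, flags, tls, total=None):
    hdr = bytes([etype, flags])
    if flags & FLAG_LENGTH:
        hdr += struct.pack("!I", len(tls) if total is None else total)
    body = hdr + tls
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

FAKE_CERT = b"\x30\x82\x01\x00" + b"\x00" * 256   # placeholder blob, not a real certificate

# Plain EAP-TLS client flight: Certificate + ClientKeyExchange, CertificateVerify,
# ChangeCipherSpec, then an encrypted Finished that we cannot (and do not) parse.
CLIENT_TLS = (_rec(TLS_HANDSHAKE, _hs(HS_CERTIFICATE, FAKE_CERT) + _hs(16, b"\x00\x20" + b"\x11" * 32))
              + _rec(TLS_HANDSHAKE, _hs(15, b"\x00\x10" + b"\x22" * 16))
              + _rec(TLS_CCS, b"\x01")
              + _rec(TLS_HANDSHAKE, b"\x99" * 40))
SPLIT = 200                                       # fragment boundary falls inside a record
SAMPLE_FRAGMENTS = [
    _eap(EAP_RESPONSE, 7, EAP_TLS, FLAG_LENGTH | FLAG_MORE, CLIENT_TLS[:SPLIT], len(CLIENT_TLS)),
    _eap(EAP_RESPONSE, 8, EAP_TLS, 0, CLIENT_TLS[SPLIT:]),
]

# PEAPv0 outer flight with no client certificate: anything sent after the
# handshake (inner EAP) rides in application-data records, opaque to the wire.
PEAP_TLS = (_rec(TLS_HANDSHAKE, _hs(16, b"\x00\x20" + b"\x11" * 32))
            + _rec(TLS_CCS, b"\x01")
            + _rec(TLS_HANDSHAKE, b"\x99" * 40)
            + _rec(TLS_APPDATA, b"\x55" * 64))
PEAP_SAMPLE = [_eap(EAP_RESPONSE, 9, EAP_PEAP, 0, PEAP_TLS)]   # flags low bits 0 = PEAPv0

if __name__ == "__main__":
    print(client_certificate_exposed(SAMPLE_FRAGMENTS))
    print(client_certificate_exposed(PEAP_SAMPLE))
```

Run against a real capture, feed it the EAP payloads of one direction (client responses) in order; the L/M flag handling reassembles a message fragmented by fragment_size. Applied to the poster's captures, "client_cert_in_clear" would be true for EAP-TLS and for PEAP with a required client certificate, and a working PEAPv0/EAP-TLS exchange would show only application-data records after the outer handshake, with the certificate invisible.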