http://wiki.freeradius.org/EAP
You should be able to set ananymous as user name for outer tunnel EAP-TLS
negotiation on the supplicant and use EAP-TLS with identity hidden.
Ivan Kalik
Kalik Informatika ISP
Dana 9/12/2008, "Jason Wittlin-Cohen" <[EMAIL PROTECTED]> piše:
>I'm attempting to setup PEAPv0/EAP-TLS which uses EAP-TLS as the inner
>authentication method within PEAP. Unlike EAP-TLS, PEAPv0/EAP-TLS sends the
>client certificate within the secure SSL tunnel, thus protecting the user's
>identity. While RFC-5216 suggests that EAP-TLS can optionally support a
>privacy mode in which the client certificate is pushed through the SSL
>tunnel, I've not found any way to enable this option. I have no particual
>interest in using PEAPv0/EAP-TLS other than the fact that I know it does
>what I want to accomplish. I would be perfectly happy to use EAP-TLS in
>Privacy mode, or PEAPv0/MSCHAPv2 with a required client certificate.
>However, both these modes pass the client certificate in the clear.
>
>Here's what my testing has shown:
>
>EAP-TLS: Works with both Windows XP Supplicant and Juniper Odyssey Access
>Client 4.8
>PEAPv0/EAP-MSCHAPv2- Works with both Windows XP Supplicant and Juniper
>Odyssey Access Client 4.8
>PEAPv0/EAP-MSCHAPv2 + Requierd Client Certificate- Works with Juniper
>Odyssey Access Client 4.8 (XP Supplicant doesn't support MSCHAPv2 +
>Certificate)
>PEAPv0/EAP-TLS- Fails on both supplicants
>
>I don't think my TLS settings are improper, as both EAP-TLS and
>PEAPv0/MS-CHAPv2 + Client Certifciate work fine. The debug logs shows the
>client certificate verified properly.
>
>I've tried pretty much every combination of PEAP options, and after each
>permutation I forced a reauthentication so that I could analyze the packets
>in Wireshark. No combination of settings forced the client certificate
>through the SSL tunnel. I thought " use_tunneled_reply = yes" might
>help, but it did not.
>
>I have pasted the relevant configuration settings below as well as a full
>log of the failure when I attempt to use PEAPv0/EAP-TLS.
>The relevant settings: Other than "default_eap_type = "tls" my settings are
>identical for PEAPv0/EAP-MSCHAPv2 which works fine.
>
>The failure log seems to suggest that "tls" is not a supported
>authentication mode within PEAP.
>
>[files] users: Matched entry DEFAULT at line 200
>++[files] returns ok
>++[expiration] returns noop
>++[logintime] returns noop
>[pap] Found existing Auth-Type, not changing it.
>++[pap] returns noop
>Found Auth-Type = EAP
>+- entering group authenticate {...}
>*rlm_eap: No EAP session matching the State variable.*
>*[eap] Either EAP-request timed out OR EAP-response to an unknown
>EAP-request*
>[eap] Failed in handler
>++[eap] returns invalid
>Failed to authenticate the user.
>Login incorrect: [Jason Wittlin-Cohen] (from client Wireless port 0 via TLS
>tunnel)
>} # server inner-tunnel
>[peap] Got tunneled reply code 3
>[peap] Got tunneled reply RADIUS code 3
>[peap] Tunneled authentication was rejected.
>[peap] FAILURE
>
>*PEAPv0/EAP-TLS Failure Log: *http://pastebin.com/m900e269
>*PEAPv0/MSCHAPv2 Success Log:* http://pastebin.com/m16114697
>*PEAPv.0/MSCHAPv2+Cert Success Log: *http://pastebin.com/m429d9c12
>*EAP-TLS Success Log:* http://pastebin.com/m2b1c62f4
>
>Relevant Settings:
>
> eap {
>
> default_eap_type = "peap"
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = no
> max_sessions = 2048
> }
> Module: Linked to sub-module rlm_eap_tls
> Module: Instantiating eap-tls
> tls {
> rsa_key_exchange = no
> dh_key_exchange = yes
> rsa_key_length = 512
> dh_key_length = 3072
> verify_depth = 0
> pem_file_type = yes
> private_key_file = "/etc/freeradius/certs/server_key.pem"
> certificate_file = "/etc/freeradius/certs/server_cert.pem"
> CA_file = "/etc/freeradius/certs/cacert.pem"
> dh_file = "/etc/freeradius/certs/dh3072.pem"
> random_file = "/etc/freeradius/certs/random"
> fragment_size = 1024
> include_length = yes
> check_crl = no
> cipher_list = "HIGH"
> make_cert_command = "/etc/freeradius/certs/bootstrap"
> cache {
> enable = no
>
> peap {
> default_eap_type = "tls"
> copy_request_to_tunnel = no
> use_tunneled_reply = yes
> proxy_tunneled_request_as_eap = no
> virtual_server = "inner-tunnel"
> }
>
> Module: Linked to sub-module rlm_eap_mschapv2
> Module: Instantiating eap-mschapv2
> mschapv2 {
> with_ntdomain_hack = no
>
>modules mschap:
>
> Module: Instantiating mschap
> mschap {
> use_mppe = yes
> require_encryption = yes
> require_strong = yes
> with_ntdomain_hack = no
> }
>
>Users:
>
>"DEFAULT" Cleartext-Password := "**************************************",
>EAP-TLS-Require-Client-Cert := Yes
>
>Note: (*'s represent a 32 character randomly generated password)
>
>Thanks in advance,
>
>Jason
>
>--
>Jason Wittlin-Cohen
>Yale Law School, Class of 2010
>[EMAIL PROTECTED]
>
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
