Re: EAP-TLS: limiting client certs to a select group
On Wed, 16 Mar 2005 00:27:03 -0600, Jon Franklin <[EMAIL PROTECTED]> wrote:
> On Wed, 16 Mar 2005 00:09:09 -0600, David Duchscher <[EMAIL PROTECTED]> wrote:
> > I am a little behind you at the moment so really hoping this helps you.
> >
> > Have you set CA_path in the configuration file to point somewhere else?
> > From the code, it looks like CA_path is set to default if you don't
> > set it in the configuration file.
>
> I haven't. I may have misunderstood the comments in the eap.conf
> file, but my take on it was that CA_path is used for CRL checking. So
> the only time I had that variable set to something meaningful was when
> I also set check_crl = yes. And that caused all client certificate
> validation to die horribly.
>
> I'll definitely check it out tomorrow, though, and post here with the results.

Looks like this was exactly what I needed. I set CA_path to the directory where my CA cert is, and only certificates issued by my local CA are accepted. Here's that portion of the eap.conf:

    tls {
        private_key_password = dont-you-wish
        private_key_file = ${raddbdir}/certs/radiusSrvprivkey.pem
        certificate_file = ${raddbdir}/certs/radiusSrvprivkey.pem
        CA_file = ${raddbdir}/certs/demoCA/radiusRootcert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
        CA_path = ${raddbdir}/certs/demoCA
        #check_crl = no
        check_cert_cn = %{User-Name}
    }

Thank you so much for the tip!

--
Jon Franklin
[EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
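The trust decision discussed in this thread is not made by FreeRADIUS itself: the eap.conf settings CA_file and CA_path are handed to OpenSSL, which then verifies the supplicant's certificate chain. The script below is an added example, not code from the thread or from the FreeRADIUS project, that reproduces that decision with the plain openssl CLI so the effect of each setting can be seen in isolation. It creates a throwaway local CA, a second CA standing in for a public one such as the Thawte root in the thread, one client certificate issued by each, and then verifies both clients against (a) a single CA file, as CA_file does, (b) a directory of hash-named CA certificates, as CA_path does, and (c) a bundle that contains both CAs, which is the ca-bundle.crt situation Jon ran into. All names, subjects and paths (alice, stranger, demoCA, the "(demo)" CA subjects) are made up for the demo, and the -no-CAfile/-no-CApath switches assume an OpenSSL 1.1.0 or later command line.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from FreeRADIUS: show
# with the openssl CLI how CA_file, CA_path and the system CA bundle change
# which EAP-TLS client certificates verify. Every name below is invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed CA certificate plus key (-subj avoids the interactive prompts).
make_ca() {            # $1 = name, $2 = subject
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 7 -sha256 \
        -keyout "$1.key" -out "$1.pem" -subj "$2" >/dev/null 2>&1
}

# End-entity (client) certificate issued by the named CA.
make_client() {        # $1 = name, $2 = issuing CA name, $3 = subject
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1.csr" -subj "$3" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -days 7 -sha256 -out "$1.pem" >/dev/null 2>&1
}

# What CA_file does: trust exactly the roots in this one file. -no-CAfile and
# -no-CApath stop OpenSSL from also consulting its compiled-in default store
# (the /usr/share/ssl/certs/ca-bundle.crt analogue). Exit 0 = chain verified.
verify_with_file() {   # $1 = cert to check, $2 = CA file
    openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# What CA_path does: a directory OpenSSL searches by subject-name hash, so the
# CA cert must be reachable as <hash>.0 (a CRL for it would be <hash>.r0).
verify_with_path() {   # $1 = cert to check, $2 = CA directory
    openssl verify -no-CAfile -no-CApath -CApath "$2" "$1" >/dev/null 2>&1
}

# The comparison behind check_cert_cn: extract the CN from the client cert so
# it can be matched against the User-Name the supplicant sent.
cert_cn() {            # $1 = cert
    openssl x509 -noout -subject -nameopt sep_multiline -in "$1" \
        | sed -n 's/^ *CN=//p'
}

# --- build the demo material (all invented) --------------------------------
make_ca local  "/CN=radiusRoot (demo)"        # the CA you control
make_ca public "/CN=Some Public CA (demo)"    # stands in for a public CA
make_client alice    local  "/CN=alice"       # issued by your CA
make_client stranger public "/CN=stranger"    # issued by the other CA

mkdir demoCA                                  # CA_path-style directory
ln -s "$PWD/local.pem" \
    "demoCA/$(openssl x509 -noout -subject_hash -in local.pem).0"

cat local.pem public.pem > ca-bundle.crt      # stands in for the system bundle

# --- show the outcomes ------------------------------------------------------
report() {             # $1 = label, remaining args = command to run
    label=$1; shift
    if "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}
report "alice    vs CA_file=local.pem      " verify_with_file alice.pem local.pem
report "stranger vs CA_file=local.pem      " verify_with_file stranger.pem local.pem
report "alice    vs CA_path=demoCA         " verify_with_path alice.pem demoCA
report "stranger vs CA_path=demoCA         " verify_with_path stranger.pem demoCA
report "stranger vs system-style ca-bundle " verify_with_file stranger.pem ca-bundle.crt
echo "CN presented by alice's cert: $(cert_cn alice.pem)"
```

Two things the run makes visible. First, the stranger's certificate is perfectly valid; it is only rejected when the trust store is narrowed to the CA you control, which is why a server that falls back to the distribution's CA bundle accepts any certificate from any public CA. Second, a CA_path directory is only useful when the files in it carry the subject-hash names OpenSSL looks up (c_rehash, or the symlink above, produces them), and once CRL checking is turned on OpenSSL also expects a <hash>.r0 CRL file for each CA in the chain, failing every verification with "unable to get certificate CRL" when none is present.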
Re: EAP-TLS: limiting client certs to a select group
On Wed, 16 Mar 2005 00:09:09 -0600, David Duchscher <[EMAIL PROTECTED]> wrote:
> I am a little behind you at the moment so really hoping this helps you.
>
> Have you set CA_path in the configuration file to point somewhere else?
> From the code, it looks like CA_path is set to default if you don't
> set it in the configuration file.

I haven't. I may have misunderstood the comments in the eap.conf file, but my take on it was that CA_path is used for CRL checking. So the only time I had that variable set to something meaningful was when I also set check_crl = yes. And that caused all client certificate validation to die horribly.

I'll definitely check it out tomorrow, though, and post here with the results.

--
Jon Franklin
[EMAIL PROTECTED]
Re: EAP-TLS: limiting client certs to a select group
On Tue, 15 Mar 2005 18:59:02 -0500, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Jon Franklin <[EMAIL PROTECTED]> wrote:
> > On a follow-up to this, I found that the certificate I was using
> > (Thawte Freemail Member) was being validated against a set of root
> > certs in /usr/share/ssl/certs/ca-bundle.crt (I'm using Fedora Core 3,
> > btw).
>
> There's probably some global OpenSSL config somewhere

Does anyone here use EAP-TLS? How are you limiting the client certificates that freeradius will allow through? I guess if I can have a whitelist of clients in an SQL database (or something to that effect) that can be checked _after_ EAP-TLS does its thing, that would work... Would it?

I can't be the first person to have stumbled over this problem, can I?

--
Jon Franklin
[EMAIL PROTECTED]
Re: EAP-TLS: limiting client certs to a select group
On Tue, 15 Mar 2005 13:40:18 -0600, Jon Franklin <[EMAIL PROTECTED]> wrote:
> On Tue, 15 Mar 2005 14:00:08 +0100, Michael Riviera <[EMAIL PROTECTED]> wrote:
> > Jon Franklin wrote:

On a follow-up to this, I found that the certificate I was using (Thawte Freemail Member) was being validated against a set of root certs in /usr/share/ssl/certs/ca-bundle.crt (I'm using Fedora Core 3, btw). If I remove that file, only the certificates issued by the CA listed in the file specified by CA_file in radiusd.conf are allowed by freeradius. So I'm getting much closer to a solution.

I don't want to get rid of all the CA certs in /usr/share/ssl, and only want freeradius to use the root cert I specify in the CA_file line. Can anyone tell me how that's done? Or is it even possible?

--
Jon Franklin
[EMAIL PROTECTED]
Re: EAP-TTLS
On Tue, 15 Mar 2005 07:23:34 -0800 (PST), Lou Moore <[EMAIL PROTECTED]> wrote:
> Can someone tell me what the error in SSLv3 read
> client certificate below means? Thanks
>
> TLS_accept: SSLv3 write server done A
> TLS_accept: SSLv3 flush data
> TLS_accept:error in SSLv3 read client certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> eaptls_process returned 13
> modcall[authenticate]: module "eap" returns handled for request 67

A similar error appears in the EAP/TLS on XP Howto:
http://3w.denobula.com:5/EAPTLS.html#_Toc32340179

Here's the output shown in that document:

    TLS_accept: SSLv3 write certificate request A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
    rlm_eap_tls: SSL_read Error
    Error code is . 2
    SSL Error . 2
    In SSL Handshake Phase
    In SSL Accept mode
    modcall[authenticate]: module "eap" returns ok
    modcall: group authenticate returns ok
    Login OK: [KEN/] (from client 192.168.123.2 port 29 cli 000625039e69)

Not sure if this helps, though...

--
Jon Franklin
[EMAIL PROTECTED]
Re: EAP-TLS: limiting client certs to a select group
I tried using my own hand-generated SSL certs, as well as a set generated by the certs.sh script, and get the same type of problem.

Question: if the CA_file certificate contains a private key, would this cause my problem? I don't think it has one, but can't say with certainty until I get in to work tomorrow and check it out.

One clue I've been seeing is if I set check_crl = yes, no certificate gets validated at all; set it to "no" and any client cert will allow the client into my network.

Thanks!

On Tue, 15 Mar 2005 00:21:19 +0100, Michael Riviera <[EMAIL PROTECTED]> wrote:
> Use this in eap.conf:
>
>     CA_file = /path/to/certs/ca-cert.pem
>
> ca-cert.pem should contain the certificate, but not private key, of your CA.
>
> Michael
>
> Jon Franklin wrote:
> > I've managed to get freeradius 1.0.1 working with EAP-TTLS, PEAP, and
> > TLS (mostly), but I found that with EAP-TLS, I can use any client
> > certificate I want, and freeradius will allow the client through.
> > This presents a major security hole in my configuration, and I can't
> > seem to figure out how to lock it down.
> >
> > Is there a way to configure freeradius to only accept client certs
> > issued by a specific CA? Either that or only allow a specific set of
> > certs (say, copies of the certs in a directory, for example), either
> > way would be fine for my purposes.

--
Jon Franklin
[EMAIL PROTECTED]
EAP-TLS: limiting client certs to a select group
I've managed to get freeradius 1.0.1 working with EAP-TTLS, PEAP, and TLS (mostly), but I found that with EAP-TLS, I can use any client certificate I want, and freeradius will allow the client through. This presents a major security hole in my configuration, and I can't seem to figure out how to lock it down.

Is there a way to configure freeradius to only accept client certs issued by a specific CA? Either that or only allow a specific set of certs (say, copies of the certs in a directory, for example), either way would be fine for my purposes.

--
Jon Franklin
[EMAIL PROTECTED]