Re: EAP + SSL + Certificate chains

2013-09-23 Thread Trevor Jennings
Hey I wanted to say thanks for the tips! I convinced the peers that it was
not a good idea to allow auto certificate acceptance and to just have the
clients accept it when the new certificate went online.

Cheers,

 - Trevor



On Thu, Sep 12, 2013 at 3:46 PM, Brian Julin wrote:

> > Mathieu wrote:
> > At least from that side there is hope for improvements with Android 4.3
> > onwards there
> > are API calls for enterprise wireless configuration.
> >
> > Maybe "someone" steps up by making an application that can manage
> > profiles or something like this.
>
> That is promising, but I hope this does not become a case of
> "Oh, there's an app for that basic system function" versus it being in the
> core UI.  Because nobody will have it pre-installed.
>
> --
> Brian
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: EAP + SSL + Certificate chains

2013-09-12 Thread Brian Julin
> Mathieu wrote:
> At least from that side there is hope for improvements with Android 4.3
> onwards there
> are API calls for enterprise wireless configuration.
> 
> Maybe "someone" steps up by making an application that can manage
> profiles or something like this.

That is promising, but I hope this does not become a case of
"Oh, there's an app for that basic system function" versus it being in the
core UI.  Because nobody will have it pre-installed.

--
Brian


RE: EAP + SSL + Certificate chains

2013-09-12 Thread Brian Julin

> Trevor Jennings wrote:
>
> We are using freeradius with EAP/SSL and although it is working fine, I was
> wondering if there was a way to prevent the user from getting the prompt to
> accept the certificate? I have combined the intermediate and server
> certificates to one file and used that file in the 'certificate_file' config
> in eap.conf.
>
> On OSX, the certificates are marked as valid, including the root, intermediate
> and server, but still prompts the user to accept. Is there a way around this?

About the only way I can think of is to install a profile (.mobileconfig) which
pre-approves the use of that certificate authority.  Reason being, if you just
accept any old certificate authority any compromised certificate will work, and
on newer OSX/iOS the only way to check the certificate subject for the name
of your RADIUS server, which is a better option for patching the hole, is to
install a profile, anyway.  So really, this means without prompting the user, any
stolen key for any unrevoked certificate from any CA in that entire list,
worldwide, could be used to launch a MITM attack and steal passwords or other
data.  This is not a particularly difficult object to get your hands on.

(Incidentally this is why many environments do not like having Android devices
on their wireless LANs since they don't have any such native options accessible
from the UI or even a decent way to distribute profiles.  Heck they don't even
fake it by making the first certificate they see sticky.  The first time warez
to perform an MITM on WPA2-Enterprise is packaged in a way that any old
script kiddie can use, there will be pain.)

--
Brian Julin
Network Administrator
Clark University


Re: EAP + SSL + Certificate chains

2013-09-12 Thread Mathieu Simon
2013/9/12 Brian Julin

> > Trevor Jennings wrote:
>
> [...]
>
> > On OSX, the certificates are marked as valid, including the root,
> > intermediate and server, but still prompts the user to accept. Is there a
> > way around this?
>
> About the only way I can think of is to install a profile (.mobileconfig)
> which pre-approves the use of that certificate authority.

If you want to make things all nice and green-looking for your end-users, look
into mobileconfig signing. TERENA has a good example of how to do this for eduroam:
https://confluence.terena.org/display/tcs/Sign+Apple+mobileconfig+files

> Reason being, if you just accept any old certificate authority any
> compromised certificate will work, and on newer OSX/iOS the only way to
> check the certificate subject for the name of your RADIUS server.

And as you mention OS X, yes, the same .mobileconfig for iOS will work for
OS X 10.7 onwards, which was a quite nice thing in my environment to know.


> [...]
>
> (Incidentally this is why many environments do not like having Android
> devices on their wireless LANs since they don't have any such native options
> accessible from the UI or even a decent way to distribute profiles.

At least from that side there is hope for improvements: with Android 4.3
onwards there are API calls for enterprise wireless configuration.

Maybe "someone" steps up by making an application that can manage profiles
or something like this.

> Heck they don't even fake it by making the first certificate they see
> sticky.

Worse... ;-)

It's up to the user to install the CA certificate on their own - even if that
is a public CA in Android, they can't select them otherwise (!). At least then
authentication stops if you put up a server certificate not signed by that
specified CA.

The only open source provisioning tool for Android (that I believe didn't
get much traction) is SU1X for Android, made by Swansea University for eduroam.

-- Mathieu

EAP + SSL + Certificate chains

2013-09-12 Thread Trevor Jennings
Hello,

 We are using freeradius with EAP/SSL and although it is working fine, I
was wondering if there was a way to prevent the user from getting the
prompt to accept the certificate? I have combined the intermediate and
server certificates to one file and used that file in the
'certificate_file' config in eap.conf.

On OSX, the certificates are marked as valid, including the root,
intermediate and server, but still prompts the user to accept. Is there a
way around this?

Cheers,

 - Trevor

Re: Intermediate SSL certificate

2013-08-26 Thread Mathieu Simon
Hi Matthew

2013/8/22 Matthew Ceroni

> I read that for FreeRadius just combine the cert with the intermediate
> cert into one file and then reference that in eap.conf:certificate_file.
>
> I have done that but clients are still failing certificate validation.

Honestly I also had some hassles with the certificate chain; now we
can configure clients to check both the CA as well as the certificate CN.

My experience was that I had to honor the certificate order and make sure
not to include unused intermediate certificates. That is: don't include a full
CA bundle from your CA, stay way below the 64k limit
(http://wiki.freeradius.org/guide/Certificate%20Compatibility).

I used OpenSSL to show both subject and issuer and go through the chain of
trust starting with the server certificate, which in my case was StartCom.
You'll need to know where you can download all root and intermediate
certificates from your issuing CA.

$ openssl x509 -noout -in mysignedservercert.pem -subject -issuer
 subject= 
 issuer= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA

After getting the Class 2 Primary Intermediate Server CA:
$ openssl x509 -noout -in sub.class2.server.ca.pem -subject -issuer
 subject= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
 issuer= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority

And finally we're up in the chain:
$ openssl x509 -noout -in ca.pem -subject -issuer
 subject= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 issuer= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority

# Build the cert bundle for freeradius
cat mysignedservercert.pem > myservercert-roots-bundled.pem
cat sub.class2.server.ca.pem >> myservercert-roots-bundled.pem
cat ca.pem >> myservercert-roots-bundled.pem

This resulted in an 8k file while StartSSL's CA bundle is 124k.

-- Mathieu
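
Mathieu's procedure above (walk subject/issuer upwards from the server certificate, bundle only the certificates on that path, stay well below 64k) as an added Python example; it is not code from the post or from the FreeRADIUS project. It takes the text that "openssl x509 -noout -in FILE -subject -issuer -enddate" prints for each file, orders the chain, lists the files a full CA bundle would add for nothing, and flags expired members; the StartCom names are from the post, while the leaf subject, dates and file sizes are constructed.

```python
"""Order and sanity-check a server certificate chain for FreeRADIUS' certificate_file.

Added example, not code from the mailing-list post or the FreeRADIUS project.
Input is the text that
    openssl x509 -noout -in FILE -subject -issuer -enddate
prints for each PEM file downloaded from the CA, plus the server certificate itself.
"""
from datetime import datetime, timezone

MAX_BUNDLE_BYTES = 64 * 1024  # FreeRADIUS wiki: stay well below 64k


def parse_x509_summary(text):
    """Extract subject, issuer and notAfter from the openssl output for one file."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)  # subject values contain '=' themselves
            fields[key.strip()] = value.strip()
    # openssl prints e.g. 'notAfter=Sep 12 15:46:00 2013 GMT'
    not_after = datetime.strptime(fields["notAfter"], "%b %d %H:%M:%S %Y %Z")
    return {
        "subject": fields["subject"],
        "issuer": fields["issuer"],
        "not_after": not_after.replace(tzinfo=timezone.utc),
    }


def order_chain(certs, leaf):
    """Return (files ordered leaf -> root, files not on that path). certs: {file: summary}."""
    by_subject = {}
    for name, cert in certs.items():
        if cert["subject"] in by_subject:
            raise ValueError(f"duplicate subject in {name} and {by_subject[cert['subject']]}")
        by_subject[cert["subject"]] = name
    chain = [leaf]
    while True:
        current = certs[chain[-1]]
        if current["issuer"] == current["subject"]:
            break  # self-signed root reached; the chain is complete
        parent = by_subject.get(current["issuer"])
        if parent is None:
            raise ValueError(f"no certificate in the set for issuer {current['issuer']}")
        if parent in chain:
            raise ValueError(f"issuer loop at {parent}")
        chain.append(parent)
    unused = sorted(set(certs) - set(chain))  # what a full CA bundle adds for nothing
    return chain, unused


def check_bundle(chain, certs, sizes, now):
    """List problems with the ordered bundle: total size over the limit, expired members."""
    problems = []
    total = sum(sizes[name] for name in chain)
    if total > MAX_BUNDLE_BYTES:
        problems.append(f"bundle is {total} bytes, over the {MAX_BUNDLE_BYTES} byte limit")
    for name in chain:
        if certs[name]["not_after"] <= now:
            problems.append(f"{name} expired {certs[name]['not_after']:%Y-%m-%d}")
    return problems


def fake_openssl_output(subject, issuer, not_after):
    """Constructed stand-in for what the openssl command above prints (old-style format)."""
    return f"subject= {subject}\nissuer= {issuer}\nnotAfter={not_after}\n"


# Constructed sample: the StartCom names from the post, a made-up leaf subject, made-up
# expiry dates and file sizes, and a Class 1 intermediate standing in for the unrelated
# certificates a full CA bundle would drag in.
STARTCOM = "/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN="
CLASS2 = STARTCOM + "StartCom Class 2 Primary Intermediate Server CA"
CLASS1 = STARTCOM + "StartCom Class 1 Primary Intermediate Server CA"
ROOT = STARTCOM + "StartCom Certification Authority"
SAMPLE_OUTPUT = {
    "mysignedservercert.pem": fake_openssl_output("/CN=radius.example.net", CLASS2,
                                                  "Aug 21 12:00:00 2015 GMT"),
    "sub.class2.server.ca.pem": fake_openssl_output(CLASS2, ROOT, "Oct 24 12:00:00 2017 GMT"),
    "sub.class1.server.ca.pem": fake_openssl_output(CLASS1, ROOT, "Oct 24 12:00:00 2017 GMT"),
    "ca.pem": fake_openssl_output(ROOT, ROOT, "Sep 17 12:00:00 2036 GMT"),
}
SAMPLE_SIZES = {"mysignedservercert.pem": 2300, "sub.class2.server.ca.pem": 2100,
                "sub.class1.server.ca.pem": 2100, "ca.pem": 1900}  # constructed byte counts


def run_sample(now_iso="2013-08-26T00:00:00+00:00"):
    """Order and check the sample as of the given time; returns (chain, unused, problems)."""
    certs = {name: parse_x509_summary(text) for name, text in SAMPLE_OUTPUT.items()}
    chain, unused = order_chain(certs, "mysignedservercert.pem")
    problems = check_bundle(chain, certs, SAMPLE_SIZES, datetime.fromisoformat(now_iso))
    return chain, unused, problems


if __name__ == "__main__":
    chain, unused, problems = run_sample()
    print("cat " + " ".join(chain) + " > myservercert-roots-bundled.pem")
    print("leave out:", ", ".join(unused) or "nothing")
    print("problems:", "; ".join(problems) or "none")
```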

Intermediate SSL certificate

2013-08-21 Thread Matthew Ceroni
I am having an issue with intermediate SSL certificate and clients
failing to validate the certificate.

When using intermediate certs in for instance Apache there is a
separate directive where you specify the intermediate certs. Then as
part of the SSL handshake those certs are sent along to the client.

I read that for FreeRadius just combine the cert with the intermediate
cert into one file and then reference that in
eap.conf:certificate_file.

I have done that but clients are still failing certificate validation.

Any help would be appreciated.

Thanks


RE: certificate expiration proble

2013-07-19 Thread stefan.paetow
Have you opened the certificates you believe to be the latest in something else
(like Windows perhaps) and checked that the expiry dates of these certificates
are correct?

And have you checked that your server's time is correct too?

Stefan


From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org
On Behalf Of Muhammad Nadeem
Sent: 19 July 2013 11:24
To: FreeRadius users mailing list
Subject: Re: certificate expiration proble

Thanks for your reply, but as I said the certificates are OK. Please see this log

[tls] --> User-Name = 0026826172C4@test_cpe.com
[tls] --> BUF-Name = wi-tribe Pakistan Certification Authority
[tls] --> subject = /C=PK/ST=Fedral Capital/L=Islamabad/O=wi-tribe Pakistan limited/OU=Network Operations/CN=wi-tribe Pakistan Certification Authority/emailAddress=pkwi...@pk.wi-tribe.com
[tls] --> issuer  = /C=PK/ST=Fedral Capital/L=Islamabad/O=wi-tribe Pakistan limited/OU=Network Operations/CN=wi-tribe Pakistan Certification Authority/emailAddress=pkwi...@pk.wi-tribe.com
[tls] --> verify return:1
--> verify error:num=10:certificate has expired
[tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_expired
TLS Alert write:fatal:certificate expired
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

thanks

On Fri, Jul 19, 2013 at 2:58 PM, a.l.m.bu...@lboro.ac.uk wrote:
Hi,

>I am trying to configure eap with some customized certificates, I have
>configured eap.config correctly.
>But I am getting the error of "certificate expired". Although i have the
>latest certificates.
certificate has expired. FreeRADIUS has no reason to lie.

check the startup output of 'radiusd -X' - look for when it loads the certs.
then use openssl to read those certs to see what the values are - server cert,
CA cert or client cert, whatever you're using, eg

openssl x509 -in server.pem -noout -text

alan



--
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University




Re: certificate expiration proble

2013-07-19 Thread Muhammad Nadeem
Thanks for your reply, but as I said the certificates are OK. Please see this log

[tls] --> User-Name = 0026826172C4@test_cpe.com
[tls] --> BUF-Name = wi-tribe Pakistan Certification Authority
[tls] --> subject = /C=PK/ST=Fedral Capital/L=Islamabad/O=wi-tribe Pakistan limited/OU=Network Operations/CN=wi-tribe Pakistan Certification Authority/emailAddress=pkwi...@pk.wi-tribe.com
[tls] --> issuer  = /C=PK/ST=Fedral Capital/L=Islamabad/O=wi-tribe Pakistan limited/OU=Network Operations/CN=wi-tribe Pakistan Certification Authority/emailAddress=pkwi...@pk.wi-tribe.com
[tls] --> verify return:1
--> verify error:num=10:certificate has expired
[tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_expired
TLS Alert write:fatal:certificate expired
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

thanks


On Fri, Jul 19, 2013 at 2:58 PM,  wrote:

> Hi,
>
> >I am trying to configure eap with some customized certificates, I have
> >configured eap.config correctly.
> >But I am getting the error of "certificate expired". Although i have
> the
> >latest certificates.
>
> certificate has expired. FreeRADIUS has no reason to lie.
>
> check the startup output of 'radiusd -X' - look for when it loads the
> certs. then use openssl to read those certs to see what the values are -
> server cert, CA cert or client cert, whatever you're using, eg
>
> openssl x509 -in server.pem -noout -text
>
> alan



-- 
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University

Re: certificate expiration proble

2013-07-19 Thread A . L . M . Buxey
Hi,

>I am trying to configure eap with some customized certificates, I have
>configured eap.config correctly. 
>But I am getting the error of "certificate expired". Although i have the
>latest certificates.

certificate has expired. FreeRADIUS has no reason to lie.

check the startup output of 'radiusd -X' - look for when it loads the certs.
then use openssl to read those certs to see what the values are - server cert,
CA cert or client cert, whatever you're using, eg

openssl x509 -in server.pem -noout -text

alan


RE: OCSP parsing in client certificate

2013-04-22 Thread Beltramini Francesco
Thanks for the explanation. 

I know that you didn't implement openssl :-), however, as I said, running it
manually openssl does say that there is OCSP information in the certificate.

[root@host ~]# openssl x509 -in beltraminif.cer -noout -ocspid -ocsp_uri
returns the correct value http://crl.ema.europa.eu/ocsp

Thanks,

F.



-Original Message-
From: freeradius-users-bounces+francesco.beltramini=ema.europa...@lists.freeradius.org
On Behalf Of Alan DeKok
Sent: 19 April 2013 18:31
To: FreeRadius users mailing list
Subject: Re: OCSP parsing in client certificate

Beltramini Francesco wrote:
> Ok I see what you mean. 
> However, in my first mail I've also specified that: 
> 
> openssl x509 -in beltraminif.cer -noout -ocspid -ocsp_uri returns 
> http://crl.ema.europa.eu/ocsp (which is the correct url)
> 
> Do you know what kind of parsing is radius asking to openssl ? 

  The normal OpenSSL certificate parsing.

  We didn't implement OpenSSL, and we don't know a lot about it.  If OpenSSL 
says there's no OCSP information in the certs, it's an OpenSSL issue.

  Alan DeKok.


Re: OCSP parsing in client certificate

2013-04-19 Thread Alan DeKok
Beltramini Francesco wrote:
> Ok I see what you mean. 
> However, in my first mail I've also specified that: 
> 
> openssl x509 -in beltraminif.cer -noout -ocspid -ocsp_uri 
> returns 
> http://crl.ema.europa.eu/ocsp (which is the correct url) 
> 
> Do you know what kind of parsing is radius asking to openssl ? 

  The normal OpenSSL certificate parsing.

  We didn't implement OpenSSL, and we don't know a lot about it.  If
OpenSSL says there's no OCSP information in the certs, it's an OpenSSL
issue.

  Alan DeKok.


RE: OCSP parsing in client certificate

2013-04-19 Thread Beltramini Francesco
Ok I see what you mean. 
However, in my first mail I've also specified that: 

openssl x509 -in beltraminif.cer -noout -ocspid -ocsp_uri 
returns 
http://crl.ema.europa.eu/ocsp (which is the correct url) 

Do you know what kind of parsing is radius asking to openssl ? 

Thanks, 

Francesco Beltramini


-Original Message-
From: freeradius-users-bounces+francesco.beltramini=ema.europa...@lists.freeradius.org
On Behalf Of Alan DeKok
Sent: 19 April 2013 13:04
To: FreeRadius users mailing list
Subject: Re: OCSP parsing in client certificate

Beltramini Francesco wrote:
> Alan: does the change log refer to certificates without the proper extensions 
> defined ? Because my situation is slightly different, the clients present a 
> certificate that does contain the OCSP properties. 

  See the debug log.  OpenSSL doesn't think so.  It was showing "(null)"
for the various OCSP fields.

  Alan DeKok.


Re: OCSP parsing in client certificate

2013-04-19 Thread Alan DeKok
Beltramini Francesco wrote:
> Alan: does the change log refer to certificates without the proper extensions 
> defined ? Because my situation is slightly different, the clients present a 
> certificate that does contain the OCSP properties. 

  See the debug log.  OpenSSL doesn't think so.  It was showing "(null)"
for the various OCSP fields.

  Alan DeKok.


Re: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords

2013-04-19 Thread Olivier Beytrison
On 19.04.2013 10:35, pramod kulkarni wrote:
> Thanks for the reply.
>  
> I am new to FreeRadius and doing analysis on how to remove The
> "identity" and "password" attributes of LDAP module in
> radiusd.config and still be able to authenticate and authorize LDAP users.

Is that really an issue for you? Set restrictive permissions on the file
so that only root and freeradius can read the admin credentials for the
ldap server. And do not let people log in as root. Everyone does that. It
works fine.

> Is there any other option/configuration to avoid usernames and plain
> text passwords in the module ldap of radiusd.conf for authenticating and
> authorizing users of LDAP database ?

AFAIK no.

> I tried EAP-TLS method but didn't get proper result,can I use LDAP as
> database for EAP-TLS method,as one of forum answers is no
>  http://freeradius.1045715.n5.nabble.com/EAP-TLS-LDAP-tt2750042.html#a2750045

That's something else. EAP-TLS is how the user authenticates to the
radius server, not how the radius server binds to the ldap server.

BUT you could do EAP-TLS without user/password (for the user) and check
the validity of the certificate against an LDAP server that allows
retrieving that information anonymously (removing the need to have
credentials written in the ldap module). But then it's your ldap server
that can leak information.

>  I would like to use a certificate (admin) to bind to the LDAP database
> using FreeRadius because admin has the authority to traverse the LDAP tree.

Not supported at the moment.

>  After binding using certificate i would like to  Authenticate different
> users of LDAP using "radclient.exe -d ..\etc\raddb -f radtest.txt -x -s
> 127.0.0.1 auth testing1"

This will work with radclient, which does PAP. This won't work with
wireless clients, which do EAP.

> if as per replies only LDAP simpile bind is possible ,how to compile
> OpenLDAP+SASL+FreeRadius on Windows only through cygwin ? or any other
> option

If you do PAP and want to authenticate against your ldap, the only
option is simple-bind at the moment. As usual, "Patches Welcome".
As for compiling on cygwin, I can't tell you if that's supported nor
working.

On a final note, people have been using ldap with credentials in a file
for ages. It's down to the security of the server and the filesystem
permission to ensure that only authorized users can access this file.

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords

2013-04-19 Thread pramod kulkarni
Thanks for the reply.

I am new to FreeRadius and doing analysis on how to remove The "identity"
and "password" attributes of LDAP module in radiusd.config and still be
able to authenticate and authorize LDAP users.

Is there any other option/configuration to avoid usernames and plain
text passwords in the module ldap of radiusd.conf for authenticating and
authorizing users of LDAP database ?

I tried the EAP-TLS method but didn't get a proper result. Can I use LDAP as
the database for the EAP-TLS method, as one of the forum answers says no:

http://freeradius.1045715.n5.nabble.com/EAP-TLS-LDAP-tt2750042.html#a2750045

 I would like to use a certificate (admin) to bind to the LDAP database
using FreeRadius because admin has the authority to traverse the LDAP tree.

 After binding using certificate i would like to  Authenticate different
users of LDAP using "radclient.exe -d ..\etc\raddb -f radtest.txt -x -s
127.0.0.1 auth testing1"

If, as per the replies, only LDAP simple bind is possible, how to compile
OpenLDAP+SASL+FreeRadius on Windows only through cygwin? Or any other
option?

Please advise me if I am wrong.
Waiting for your inputs.

Regards,
Pramod






On Wed, Apr 10, 2013 at 8:34 PM, Arran Cudbard-Bell <a.cudba...@freeradius.org> wrote:

> > There are other ways to establish the trust between radiusd and LDAP
> beside simple binds which do not involve passwords. All of these use SASL
> in some form. Unfortunately rlm_ldap does not support them. I know Alan
> rewrote rlm_ldap recently for the upcoming 3.0 version,
> > I don't know if SASL support was added or not. In any event this is an
> open source project and if you want this functionality then the usual
> mantra "Patches Welcome" applies.
>
> No it wasn't.
>
> -Arran
>
>
>

RE: OCSP parsing in client certificate

2013-04-19 Thread Beltramini Francesco
Thanks for your feedback. 
I don't think that override_cert_url = no works properly either, since the
ocsp extension in the client certificate is not parsed anyway.
Alan: does the change log refer to certificates without the proper extensions
defined? Because my situation is slightly different: the clients present a
certificate that does contain the OCSP properties.

Thanks and Regards,

Francesco Beltramini

-Original Message-
From: freeradius-users-bounces+francesco.beltramini=ema.europa...@lists.freeradius.org
On Behalf Of Matthew Newton
Sent: 16 April 2013 21:56
To: FreeRadius users mailing list
Subject: Re: OCSP parsing in client certificate

On Tue, Apr 16, 2013 at 04:30:18PM -0400, Alan DeKok wrote:
> Beltramini Francesco wrote:
> > but when I try to remove this feature and use the OCSP property 
> > extracted from the client certificate, the radiusd -X output is:
> > 
> > [tls] --> Starting OCSP Request
> > [ocsp] --> Responder URL = http://(null):(null)(null)
> 
>   From the v2.2.0 change log:
> 
>   * Skip OCSP if there's no host / port / url, with soft_fail

Hmm - I'm not sure if the override_cert_url = no code works correctly - I seem 
to remember I had problems with it, but I just set it to yes and forced the 
server anyway, as it seemed better than trusting the client-provided cert (our 
setup is private CA, so I know what the OCSP server is). I think I saw the same 
- that it wouldn't extract the URL from the cert, and just came back with 
(null)s. As usual, I just blamed OpenSSL and moved on.

If I get a chance, I'll try and check it again.

soft_fail will allow the auth to succeed in the event that there is no response 
(rather than a negative response) from the OCSP server - otherwise it "fails 
safe" and rejects the request. It's in case the OCSP server happens to be down 
for some reason.

>   Upgrade.

Always the right thing anyway :-)

Cheers,

Matthew


--
Matthew Newton, Ph.D. 

Systems Specialist, Infrastructure Services, I.T. Services, University of 
Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 


Re: OCSP parsing in client certificate

2013-04-16 Thread Matthew Newton
On Tue, Apr 16, 2013 at 04:30:18PM -0400, Alan DeKok wrote:
> Beltramini Francesco wrote:
> > but when I try to remove this feature and use the OCSP
> > property extracted from the client certificate, the radiusd -X
> > output is:
> > 
> > [tls] --> Starting OCSP Request
> > [ocsp] --> Responder URL = http://(null):(null)(null)
> 
>   From the v2.2.0 change log:
> 
>   * Skip OCSP if there's no host / port / url, with soft_fail

Hmm - I'm not sure if the override_cert_url = no code works
correctly - I seem to remember I had problems with it, but I just
set it to yes and forced the server anyway, as it seemed better
than trusting the client-provided cert (our setup is private CA,
so I know what the OCSP server is). I think I saw the same - that
it wouldn't extract the URL from the cert, and just came back with
(null)s. As usual, I just blamed OpenSSL and moved on.

If I get a chance, I'll try and check it again.

soft_fail will allow the auth to succeed in the event that there
is no response (rather than a negative response) from the OCSP
server - otherwise it "fails safe" and rejects the request. It's
in case the OCSP server happens to be down for some reason.

>   Upgrade.

Always the right thing anyway :-)

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 


Re: OCSP parsing in client certificate

2013-04-16 Thread Alan DeKok
Beltramini Francesco wrote:
> I have a small/big issue and I cannot find a good solution for that.
> Scenario: 
> iPhones with certificates from internal PKI, joining a Wi-Fi network 
> protected by WPA2-Enterprise authenticating against a Freeradius server v. 
> 2.1.12 (Redhat 6.3). 
...
> but when I try to remove this feature and use the OCSP property extracted 
> from the client certificate, the radiusd -X output is:
> 
> [tls] --> Starting OCSP Request
> [ocsp] --> Responder URL = http://(null):(null)(null)

  From the v2.2.0 change log:

* Skip OCSP if there's no host / port / url, with soft_fail

  Upgrade.

  Alan DeKok.


OCSP parsing in client certificate

2013-04-16 Thread Beltramini Francesco
Dear all, 

I have a small/big issue and I cannot find a good solution for that.
Scenario: 
iPhones with certificates from internal PKI, joining a Wi-Fi network protected
by WPA2-Enterprise authenticating against a Freeradius server v. 2.1.12 (Redhat
6.3). The radius server has as well an internal PKI certificate and the
authentication used is EAP-TLS.
No CRL/OCSP implementation on the first stage. Everything is working fine, the
mobile device is configured to accept the radius certificate and the peers can
therefore mutually authenticate each other.

I then configured a Microsoft OCSP array to implement client certificate status
checking on the radius server.
When "override_cert_url = yes" in the OCSP section in eap.conf is configured to
override the responder URL, everything is fine and radius gets correct
responses:

[tls] --> verify return:1
[tls] --> Starting OCSP Request
[ocsp] --> Responder URL = http://crl.ema.europa.eu:80/ocsp
[ocsp] --> Response status: successful
This Update: Apr 16 09:50:00 2013 GMT
Next Update: Apr 17 22:10:00 2013 GMT
[oscp] --> Cert status: good
[ocsp] --> Certificate is valid!
[tls] chain-depth=0,

but when I try to remove this feature and use the OCSP property extracted from 
the client certificate, the radiusd -X output is:

[tls] --> Starting OCSP Request
[ocsp] --> Responder URL = http://(null):(null)(null)
Error: Couldn't get OCSP response
[ocsp] --> Certificate has been expired/revoked!
[tls] chain-depth=0,
[tls] error=0

I don't know if the problem is the client certificate or how Radius parses it. If
this can help to understand, the output of:

openssl x509 -in beltraminif.cer -noout -ocspid -ocsp_uri > 
http://crl.ema.europa.eu/ocsp (which is the correct url) 

Any input is really appreciated. 

Regards,

Francesco Beltramini







Re: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords

2013-04-10 Thread Arran Cudbard-Bell
> There are other ways to establish the trust between radiusd and LDAP beside 
> simple binds which do not involve passwords. All of these use SASL in some 
> form. Unfortunately rlm_ldap does not support them. I know Alan rewrote 
> rlm_ldap recently for the upcoming 3.0 version,
> I don't know if SASL support was added or not. In any event this is an open 
> source project and if you want this functionality then the usual mantra 
> "Patches Welcome" applies.

No it wasn't.

-Arran





Re: Fwd: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords

2013-04-10 Thread John Dennis

On 04/10/2013 12:03 AM, pramod kulkarni wrote:

Thanks John for the reply.
can I use EAP-TLS method of authentication with LDAP as backend
datastore to check usernames and passwords.

> It would be like I bind to RADIUS server with EAP-TLS method using
> certificate and check usernames and passwords from LDAP server
> if yes on EAP-TLS can you please tell me how to configure EAP-TLS
> with LDAP as backend datastore.

This is a nonsensical question; EAP-TLS uses certificates. You do not 
yet understand some of the basics. You need to invest some time in 
learning what the authentication mechanisms are and how they 
operate; this is a good starting place.


http://deployingradius.com/documents/protocols/


Basically I want to avoid hardcoded usernames and passwords in raddb
of RADIUS server for authenticating users which I am doing currently.


What the configuration block in modules/ldap is setting up is how the 
radius server can communicate with the LDAP server in a peer-to-peer 
relationship. The LDAP server has to know who the radius server is and 
if it has permission to access other users passwords and password 
hashes. Therefore radiusd must authenticate to LDAP. This process is 
completely *independent* of any of the authentication protocols, it's 
merely establishing if radius can view certain data.


The way rlm_ldap is currently coded only simple binds (i.e. password 
based) are supported, therefore you must store a password in raddb. You 
are correct this is a security issue, however only root and the radius 
process should be able to read the file. On our systems we make sure the 
permissions and identities the processes run under assure this, if 
you've installed via some other mechanism it behooves you to assure the 
radius user and group are properly configured as well as the file 
permissions on the config files. And by the way, no, I won't tell you how 
to do this, it's system admin 101. I'm pretty sure the defaults assure 
this as well, but I haven't verified.


There are other ways to establish the trust between radiusd and LDAP 
beside simple binds which do not involve passwords. All of these use 
SASL in some form. Unfortunately rlm_ldap does not support them. I know 
Alan rewrote rlm_ldap recently for the upcoming 3.0 version, I don't 
know if SASL support was added or not. In any event this is an open 
source project and if you want this functionality then the usual mantra 
"Patches Welcome" applies.


Oh, and by the way just in case you're confused as to the TLS parameters 
in the ldap config, they have nothing to do with binding (i.e. 
authenticating radiusd to LDAP), their purpose is to establish a secure 
tunnel between radiusd and LDAP. You can request the tunnel only be 
established if certificate based authentication succeeds but a simple 
bind will still be performed inside the tunnel.


HTH,

John

--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
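The reply above makes two points a practitioner would want to check mechanically: the TLS options in the ldap module only protect the tunnel, so the simple-bind password still ends up at whatever LDAP server the tunnel terminates on unless the server certificate is actually verified, and the file holding that password must not be readable beyond root and the radius user. As an added example (not code from the thread or from FreeRADIUS), here is a small audit of an rlm_ldap configuration in the FreeRADIUS 2.x `raddb/modules/ldap` syntax plus a check of the file's mode. The sample config is constructed from the `ldap {}` block quoted in the thread; the hardened variant and its CA file path are assumed values, and the `demand` setting for `tls_require_cert` is the value that makes the ldap library reject an unverified server certificate.

```python
"""Audit an rlm_ldap module config for how radiusd authenticates to LDAP.
Added example; the findings codes and hardened paths are this example's own."""
import os
import stat
import tempfile

# Constructed from the ldap {} block quoted in the thread.
SAMPLE_LDAP_CONF = """\
ldap {
    server = "localhost"
    identity = "uid=admin,ou=CamUsers,dc=vmbox,dc=int"
    password = admin
    basedn = "ou=CamUsers,dc=vmbox,dc=int"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    start_tls = yes
    # tls_cacertfile = /path/to/cacert.pem
    tls_require_cert = "allow"
}
"""

# Assumed hardened variant: a CA to verify against (path is an assumption)
# and "demand" so that a server presenting an unverifiable cert is refused.
HARDENED_LDAP_CONF = SAMPLE_LDAP_CONF.replace(
    "    # tls_cacertfile = /path/to/cacert.pem\n",
    "    tls_cacertfile = /etc/raddb/certs/ldap-ca.pem\n",
).replace('tls_require_cert = "allow"', 'tls_require_cert = "demand"')


def parse_module_conf(text):
    """Flatten `key = value` lines into a dict. Comments, blank lines and
    the section braces are skipped; surrounding quotes are stripped.
    Good enough for the flat ldap {} block; values containing '#' would
    need a real parser."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line or line.endswith("{") or line == "}":
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        conf[key] = value.strip('"')
    return conf


def audit_ldap_conf(conf):
    """Return [(code, message)] findings about the bind path; [] is clean."""
    findings = []
    server = conf.get("server", "")
    tls_on = conf.get("start_tls", "no").lower() == "yes" or server.startswith("ldaps://")
    if "password" in conf and not tls_on:
        findings.append(("CLEARTEXT_BIND", "simple bind password is sent without TLS"))
    if tls_on:
        # 'allow' (and 'never'/'try') completes the tunnel even when the
        # server cert does not verify, so the bind password can go to an
        # impostor. Only 'demand'/'hard' make verification failure fatal.
        req = conf.get("tls_require_cert", "").lower()
        if req not in ("demand", "hard"):
            findings.append(("UNVERIFIED_SERVER",
                             f"tls_require_cert is {req or 'unset'!r}; set it to demand"))
        if "tls_cacertfile" not in conf and "tls_cacertdir" not in conf:
            findings.append(("NO_CA", "no tls_cacertfile/tls_cacertdir to verify the LDAP server"))
    return findings


def audit_file_mode(path):
    """Flag a config file readable by 'other'; the bind password lives in it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        return [("WORLD_READABLE",
                 f"{path} has mode {mode:04o}; expected 0640 owned by root and the radius group")]
    return []


def audit_file(path):
    """Parse and audit one module config file, including its permissions."""
    with open(path) as fh:
        conf = parse_module_conf(fh.read())
    return audit_ldap_conf(conf) + audit_file_mode(path)


def demo():
    """Write both samples to temp files with different modes and audit them.
    Returns {name: [finding codes]}."""
    results = {}
    for name, text, mode in (("weak", SAMPLE_LDAP_CONF, 0o644),
                             ("hardened", HARDENED_LDAP_CONF, 0o640)):
        with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
            fh.write(text)
            path = fh.name
        os.chmod(path, mode)
        results[name] = [code for code, _ in audit_file(path)]
        os.unlink(path)
    return results


if __name__ == "__main__":
    for name, codes in demo().items():
        print(name, codes or "clean")
```

Run against a real `raddb/modules/ldap` with `audit_file("/etc/raddb/modules/ldap")` (path per distribution). The mode check is the part the reply calls "system admin 101"; it is in the script because a password file that passes the TLS checks but is world-readable is still a credential leak.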


Re: Fwd: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords

2013-04-09 Thread pramod kulkarni
>
> Thanks John for the reply.
> can I use EAP-TLS method of authentication with LDAP as backend datastore
> to check usernames and passwords.
> It would be like I bind to RADIUS server with EAP-TLS method using
> certificate and check usernames and passwords from LDAP server
>  if yes on EAP-TLS can you please tell me how to configure EAP-TLS with
> LDAP as backend datastore.
> Basically I want to avoid hardcoded usernames and passwords in raddb of
> RADIUS server for authenticating users which I am doing currently.
>  ldap {
> server = "localhost"
> # identity = "cn=admin,o=My Org,c=UA"
> identity = "uid=admin,ou=CamUsers,dc=vmbox,dc=int"
> password = admin
> basedn = "ou=CamUsers,dc=vmbox,dc=int"
> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> # base_filter = "(objectclass=radiusprofile)"
> # set this to 'yes' to use TLS encrypted connections
> # to the LDAP database by using the StartTLS extended
> # operation.
> # The StartTLS operation is supposed to be used with normal
> # ldap connections instead of using ldaps (port 689) connections
> start_tls = yes
> # tls_cacertfile =
> C:/FreeRADIUS.net/etc/raddb/certs/FreeRADIUS.net/DemoCerts/cacert.pem
> # tls_cacertdir =
> C:/FreeRADIUS.net/etc/raddb/certs/FreeRADIUS.net/DemoCerts
> # tls_certfile =
> C:/FreeRADIUS.net/etc/raddb/certs/FreeRADIUS.net/DemoCerts/admin.pem
> # tls_keyfile =
> C:/FreeRADIUS.net/etc/raddb/certs/FreeRADIUS.net/DemoCerts/admin.pem
> # tls_randfile = /path/to/rnd
> tls_require_cert = "allow"
>  Waiting for your inputs
> Thanks and Regards,
> Pramod
>
>
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Fwd: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords

2013-04-09 Thread John Dennis

On 04/09/2013 03:44 AM, pramod kulkarni wrote:

Hi,
I am working on RADIUS with LDAP as backend for authenticating users.
I configured rlm_ldap on RADIUS server with username and plaintext
password and I am able to authenticate RADIUS client using LDAP.


There is a difference between using LDAP as a backend datastore (lookup 
passwords and password hashes after binding as a service) and using LDAP 
as a authentication oracle (binding as the user to determine if the user 
is authenticated depending on the bind result). From above it sounds 
like you've configured LDAP as a backend datastore.



But I want to configure RADIUS server with certificates instead of using
usernames and passwords.
Please guide me how to achieve this, is there any help/doc on how to
configure LDAP SASL bind for RADIUS Server.
Waiting for your inputs.
Thanks and Regards,


You can't with the current rlm_ldap module bind to the LDAP server with 
anything other than a (username, password) pair, either for lookups or 
for authentication testing (only ldap_connect and ldap_simple_bind are 
supported).


However, rlm_ldap does support SSL/TLS connections to the LDAP server 
and you can specify that you want the LDAP server to request a client 
cert when establishing the connection. But ultimately you're still doing 
a simple bind albeit in a secure tunnel. If you specify you want the 
LDAP server to require a client cert then you effectively have two 
simultaneous authentication mechanisms in play (TLS for the tunnel and 
simple auth inside the tunnel). Setting up TLS auth is straightforward 
(see the options in raddb/modules/ldap) *except* for the fact the ldap 
library routines to set the require cert option are buggy (rlm_ldap uses 
the wrong entry point which may not be supported and the openldap 
library also has bugs, I think we've now got all these fixed and patches 
sent upstream to openldap, but you should be aware there is a 
reasonable chance it won't work on your distribution unless you've got 
patched libraries).


Even if SASL binds were supported you wouldn't want to use SASL binds 
for user authentication (if that was what you were asking, it's not 
clear from your original post). For user authentication based on 
certificates you would use EAP-TLS.


A long time ago I had a patch for using SASL binds, but it was against 
the old 1.1.7 version of rlm_ldap and it only supported GSSAPI.


HTH,

John


--
John Dennis 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Fwd: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords

2013-04-09 Thread pramod kulkarni
Hi,
I am working on RADIUS with LDAP as backend for authenticating users.

I configured rlm_ldap on RADIUS server with username and plaintext password
and I am able to authenticate RADIUS client using LDAP.

But I want to configure RADIUS server with certificates instead of using
usernames and passwords.

Please guide me how to achieve this, is there any help/doc on how to configure
LDAP SASL bind for RADIUS Server.

Waiting for your inputs.


Thanks and Regards,
Pramod
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Real server certificate for PEAP

2013-04-03 Thread Phil Mayers

On 04/03/2013 05:32 AM, Muhammad Nuzaihan Kamal Luddin wrote:

Hi,

You will need to purchase a Unified Communications certificate from a
CA.


They don't all call it the same thing.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Real server certificate for PEAP

2013-04-02 Thread Muhammad Nuzaihan Kamal Luddin
Hi,

You will need to purchase a Unified Communications certificate from a
CA. 

To generate the CSR, here is the guide:

http://langui.sh/2009/02/27/creating-a-subjectaltname-sanucc-csr/

Regards,
Muhammad Nuzaihan Bin Kamal Luddin

On Tue, 2013-04-02 at 16:22 +0100, Phil Mayers wrote:
> On 02/04/2013 15:22, Rudolf Henze wrote:
> > Hi,
> > I am using freeradius 2.1.10 with a self-signed certificate with PEAP and
> > mschapv2 and LDAP authentication.
> > I've copied my CA certificate to all clients to be sure that I am using
> > really the right network and not a fake SSID.
> >
> > But this is a little inconvenient. Is it possible to use a "real"
> > certificate? What do I need to bear in mind for that?
> 
> Several things:
> 
> First, anyone can get certs from public CAs, so you should ensure that 
> your client is a) validating the server cert against the specific CA and 
> b) validating the cert CN. Otherwise you are vulnerable to SSID spoofing 
> and credential capture. Note that some platforms (Android?) can't 
> validate cert CN, so can't be made secure.
> 
> Second, your cert will need to have the right OIDs and such. If you want 
> it to be "hassle free" deployment, it'll need to be from a CA widely 
> trusted by your client base, and ideally one that's easy to identify - 
> specifically easy to pick from the "validate cert" list. Verisign have 
> been bad at this - they've got lots of certs with "friendly" names all 
> starting "VeriSign Class 3" which get truncated on narrow (mobile) 
> screens. Guess the cert!
> 
> Third, note that commercial CAs have a nasty habit of rotating their 
> intermediate and top-level certs far more often than you would expect. 
> We're in the irritating position of having a public cert (to avoid the 
> deployment nightmare of a private cert on >10k unmanaged devices) and 
> Verisign have just changed their root cert, despite it having 7 more 
> years to run. So, all of those clients now have to re-trust the cert.
> 
> Sigh. X.509 really is the pits... It's a shame the TLS-based EAP methods 
> are the only vaguely usable ones.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Real server certificate for PEAP

2013-04-02 Thread Phil Mayers

On 02/04/2013 15:22, Rudolf Henze wrote:

Hi,
I am using freeradius 2.1.10 with a self-signed certificate with PEAP and
mschapv2 and LDAP authentication.
I've copied my CA certificate to all clients to be sure that I am using
really the right network and not a fake SSID.

But this is a little inconvenient. Is it possible to use a "real"
certificate? What do I need to bear in mind for that?


Several things:

First, anyone can get certs from public CAs, so you should ensure that 
your client is a) validating the server cert against the specific CA and 
b) validating the cert CN. Otherwise you are vulnerable to SSID spoofing 
and credential capture. Note that some platforms (Android?) can't 
validate cert CN, so can't be made secure.


Second, your cert will need to have the right OIDs and such. If you want 
it to be "hassle free" deployment, it'll need to be from a CA widely 
trusted by your client base, and ideally one that's easy to identify - 
specifically easy to pick from the "validate cert" list. Verisign have 
been bad at this - they've got lots of certs with "friendly" names all 
starting "VeriSign Class 3" which get truncated on narrow (mobile) 
screens. Guess the cert!


Third, note that commercial CAs have a nasty habit of rotating their 
intermediate and top-level certs far more often than you would expect. 
We're in the irritating position of having a public cert (to avoid the 
deployment nightmare of a private cert on >10k unmanaged devices) and 
Verisign have just changed their root cert, despite it having 7 more 
years to run. So, all of those clients now have to re-trust the cert.


Sigh. X.509 really is the pits... It's a shame the TLS-based EAP methods 
are the only vaguely usable ones.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Real server certificate for PEAP

2013-04-02 Thread Alan Buxey
A self-signed is real. It's just that you are the CA...which actually gives you 
greater security and keeps your authentication under your own destiny control.

If you believe that having a RADIUS server signed by a CA that is in the OS of 
your clients is the way you want to go, then simply go and buy a cert from eg 
thawte, verisign etc.

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Real server certificate for PEAP

2013-04-02 Thread Rudolf Henze

Hi,

I am using freeradius 2.1.10 with a self-signed certificate with PEAP and mschapv2 and LDAP authentication.

I've copied my CA certificate to all clients to be sure that I am using really the right network and not a fake SSID.


But this is a little inconvenient. Is it possible to use a "real" certificate? What do I need to bear in mind for that?


Thanx in advance
 Rudolf

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Android certificate validation behavior

2013-03-18 Thread Brian Julin

Alan DeKok wrote:
>   I'd suggest putting up a web page explaining how you can steal android
> credentials via a malicious AP.  If you can get it to do TTLS + PAP for
> a random certificate, that's good for a CERT issue.  And they'll pay
> attention to that.

The FreeRADIUS-WPE patches have been out since at least 2008, but
I guess having something that specifically shows an Android yielding
up credentials might be more provocative, yes.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Android certificate validation behavior

2013-03-18 Thread A . L . M . Buxey
Hi,

>   I'd suggest putting up a web page explaining how you can steal android
> credentials via a malicious AP.  If you can get it to do TTLS + PAP for
> a random certificate, that's good for a CERT issue.  And they'll pay
> attention to that.

dont even need that. if it doesnt check/trust the certificate then
PEAP/MSCHAPv2 is also open and ready to be unpeeled. 

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Android certificate validation behavior

2013-03-18 Thread Alan DeKok
Brian Julin wrote:
> Slightly OT, but I'd like to encourage folks here who have a google
> account to "star" up issue #37178 on code.google.com to see if we cannot
> get Android developers to make future versions of the OS behave sanely
> WRT which AAA server certificates they will accept.

  Making things work is always on topic.

  Publicly shaming vendors who get RADIUS wrong is always on topic.

> I also left a long screed there about what the optimal behavior might be
> which some here might like to comment on.

  I'd suggest putting up a web page explaining how you can steal android
credentials via a malicious AP.  If you can get it to do TTLS + PAP for
a random certificate, that's good for a CERT issue.  And they'll pay
attention to that.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Android certificate validation behavior

2013-03-18 Thread Brian Julin

Slightly OT, but I'd like to encourage folks here who have a google account to
"star" up issue #37178 on code.google.com to see if we cannot get Android
developers to make future versions of the OS behave sanely WRT which AAA server
certificates they will accept.

I also left a long screed there about what the optimal behavior might be which
some here might like to comment on.

The URL is http://code.google.com/p/android/issues/detail?id=37178


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [Help] How to eliminate client certificate popup

2013-03-06 Thread Alan Buxey
"
2. Check fig.9 and fig-10 .. looks like there is an option to cache user

information and to 'not prompt user to ...' that I think (cmiiw) will give

proper solution."


It will stop pop-ups for future connections but not remove pop-ups for initial 
connection...which is what the requester wants.

alan

--
This smartphone uses free WiFi around the world with eduroam, now that's what I 
call smart.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [Help] How to eliminate client certificate popup

2013-03-05 Thread Danny Kurniawan
Thanks for all the replies, means I have to settle it from the client end :)

-Danny

On Wed, Mar 6, 2013 at 10:30 AM,  wrote:

> > Hi,
> >
> >> Check https://supportforums.cisco.com/docs/DOC-17544
> >
> > how many 'how to configure PEAP' documents does the world need? this one
> > has fewer issues than others but still has ambiguity... and this guide
> > also contains exactly the same security prompt that the requester DOESNT
> > want ;-)
> >
> I don't mean to argue, but ...
>
> 1. I just want to tell requester that the problem fix is at the client
> side.
> 2. Check fig.9 and fig-10 .. looks like there is an option to cache user
> information and to 'not prompt user to ...' that I think (cmiiw) will give
> proper solution.
>
> Sincerely
> -bino-
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
Best Regards,
Danny
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [Help] How to eliminate client certificate popup

2013-03-05 Thread bino
> Hi,
>
>> Check https://supportforums.cisco.com/docs/DOC-17544
>
> how many 'how to configure PEAP' documents does the world need? this one
> has fewer issues than others but still has ambiguity... and this guide
> also contains exactly the same security prompt that the requester DOESNT
> want ;-)
>
I don't mean to argue, but ...

1. I just want to tell requester that the problem fix is at the client side.
2. Check fig.9 and fig-10 .. looks like there is an option to cache user
information and to 'not prompt user to ...' that I think (cmiiw) will give
proper solution.

Sincerely
-bino-

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] How to eliminate client certificate popup

2013-03-05 Thread Phil Mayers

On 05/03/13 09:56, Danny Kurniawan wrote:

Hi All,

Thanks for all your replies. Yes I do understand the solution is to deploy
the network profile, but I was just curious at first whether any of you have
an idea how to eliminate it without touching the client.


You can't. It's impossible by design - allowing the AP to push CA trust 
settings would be a security hole.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] How to eliminate client certificate popup

2013-03-05 Thread Danny Kurniawan
Hi All,

Thanks for all your replies. Yes I do understand the solution is to deploy
the network profile, but I was just curious at first whether any of you have an
idea how to eliminate it without touching the client.

*for example push the profile automatically from the AP etc...

But now I guess I will have to deploy netsh command using script to all PC
as it's not joining AD :)

Thanks
Danny

On Tue, Mar 5, 2013 at 5:28 PM, Phil Mayers  wrote:

> On 03/05/2013 01:58 AM, Danny Kurniawan wrote:
>
>> Hello,
>>
>> We are using 802.1x wireless connection from Meraki and using
>> PEAP-MSCHAPv2 for authentication with our LDAP. Everything works fine,
>> it just we want to eliminate this pop-up at the 1st time people connect
>> to it :
>>
>> How can i do that? We are using a cert from Global sign and we already
>>
>
> You have only a few choices:
>
>  1. Use a program such as su1x, ExpressConnect or similar to pre-provision
> the CA trust settings
>  2. If the machines are domain members, use group policy to do the same
>  3. Deploy a batch file / whatever to use "netsh" and XML profiles to do
> the same - a poor man's version of #1
>  4. Live with it.
>
> This is not a RADIUS question; it's an issue of supplicant provisioning,
> which is best asked of your OS vendor.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>



-- 
Best Regards,
Danny
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [Help] How to eliminate client certificate popup

2013-03-05 Thread Phil Mayers

On 03/05/2013 01:58 AM, Danny Kurniawan wrote:

Hello,

We are using 802.1x wireless connection from Meraki and using
PEAP-MSCHAPv2 for authentication with our LDAP. Everything works fine,
it just we want to eliminate this pop-up at the 1st time people connect
to it :

How can i do that? We are using a cert from Global sign and we already


You have only a few choices:

 1. Use a program such as su1x, ExpressConnect or similar to 
pre-provision the CA trust settings

 2. If the machines are domain members, use group policy to do the same
 3. Deploy a batch file / whatever to use "netsh" and XML profiles to 
do the same - a poor man's version of #1

 4. Live with it.

This is not a RADIUS question; it's an issue of supplicant provisioning, 
which is best asked of your OS vendor.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] How to eliminate client certificate popup

2013-03-05 Thread A . L . M . Buxey
Hi,

> Check https://supportforums.cisco.com/docs/DOC-17544

how many 'how to configure PEAP' documents does the world need? this one
has fewer issues than others but still has ambiguity... and this guide
also contains exactly the same security prompt that the requester DOESNT
want ;-)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] How to eliminate client certificate popup

2013-03-05 Thread A . L . M . Buxey
Hi,

>How can I do that? We are using a cert from Global sign and we already
>have a root ca in our laptop, but we still need to choose that Terminate /
>Connect popup. It doesn't matter if we need to change our cert or etc, but
>we just want to eliminate that popup :)

its down to the OS and trust settings. the client needs to be configured. if you
use a deployment tool then this error can be removed.  

likewise, if in eg AD you can have a group policy deployed to do the same.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] How to eliminate client certificate popup

2013-03-04 Thread bino
> Hi,
>
> I mean eliminate it without a need to configure WLAN profile on each
> Windows 7 we have or using Intel Pro software etc.. I would like to know
> if
> anyone ever know how we can eliminate this from let say tweak the cert or
> some radius config.
>

I don't think it's about radius configuration.
It's more to your windows7 supplicant configuration.
Check https://supportforums.cisco.com/docs/DOC-17544

Sincerely
-bino-

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: [Help] How to eliminate client certificate popup

2013-03-04 Thread Danny Kurniawan
Hi,

I mean eliminate it without a need to configure WLAN profile on each
Windows 7 we have or using Intel Pro software etc.. I would like to know if
anyone ever know how we can eliminate this from let say tweak the cert or
some radius config.

Thanks
Danny

On Tue, Mar 5, 2013 at 9:58 AM, Danny Kurniawan <
danny.kurnia...@fairchildsemi.com> wrote:

> Hello,
>
> We are using 802.1x wireless connection from Meraki and using
> PEAP-MSCHAPv2 for authentication with our LDAP. Everything works fine, it
> just we want to eliminate this pop-up at the 1st time people connect to it :
>
> The credentials provided by the server could not be validated. We
> recommend that you terminate the connection and contact your administrator
> with the information provided in the details. You may still connect but
> doing so exposes you to security risk by a possible rogue server.
> Details
> Radius Server:   $radius
> Root CA:$ca
>
> How can I do that? We are using a cert from Global sign and we already
> have a root ca in our laptop, but we still need to choose that Terminate /
> Connect popup. It doesn't matter if we need to change our cert or etc, but
> we just want to eliminate that popup :)
>
> Thanks
> Danny
>
> --
> Best Regards,
> Danny
>



-- 
Best Regards,
Danny
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

[Help] How to eliminate client certificate popup

2013-03-04 Thread Danny Kurniawan
Hello,

We are using 802.1x wireless connection from Meraki and using PEAP-MSCHAPv2
for authentication with our LDAP. Everything works fine, it just we want to
eliminate this pop-up at the 1st time people connect to it :

The credentials provided by the server could not be validated. We recommend
that you terminate the connection and contact your administrator with the
information provided in the details. You may still connect but doing so
exposes you to security risk by a possible rogue server.
Details
Radius Server:   $radius
Root CA:$ca

How can I do that? We are using a cert from Global sign and we already have
a root ca in our laptop, but we still need to choose that Terminate /
Connect popup. It doesn't matter if we need to change our cert or etc, but
we just want to eliminate that popup :)

Thanks
Danny

-- 
Best Regards,
Danny
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem Using GoDaddy Wildcard Certificate

2013-03-04 Thread Reimer Karlsen-Masur, DFN-CERT
Hi Thomas,

Thomas Simmons wrote on 03.03.2013 03:28:

> The certification path for my cert is: My Cert > GoDaddy Secure
> Certification Authority > Go Daddy Class 2 Certification Authority
> 
> I added my certificate to the beginning of the chain file provided by
> GoDaddy (used cat to ensure no errors) and pointed certificate_file to this.
> I then selected the "Go Daddy Class 2 Certification Authority" under the
> network profile. When this did not work, I imported the chain file into my
> Trusted Root CAs and selected "GoDaddy Secure Certification Authority" in
> the wifi profile. This also did not work. Lastly, I cleaned up my
> certificate store, split apart the chain file into separate files, imported
> "GoDaddy Secure Certification Authority" into my Trusted Root CAs, selected
> the same in the wifi profile, and pointed certificate_file to my cert ONLY.
> Does anyone see a reason this should not work?

newer Windows versions do a fair bit of automagic when they have to deal
with certificates, i.e.:

o they do /not/ carry /a complete list of all/ Root-CA certificates that the
system will eventually trust, instead they automatically download specific
"pre-trusted" Root-CA certificates from some trusted Microsoft update
server, once the user - doing a bit of internet browsing - encounters a
server certificate that will eventually be validating its trust path to that
Root-CA certificate /for the first time/.

o they use the AIA (Authority Information Access) extension in the
certificates (if present) to automatically download missing intermediate CA
certificates from the URLs specified in the said certificates to
auto-complete trustpaths.

o they use the CDP (CRL distribution point) extension in the certificates
(if present) to automatically download CRLs from the URLs specified in the
said certificates.

o they use the AIA (Authority Information Access) extension in the
certificates (if present) to automatically ask an OCSP-responder for an
up-to-date status of the said certificates.

o they cache/store those downloaded bits of information

My guess is that your Windows system ran into some chicken-and-egg problem trying to
download these things from the internet while not having a full internet
connection.


> Ideas on what to try next?

If you have that same wildcard certificate running on an SSL-web-server, get
your Windows system connected to the Internet and browse to the HTTPS
address of that web server *with IE*. Since the system has full Internet
access it should download and store/cache all bits it is needing to
successfully validate your wildcard certificate.

You can check the Windows CRL and OCSP cache using

C:\> certutil -URLCache CRL
C:\> certutil -URLCache OCSP

Then disconnect the system and try re-connecting it using the supplicant
with eap-tls authentication. The system should hopefully use the validation
info it collected when it was online before since it is then encountering
the same wildcard certificate as before and accept your RADIUS-server
certificate.

This would at least prove my theory. I'm not sure if knowing why it is
broken will still help you to use your wildcard cert... at least for freshly
set-up Windows systems which were never connected to the Internet or which
have never seen your wildcard certificate before when connected to the
Internet it will be difficult.

Just my 2 cents.

Best Regards

Reimer

p.s.

You can clear the Windows CRL and OCSP caches using

C:\> certutil -URLCache CRL delete
C:\> certutil -URLCache OCSP delete

-- 
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team)

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-580
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstr. 5,  20097 Hamburg/Germany,  CEO: Dr. Klaus-Peter Kossakowski

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem Using GoDaddy Wildcard Certificate

2013-03-03 Thread Thomas Simmons
On Sun, Mar 3, 2013 at 10:03 AM, Phil Mayers wrote:

> Try with a private ca first, it'll save cash
>
>
I tested using a standard TLD domain cert that I have on-hand. Of course, it
works as expected. It appears you are indeed correct - wildcard certs do
not work for this purpose under Windows.

Thank you all for the help.


>
> Thomas Simmons  wrote:
>>
>> On Sun, Mar 3, 2013 at 6:41 AM, Phil Mayers wrote:
>>
>>> When you enable "validate...", what are you entering as the server name?
>>> I'm not sure wildcard certs work with eap under windows.
>>>
>>> Hello Phil,
>>
>> Initially, I unchecked "Connect to these servers" and left this field
>> empty - this is what I did with the self-signed cert that worked. I also
>> tried *.mydomain.com (the CN) and domain.com. I can purchase a standard
>> cert to verify this is the problem.
>>
>>
>>> Thomas Simmons  wrote:
>>>
>>> >Hello All,
>>> >
>>> >I'm trying to get my setup working with a GoDaddy-issued wildcard
>>> >certificate (I understand self-signed is recommended). I don't
>>> >understand
>>> >why this is not working and appreciate any input. What I have found so
>>> >far:
>>> >
>>> >Everything works with self-signed certs. With the CA cert imported,
>>> >"Validate server certificate" is not required.
>>> >Everything works with GoDaddy certs on Android.
>>> >Everything works with GoDaddy certs and "Validate ..." unchecked.
>>>
>>> --
>>> Sent from my mobile device, please excuse brevity and typos.
>>>
>>
>>
> --
> Sent from my mobile device, please excuse brevity and typos.
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem Using GoDaddy Wildcard Certificate

2013-03-03 Thread Thomas Simmons
On Sun, Mar 3, 2013 at 9:09 AM, JDL  wrote:

> Thomas,
>
> Most wildcard certificates that I have encountered do NOT include the
> domain, only subdomains.  In other words "something.mydomain.com" would
> work but not simply "domain.com".  I know you tried the actual CN, but
> perhaps some component is having an issue with the asterisk.  If you wanted
> to make another test, you could try using a server name  which is similar
> to something.mydomain.com.
>
> Jim L.
>
> Hello Jim,

I tested using foo.mydomain.com, which resulted in the same error. I'm
fairly certain Phil is correct that wildcard certs do not work for this
purpose under Windows.

>
> On Mar 3, 2013, at 7:41 AM, Thomas Simmons  wrote:
>
> On Sun, Mar 3, 2013 at 6:41 AM, Phil Mayers wrote:
>
>> When you enable "validate...", what are you entering as the server name?
>> I'm not sure wildcard certs work with eap under windows.
>>
>> Hello Phil,
>
> Initially, I unchecked "Connect to these servers" and left this field
> empty - this is what I did with the self-signed cert that worked. I also
> tried *.mydomain.com (the CN) and domain.com. I can purchase a standard
> cert to verify this is the problem.
>
>
>> Thomas Simmons  wrote:
>>
>> >Hello All,
>> >
>> >I'm trying to get my setup working with a GoDaddy-issued wildcard
>> >certificate (I understand self-signed is recommended). I don't
>> >understand
>> >why this is not working and appreciate any input. What I have found so
>> >far:
>> >
>> >Everything works with self-signed certs. With the CA cert imported,
>> >"Validate server certificate" is not required.
>> >Everything works with GoDaddy certs on Android.
>> >Everything works with GoDaddy certs and "Validate ..." unchecked.
>>
>> --
>> Sent from my mobile device, please excuse brevity and typos.
>>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem Using GoDaddy Wildcard Certificate

2013-03-03 Thread Phil Mayers
Try with a private CA first, it'll save cash.

Thomas Simmons  wrote:

>On Sun, Mar 3, 2013 at 6:41 AM, Phil Mayers 
>wrote:
>
>> When you enable "validate...", what are you entering as the server
>name?
>> I'm not sure wildcard certs work with eap under windows.
>>
>> Hello Phil,
>
>Initially, I unchecked "Connect to these servers" and left this field
>empty
>- this is what I did with the self-signed cert that worked. I also
>tried *.
>mydomain.com (the CN) and domain.com. I can purchase a standard cert to
>verify this is the problem.
>
>
>> Thomas Simmons  wrote:
>>
>> >Hello All,
>> >
>> >I'm trying to get my setup working with a GoDaddy-issued wildcard
>> >certificate (I understand self-signed is recommended). I don't
>> >understand
>> >why this is not working and appreciate any input. What I have found
>so
>> >far:
>> >
>> >Everything works with self-signed certs. With the CA cert imported,
>> >"Validate server certificate" is not required.
>> >Everything works with GoDaddy certs on Android.
>> >Everything works with GoDaddy certs and "Validate ..." unchecked.
>>
>> --
>> Sent from my mobile device, please excuse brevity and typos.
>>

--
Sent from my mobile device, please excuse brevity and typos.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem Using GoDaddy Wildcard Certificate

2013-03-03 Thread JDL
Thomas,

Most wildcard certificates that I have encountered do NOT include the domain,
only subdomains.  In other words "something.mydomain.com" would work but not
simply "domain.com".  I know you tried the actual CN, but perhaps some
component is having an issue with the asterisk.  If you wanted to make another
test, you could try using a server name which is similar to
something.mydomain.com.

Jim L.


On Mar 3, 2013, at 7:41 AM, Thomas Simmons  wrote:

> On Sun, Mar 3, 2013 at 6:41 AM, Phil Mayers  wrote:
> When you enable "validate...", what are you entering as the server name? I'm 
> not sure wildcard certs work with eap under windows.
> 
> Hello Phil,
> 
> Initially, I unchecked "Connect to these servers" and left this field empty - 
> this is what I did with the self-signed cert that worked. I also tried 
> *.mydomain.com (the CN) and domain.com. I can purchase a standard cert to 
> verify this is the problem.
>  
> Thomas Simmons  wrote:
> 
> >Hello All,
> >
> >I'm trying to get my setup working with a GoDaddy-issued wildcard
> >certificate (I understand self-signed is recommended). I don't
> >understand
> >why this is not working and appreciate any input. What I have found so
> >far:
> >
> >Everything works with self-signed certs. With the CA cert imported,
> >"Validate server certificate" is not required.
> >Everything works with GoDaddy certs on Android.
> >Everything works with GoDaddy certs and "Validate ..." unchecked.
> 
> --
> Sent from my mobile device, please excuse brevity and typos.
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem Using GoDaddy Wildcard Certificate

2013-03-03 Thread Thomas Simmons
On Sun, Mar 3, 2013 at 6:41 AM, Phil Mayers  wrote:

> When you enable "validate...", what are you entering as the server name?
> I'm not sure wildcard certs work with eap under windows.
>
> Hello Phil,

Initially, I unchecked "Connect to these servers" and left this field empty
- this is what I did with the self-signed cert that worked. I also tried *.
mydomain.com (the CN) and domain.com. I can purchase a standard cert to
verify this is the problem.


> Thomas Simmons  wrote:
>
> >Hello All,
> >
> >I'm trying to get my setup working with a GoDaddy-issued wildcard
> >certificate (I understand self-signed is recommended). I don't
> >understand
> >why this is not working and appreciate any input. What I have found so
> >far:
> >
> >Everything works with self-signed certs. With the CA cert imported,
> >"Validate server certificate" is not required.
> >Everything works with GoDaddy certs on Android.
> >Everything works with GoDaddy certs and "Validate ..." unchecked.
>
> --
> Sent from my mobile device, please excuse brevity and typos.
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem Using GoDaddy Wildcard Certificate

2013-03-03 Thread Phil Mayers
When you enable "validate...", what are you entering as the server name? I'm
not sure wildcard certs work with EAP under Windows.

Thomas Simmons  wrote:

>Hello All,
>
>I'm trying to get my setup working with a GoDaddy-issued wildcard
>certificate (I understand self-signed is recommended). I don't
>understand
>why this is not working and appreciate any input. What I have found so
>far:
>
>Everything works with self-signed certs. With the CA cert imported,
>"Validate server certificate" is not required.
>Everything works with GoDaddy certs on Android.
>Everything works with GoDaddy certs and "Validate ..." unchecked.

-- 
Sent from my mobile device, please excuse brevity and typos.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem Using GoDaddy Wildcard Certificate

2013-03-02 Thread Alan DeKok
Thomas Simmons wrote:
> On Win 7, with "Validate ..." checked, I receive the following error:
> 
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied
> TLS Alert read:fatal:access denied

  The Windows box is refusing to accept the server's certificate.

> The GoDaddy certs appear to have the necessary "XP Extensions". The
> following is reported under "Enhanced Key Usage" when I view the cert in
> Windows:
> Server Authentication (1.3.6.1.5.5.7.3.1)
> Client Authentication (1.3.6.1.5.5.7.3.2)

  OK.

> I added my certificate to the beginning of the chain file provided by
> GoDaddy (used cat to ensure no errors) and pointed certificate_file to
> this. I then selected the "Go Daddy Class 2 Certification Authority"
> under the network profile. When this did not work, I imported the chain
> file into my Trusted Root CAs and selected "GoDaddy Secure Certification
> Authority" in the wifi profile. This also did not work. Lastly, I
> cleaned up my certificate store, split apart the chain file
> into separate files, imported "GoDaddy Secure Certification Authority"
> into my Trusted Root CAs, selected the same in the wifi profile, and
> pointed certificate_file to my cert ONLY. Does anyone see a reason this
> should not work? Ideas on what to try next? Thank you.

  Ask Microsoft why their software doesn't work.

  It sounds like you followed all of the right steps.  Maybe you missed
something minor (and critical).  It's hard to say.  There's a lot of
magic in SSL.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Problem Using GoDaddy Wildcard Certificate

2013-03-02 Thread Thomas Simmons
Hello All,

I'm trying to get my setup working with a GoDaddy-issued wildcard
certificate (I understand self-signed is recommended). I don't understand
why this is not working and appreciate any input. What I have found so far:

Everything works with self-signed certs. With the CA cert imported,
"Validate server certificate" is not required.
Everything works with GoDaddy certs on Android.
Everything works with GoDaddy certs and "Validate ..." unchecked.

On Win 7, with "Validate ..." checked, I receive the following error:

[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
[peap] WARNING: No data inside of the tunnel.
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state ?
[peap] FAILED processing PEAP: Tunneled data is invalid.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.

The GoDaddy certs appear to have the necessary "XP Extensions". The
following is reported under "Enhanced Key Usage" when I view the cert in
Windows:
Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)

Likewise, openssl reports:
$ openssl x509 -in server.crt -text -noout | grep "Web Server"
TLS Web Server Authentication, TLS Web Client Authentication

The certification path for my cert is: My Cert > GoDaddy Secure
Certification Authority > Go Daddy Class 2 Certification Authority

I added my certificate to the beginning of the chain file provided by
GoDaddy (used cat to ensure no errors) and pointed certificate_file to
this. I then selected the "Go Daddy Class 2 Certification Authority" under
the network profile. When this did not work, I imported the chain file into
my Trusted Root CAs and selected "GoDaddy Secure Certification Authority"
in the wifi profile. This also did not work. Lastly, I cleaned up my
certificate store, split apart the chain file into separate files, imported
"GoDaddy Secure Certification Authority" into my Trusted Root CAs, selected
the same in the wifi profile, and pointed certificate_file to my cert ONLY.
Does anyone see a reason this should not work? Ideas on what to try next?
Thank you.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
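An added example, not from the thread and not FreeRADIUS's own tooling: a shell pre-flight check for a PEAP/EAP-TLS server certificate that encodes the two findings of this thread (the serverAuth EKU must be present; wildcard server names were reported not to work with Windows supplicants), plus a helper that builds a constructed self-signed test cert so the check can be tried offline. It assumes the openssl command-line tool; the example.com names and file names are made up.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeRADIUS's own tooling):
# pre-flight checks on a server certificate before using it for PEAP/EAP-TLS,
# based on two findings in the thread: Windows supplicants need the
# "TLS Web Server Authentication" EKU, and they were reported to reject a
# wildcard server cert when "Validate server certificate" is enabled.
# Requires the openssl command-line tool.

# Print one finding per line for the PEM certificate in $1.
# Returns 0 when no finding was printed, 1 when at least one was, 2 when
# the file could not be parsed.
check_eap_server_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    rc=0
    # The "XP extensions" the thread refers to: EKU must include serverAuth.
    if ! printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
        echo "missing extendedKeyUsage serverAuth (TLS Web Server Authentication)"
        rc=1
    fi
    # Names the client will match against: subject CN plus any SAN DNS entries
    # (the -text output separates DN components and SAN entries with commas).
    names=$(printf '%s\n' "$text" | sed -n \
        -e 's/^ *Subject:.*CN *= *\([^,]*\).*/\1/p' \
        -e 's/^ *DNS:\(.*\)/\1/p' | tr ',' '\n' | sed 's/^ *DNS://; s/ *$//')
    set -f   # names may contain '*'; do not let the shell glob them
    for n in $names; do
        case $n in
            \**) echo "wildcard name $n: Windows supplicants were reported not to accept wildcard server certs for EAP"
                 rc=1 ;;
        esac
    done
    set +f
    return $rc
}

# Constructed self-signed test certificate (not a deployment cert) for
# trying the checker: writes $1/server.key and $1/server.crt with subject
# CN $2, subjectAltName $3 (e.g. DNS:radius.example.com, may be empty) and
# extendedKeyUsage $4 (e.g. serverAuth, may be empty).
make_test_cert() {
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = v3\n'
        printf '[dn]\nCN = %s\n[v3]\nbasicConstraints = CA:FALSE\n' "$2"
        if [ -n "$3" ]; then printf 'subjectAltName = %s\n' "$3"; fi
        if [ -n "$4" ]; then printf 'extendedKeyUsage = %s\n' "$4"; fi
    } > "$1/cert.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/cert.cnf" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Usage: sh this-script.sh /path/to/server.crt
if [ $# -eq 1 ]; then
    check_eap_server_cert "$1" && echo "no findings for $1"
fi
```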

Re: SSL V3 client certificate error

2013-02-28 Thread Danny Kurniawan
Thank you so much. Yes, it only has issues intermittently on some users. So
I have to set our client laptops manually for the root CA? I believe it
should be there as we use GlobalSign...

-- 
Best Regards,
Danny
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: SSL V3 client certificate error

2013-02-28 Thread Phil Mayers
This is the client telling you it doesn't trust your server CA. Set up the
client correctly.

Danny Kurniawan  wrote:

>Hi All,
>
>I have some intermittent issue with our Radius auth.
>OS : SLES 11
>Radius 2.1.1
>
>We get the cert from GlobalSign and use it at the 2 Radius servers. So
>Server A and Server B use the same cert.
>In Server B, sometimes it works fine to authenticate and sometimes it
>fails, but everything is fine in Server A.
>
>Fri Feb 22 18:31:39 2013 : Auth: Login OK: [sdholakia2] (from client
>AllWirelessAP port 0 via TLS tunnel)
>Fri Feb 22 18:31:39 2013 : Auth: Login OK: [sdholakia2] (from client
>AllWirelessAP port 0 cli A0-88-B4-0F-C3-D8)
>*Fri Feb 22 18:36:30 2013 : Error: TLS Alert read:fatal:unknown CA
>Fri Feb 22 18:36:30 2013 : Error: TLS_accept:failed in SSLv3 read
>client certificate A
>Fri Feb 22 18:36:30 2013 : Error: rlm_eap: SSL error error:14094418:SSL
>routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>Fri Feb 22 18:36:30 2013 : Error: SSL: SSL_read failed inside of TLS
>(-1),
>TLS session fails.*
>Fri Feb 22 18:36:30 2013 : Auth: Login incorrect: [800200sq] (from
>client
>AllWirelessAP port 0 cli A0-88-B4-58-BA-8C)
>Fri Feb 22 18:37:34 2013 : Auth: Login OK: [800200sq] (from client
>AllWirelessAP port 0 via TLS tunnel)
>Fri Feb 22 18:37:34 2013 : Auth: Login OK: [800200sq] (from client
>AllWirelessAP port 0 cli A0-88-B4-0F-C3-D8)
>
>Any idea what should i check for that error?
>
>Thanks
>
>--
>Best Regards,
>Danny
>
>
>
>
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html

--
Sent from my mobile device, please excuse brevity and typos.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
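An added example, not from the list: a shell script that triages FreeRADIUS log lines for the fatal TLS alerts seen in this thread (unknown CA) and in the GoDaddy thread above (access denied), pairing each alert with the station MAC from the "Login incorrect" line that follows it and with the diagnosis the replies gave. The log lines are constructed to follow the formats quoted on the list (assumed unwrapped, one event per line); user names and MACs are made up.

```shell
#!/bin/sh
# Added example, not from the list thread.  Triage FreeRADIUS log lines for
# fatal TLS alerts sent by the supplicant and attribute each one to the
# client MAC from the "Login incorrect" line that follows.  The sample
# lines below are constructed to match the formats quoted in the threads
# (radius.log "Auth:"/"Error:" lines and radiusd -X "[peap]" lines).

# Map an alert reason to the diagnosis given on the list for it.
alert_diagnosis() {
    case "$1" in
        "unknown CA")
            echo "client does not trust the server CA; fix the supplicant's trusted-CA setting" ;;
        "access denied")
            echo "client refused the server certificate; check server name and cert constraints in the supplicant profile" ;;
        *)
            echo "unclassified TLS alert" ;;
    esac
}

# Read log lines on stdin and print one "reason|mac|diagnosis" line per
# fatal alert.  The MAC is taken from the next "Login incorrect" line's
# "cli XX-XX-..." field, or "-" if none follows before the next alert.
tls_alert_summary() {
    awk '
        function flush() { printf "%s|%s\n", pending, mac; pending = "" }
        # start of a failure: keep the reason text after "fatal:"
        /TLS Alert read:fatal:/ {
            if (pending != "") flush()
            sub(/.*TLS Alert read:fatal:/, "")
            gsub(/[ \t\r]+$/, "")
            pending = $0; mac = "-"
            next
        }
        # the auth failure that follows carries the station MAC ("cli ...")
        pending != "" && /Login incorrect:/ {
            if (match($0, /cli [0-9A-Fa-f-]+/))
                mac = substr($0, RSTART + 4, RLENGTH - 4)
            flush()
        }
        END { if (pending != "") flush() }
    ' | while IFS='|' read -r reason mac; do
        printf '%s|%s|%s\n' "$reason" "$mac" "$(alert_diagnosis "$reason")"
    done
}

# Constructed sample log, modelled on the two threads (not real log data).
SAMPLE_LOG='Fri Feb 22 18:31:39 2013 : Auth: Login OK: [user1] (from client AllWirelessAP port 0 via TLS tunnel)
Fri Feb 22 18:36:30 2013 : Error: TLS Alert read:fatal:unknown CA
Fri Feb 22 18:36:30 2013 : Error: TLS_accept:failed in SSLv3 read client certificate A
Fri Feb 22 18:36:30 2013 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Fri Feb 22 18:36:30 2013 : Auth: Login incorrect: [user2] (from client AllWirelessAP port 0 cli 00-11-22-33-44-55)
[peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
Failed to authenticate the user.'

printf '%s\n' "$SAMPLE_LOG" | tls_alert_summary
```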

Re: EAP-TLS certificate problem

2013-02-19 Thread Alan DeKok
Muhammad Nadeem wrote:
> I succeeded in authenticating the users from a database.
> But when I set up the same setup on another machine, I failed :(
> The following output is the debug output of the FreeRADIUS server. (I
> think EAP NAK is creating problems).

  Yes.  Read the debug output.

> [eap] EAP NAK
> [eap] NAK asked for bad type 0
> [eap] Failed in EAP select

  The client is broken.

  Don't blame FreeRADIUS.  Go fix the client.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS certificate problem

2013-02-19 Thread John Dennis

On 02/19/2013 09:16 AM, Muhammad Nadeem wrote:
> On 2/19/13, Phil Mayers  wrote:
>> On 19/02/13 09:11, Muhammad Nadeem wrote:
>>> Hi, everybody
>>> I have used the pre-shipped certificates of FreeRADIUS for testing
>>> purposes. This testing succeeded with a test user 'bob', with files
>>> authentication.
>>> Now in the next step I want to authenticate a user from my database with
>>> digital certificates. When I authenticate the user, the server side
>>> confirms and sends an "Access-Accept" packet, but at the client the
>>> following error occurs.
>>> " No Message-Authenticator attribute found
>>> Incoming RADIUS packet did not have correct Message-Authenticator -
>>> dropped
>>> STA 02:00:00:00:00:01: No RADIUS RX handler found (type=0 code=2 id=0)
>>> - dropping packet"
>>>
>>> I googled this problem and found that the user's Auth-Type is
>>> set to Accept (I manually checked the user in the database, and its
>>> Auth-Type was Accept) and this type prevents further processing.
>>
>> Yes
>>
>>> Now my question is, could I continue EAP-TLS authentication
>>> regardless of Auth-Type being set to Accept?
>>
>> No. Don't set Auth-Type unless you know what you're doing.

Doesn't look like you actually heeded this advice, does it? Hint, look at
your select statement. You're setting the Auth-Type.

> Ok, thanks,
> I succeeded in authenticating the users from a database.
> But when I set up the same setup on another machine, I failed :(
> The following output is the debug output of the FreeRADIUS server. (I
> think EAP NAK is creating problems).
> [sql]   expand: SELECT '1' AS RC_ID,'%{SQL-USER-NAME}' AS
> USERNAME,'Auth-Type' AS Attribute,
> AAA_GETVALUETOCHECKWITRIBE('%{SQL-User-Name}') AS Value,':=' AS op
> FROM dual ORDER BY RC_ID -> SELECT '1' AS RC_ID,'001AAD3F8165' AS
> USERNAME,'Auth-Type' AS Attribute,
> AAA_GETVALUETOCHECKWITRIBE('001AAD3F8165') AS Value,':=' AS op FROM
> dual ORDER BY RC_ID
> [sql] User found in radcheck table
>
> Found Auth-Type = Accept
> Found Auth-Type = EAP
> Warning:  Found 2 auth-types on request for user '001AAD3F8165'


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS certificate problem

2013-02-19 Thread Phil Mayers

On 19/02/13 14:16, Muhammad Nadeem wrote:
> [eap] EAP NAK
> [eap] NAK asked for bad type 0

You've mis-configured the client. Go back and look at it again.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS certificate problem

2013-02-19 Thread Muhammad Nadeem
On 2/19/13, Phil Mayers  wrote:
> On 19/02/13 09:11, Muhammad Nadeem wrote:
>> Hi, everybody
>> I have used the pre-shipped certificates of FreeRADIUS for testing
>> purposes. This testing succeeded with a test user 'bob', with files
>> authentication.
>> Now in the next step I want to authenticate a user from my database with
>> digital certificates. When I authenticate the user, the server side
>> confirms and sends an "Access-Accept" packet, but at the client the
>> following error occurs.
>> " No Message-Authenticator attribute found
>> Incoming RADIUS packet did not have correct Message-Authenticator -
>> dropped
>> STA 02:00:00:00:00:01: No RADIUS RX handler found (type=0 code=2 id=0)
>> - dropping packet"
>>
>> I googled this problem and found that the user's Auth-Type is
>> set to Accept (I manually checked the user in the database, and its
>> Auth-Type was Accept) and this type prevents further processing.
>
> Yes
>
>> Now my question is, could I continue EAP-TLS authentication
>> regardless of Auth-Type being set to Accept?
>
> No. Don't set Auth-Type unless you know what you're doing.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
Ok, thanks,
I succeeded in authenticating the users from a database.
But when I set up the same setup on another machine, I failed :(
The following output is the debug output of the FreeRADIUS server. (I
think EAP NAK is creating problems).
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.112 port 35397,
id=0, length=132
User-Name = "001AAD3F8165"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x021101303031414144334638313635
Message-Authenticator = 0xebcf3f94a32bf89eaabf4be3b2ce493b
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "001AAD3F8165", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[eap] EAP packet type response id 0 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql]   expand: %{User-Name} -> 001AAD3F8165
[sql] sql_set_user escaped user --> '001AAD3F8165'
rlm_sql (sql): Reserving sql socket id: 9
[sql]   expand: SELECT '1' AS RC_ID,'%{SQL-USER-NAME}' AS
USERNAME,'Auth-Type' AS Attribute,
AAA_GETVALUETOCHECKWITRIBE('%{SQL-User-Name}') AS Value,':=' AS op
FROM dual ORDER BY RC_ID -> SELECT '1' AS RC_ID,'001AAD3F8165' AS
USERNAME,'Auth-Type' AS Attribute,
AAA_GETVALUETOCHECKWITRIBE('001AAD3F8165') AS Value,':=' AS op FROM
dual ORDER BY RC_ID
[sql] User found in radcheck table
[sql]   expand: select rownum, '%{SQL-USER-NAME}', RR_ATTRIBUTE,
RR_VALUE, RR_OP FROM AAA_TBLRADREPLY where PI_PROFILEID in (SELECT
PI_PROFILEID FROM SM_TBLSUBSIDENTIFICATIONS WHERE SI_IDENTIFICATION =
upper(replace('%{SQL-USER-NAME}',':','')) ) AND NE_ELEMENTID in
(SELECT NE_ELEMENTID FROM NC_TBLNEACESSCONF WHERE NEAC_IPADDRESS =
'%{NAS-IP-Address}') -> select rownum, '001AAD3F8165', RR_ATTRIBUTE,
RR_VALUE, RR_OP FROM AAA_TBLRADREPLY where PI_PROFILEID in (SELECT
PI_PROFILEID FROM SM_TBLSUBSIDENTIFICATIONS WHERE SI_IDENTIFICATION =
upper(replace('001AAD3F8165',':','')) ) AND NE_ELEMENTID in (SELECT
NE_ELEMENTID FROM NC_TBLNEACESSCONF WHERE NEAC_IPADDRESS =
'127.0.0.1')
rlm_sql (sql): Released sql socket id: 9
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = Accept
Found Auth-Type = EAP
Warning:  Found 2 auth-types on request for user '001AAD3F8165'
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.0.112 port 35397
Qos-Policing-Profile-Name := "128K_UL"
Qos-Metering-Profile-Name := "512K_DL"
Context-Name := "Postpaid-VR"
DHCP-Max-Leases := 1
Forward-Policy := "in:nonpayment_redirect_post"
HTTP

Re: EAP-TLS certificate problem

2013-02-19 Thread Phil Mayers

On 19/02/13 09:11, Muhammad Nadeem wrote:
> Hi, everybody
> I have used the pre-shipped certificates of FreeRADIUS for testing
> purposes. This testing succeeded with a test user 'bob', with files
> authentication.
> Now in the next step I want to authenticate a user from my database with
> digital certificates. When I authenticate the user, the server side
> confirms and sends an "Access-Accept" packet, but at the client the
> following error occurs.
> " No Message-Authenticator attribute found
> Incoming RADIUS packet did not have correct Message-Authenticator - dropped
> STA 02:00:00:00:00:01: No RADIUS RX handler found (type=0 code=2 id=0)
> - dropping packet"
>
> I googled this problem and found that the user's Auth-Type is
> set to Accept (I manually checked the user in the database, and its
> Auth-Type was Accept) and this type prevents further processing.

Yes

> Now my question is, could I continue EAP-TLS authentication
> regardless of Auth-Type being set to Accept?

No. Don't set Auth-Type unless you know what you're doing.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: [EAP/TLS] Authenfication through a certificate

2013-02-08 Thread vazoumana fofana


Here is the output:

 Evaluating ("%{TLS-Client-Cert-Subject}" =~//) -> TRUE
++? if ("%{TLS-Client-Cert-Subject}" =~ /\/xx\// ) -> TRUE
++- entering if ("%{TLS-Client-Cert-Subject}" =~ /\/O=\// ) {...}
+++? if ("%{TLS-Client-Cert-Subject}" =~ /\/OU=\// )
expand: %{TLS-Client-Cert-Subject} -> 
/
? Evaluating ("%{TLS-Client-Cert-Subject}" =~ /\/xxx\//) -> TRUE
+++? if ("%{TLS-Client-Cert-Subject}" =~ /\/x\// ) -> TRUE
+++- entering if ("%{TLS-Client-Cert-Subject}" =~ /\/xx\// ) {...}
[noop] returns noop
+++- if ("%{TLS-Client-Cert-Subject}" =~ /\/xxx\// ) returns noop
+++ ... skipping else for request 21: Preceding "if" was taken
++- if ("%{TLS-Client-Cert-Subject}" =~ /\/xx\// ) returns noop
Login OK: [xx] (from client xxx

I understand that eap returns ok, so the user is authenticated.
It's not what I want to do.
I want the client certificate to be authenticated by:
- being in the users file
- having the "right" certificate

> From: a.l.m.bu...@lboro.ac.uk
> To: zoumlan...@hotmail.com; freeradius-users@lists.freeradius.org
> Subject: Re: [EAP/TLS] Authenfication through a certificate
> Date: Fri, 8 Feb 2013 16:20:20 +
>
> As already said, post output of radiusd -X
>
> (that will clearly show the logic taken)
>
> alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [EAP/TLS] Authenfication through a certificate

2013-02-08 Thread Alan Buxey
As already said, post output of radiusd -X
(that will clearly show the logic taken)

alan


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: [EAP/TLS] Authenfication through a certificate

2013-02-08 Thread vazoumana fofana

I began setting up the configuration, but I got two problems:

Clients with a good certificate can be authenticated even if they're not in
the "users" file.
I assume it's due to my code. Here is the authenticate section of default:

Auth-Type eap {
    eap
    if ( "%{TLS-Client-Cert-Subject}" =~ /\/\// ) {
        if ( "%{TLS-Client-Cert-Subject}" =~ /\/xxx\// ) {
            ok
        }
        else {
            fail
        }
    }
}

It's as if, when the condition is checked, it bypasses the "users" file.

Maybe I must move these lines under authorize?
Can anyone confirm?

cheers
 

> Date: Mon, 4 Feb 2013 10:32:22 -0500
> From: al...@deployingradius.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: [EAP/TLS] Authenfication through a certificate
> 
> vazoumana fofana wrote:
> > I've got a question about EAP/TLS and authentication for a client
> > through a certificate.
> > I succeeded in setting it up. But I notice that FreeRADIUS matches the
> > client login with the certificate CNAME.
> > Is it possible to change it in order to match email instead of CNAME?
> 
>   Yes.
> 
>   Read the eap.conf file, and the raddb/sites-available/default.  This
> is documented.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [EAP/TLS] Authenfication through a certificate

2013-02-04 Thread Alan DeKok
vazoumana fofana wrote:
> I've got a question about EAP/TLS and authentication for a client
> through a certificate.
> I succeeded in setting it up. But I notice that FreeRADIUS matches the
> client login with the certificate CNAME.
> Is it possible to change it in order to match email instead of CNAME?

  Yes.

  Read the eap.conf file, and the raddb/sites-available/default.  This
is documented.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


[EAP/TLS] Authenfication through a certificate

2013-02-04 Thread vazoumana fofana

Dear everybody,

I've got a question about EAP/TLS and authentication for a client through a
certificate.
I succeeded in setting it up. But I notice that FreeRADIUS matches the client
login with the certificate CNAME.
Is it possible to change it in order to match email instead of CNAME?

Best regards.
  -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-23 Thread Alan DeKok
Stephan Manske wrote:
> Does this work with specific make commands only? So you cannot use it in
> freeradius to be compatible?

  It only works with GNU Make.  Version 3 has a new build system, which
requires GNU Make.  It could be done there.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-23 Thread Stephan Manske

On 23.01.2013, 21:23, wrote:

>> IMHO this patch
>> https://github.com/FreeRADIUS/freeradius-server/commit/2d3f119cd8d9e99028f968db1ee108eb6f05db09#raddb/certs/Makefile
>>
>> with
>>
>> +ca.key ca.pem: ca.cnf index.txt serial
>
> you stated earlier that you didn't touch freeradius... all you did
> was update OpenSSL to the latest version. To be affected by any
> change to certificate makefiles etc. you would have had to update/play
> with freeradius too, which you stated you didn't do.

Yes, I updated my freeradius installation to 2.2.0. But I did this
_months_ ago. My fault, not to think about an update months ago. Really
sorry.

So, it was a coincidence: all worked fine, then I updated openssl, made a
new client certificate to test it (unfortunately the first time for
months) and from now on my older certificates gave me SSL errors. So it
looked to me as if there was a relation to this SSL update.

Ciao, Stephan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-23 Thread Stephan Manske

On 23.01.2013, 21:13, Alan DeKok wrote:

> Stephan Manske wrote:
>> I think I found the issue:
> ...
>> makes ca.key dependent on the date of index.txt and serial
>>
>> Both files are updated every time a new client cert is built. IMHO.
>
>   OK.  That's a better explanation than "FreeRADIUS is wrong".
>
>   There's a fix on github, which will be in 2.2.1.

ca.key ca.pem: ca.cnf
	@[ -f index.txt ] || $(MAKE) index.txt
	@[ -f serial ] || $(MAKE) serial
	openssl req -new -x509 -keyout ca.key -out ca.pem \
		-days $(CA_DEFAULT_DAYS) -config ./ca.cnf

I am only a make noob, but is there a reason not to use
order-only prerequisites?

"Occasionally, however, you have a situation where you want to impose a
specific ordering on the rules to be invoked without forcing the target to
be updated if one of those rules is executed. In that case, you want to
define order-only prerequisites. Order-only prerequisites can be specified
by placing a pipe symbol (|) in the prerequisites list: any prerequisites
to the left of the pipe symbol are normal; any prerequisites to the right
are order-only:

 targets : normal-prerequisites | order-only-prerequisites"

Does this work with specific make commands only? So you cannot use it in
freeradius to be compatible?

Ciao, Stephan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-23 Thread John Dennis

On 01/23/2013 01:53 PM, Stephan Manske wrote:
> IMHO this patch
> https://github.com/FreeRADIUS/freeradius-server/commit/2d3f119cd8d9e99028f968db1ee108eb6f05db09#raddb/certs/Makefile
>
> with
>
> +ca.key ca.pem: ca.cnf index.txt serial
>
> makes ca.key dependent on the date of index.txt and serial
>
> Both files are updated every time a new client cert is built. IMHO.

Good catch! Yes, every time you generate a client cert both the database
(index.txt) and the serial number file are updated. The database file
keeps a record of every cert issued by the CA. The serial file is used
so the CA knows the next serial number to use.

The cert generation only works once; the next client cert issue causes a
new CA key/cert to be generated.

But there is another problem as well. The client.cnf file embeds the
cert subject name. Apparently the openssl ca command will not update the
database if there already is a cert with the same subject, which there
will be unless you edit the client.cnf file. This causes the ca command
to fail. It doesn't matter if the cert with the duplicate subject has a
different serial number.

As for why in different circumstances you've seen openssl emit the error
about incomplete data, my best guess is the client files might have been
corrupted when the ca command failed. If it were only a CA key change
issue you should have just gotten a bad signature verification failure.


HTH,

John


--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
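An added example, not from the thread and not raddb/certs/Makefile itself, that reproduces the dependency problem explained in the two messages above in a scratch directory: it writes a minimal Makefile with the CA rule's prerequisite list as given, fakes the timestamps left behind after a client cert has been issued, and asks make whether it would regenerate the CA. It covers the 2.2.0 rule, the 2.2.1 fix quoted in the thread, and the order-only form Stephan asked about; it assumes make is installed and uses touch as a stand-in recipe.

```shell
#!/bin/sh
# Added example (not from the thread and not raddb/certs/Makefile itself):
# reproduces in a scratch directory why the rule
#     ca.key ca.pem: ca.cnf index.txt serial
# makes make regenerate the CA after every client cert is issued, and shows
# that GNU make's order-only form "ca.cnf | index.txt serial" does not.
# The recipe is a touch stand-in for the openssl command; requires make.

# Report how make treats the CA rule whose prerequisite list is $1 once a
# client cert has been issued after the CA was created.  Prints "rebuild"
# when make considers ca.key/ca.pem out of date, "up-to-date" otherwise;
# returns 2 if make is not installed.
ca_rule_effect() {
    command -v make >/dev/null 2>&1 || return 2
    dir=$(mktemp -d) || return 2
    # the recipe line must start with a tab
    printf 'ca.key ca.pem: %s\n\ttouch ca.key ca.pem\n' "$1" > "$dir/Makefile"
    # CA material created first (fixed timestamps so the order is explicit) ...
    touch -t 201301230900 "$dir/ca.cnf" "$dir/ca.key" "$dir/ca.pem"
    # ... then a client cert is issued: "openssl ca" rewrites the database
    # (index.txt) and the next serial number (serial), giving them newer mtimes
    touch -t 201301231000 "$dir/index.txt" "$dir/serial"
    # make -q only asks whether the targets are up to date (exit 0) or not
    if (cd "$dir" && make -q ca.key ca.pem >/dev/null 2>&1); then
        echo up-to-date
    else
        echo rebuild
    fi
    rm -rf "$dir"
}

# True when the installed make is GNU make, which is what order-only
# prerequisites (and, per the thread, the 2.2.1 Makefile) require; with a
# non-GNU make the "|" rule is a syntax error and reads as "rebuild".
is_gnu_make() {
    make --version 2>/dev/null | grep -q 'GNU Make'
}

# Walk the three variants: the 2.2.0 rule, the 2.2.1 fix from the thread
# (plain ca.cnf prerequisite; the recipe itself creates index.txt/serial)
# and the order-only alternative asked about.
for rule in 'ca.cnf index.txt serial' 'ca.cnf' 'ca.cnf | index.txt serial'; do
    printf '%-28s -> %s\n' "$rule" "$(ca_rule_effect "$rule")"
done
```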


Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-23 Thread Stephan Manske

On 23.01.2013, 21:03, Alan DeKok wrote:

> Stephan Manske wrote:
>> Unless the makefile in certs is provided by openssl, but I think this is
>> freeradius stuff, or?
>
>   It works for *everyone* else.  If you didn't use the Makefiles to
> create the certs, then don't blame FreeRADIUS.  If you did use them,

I do not blame anybody.

I have a problem using the makefile, I am only a little user and I tried
to figure out what the problem is. And I found a patch
https://github.com/FreeRADIUS/freeradius-server/commit/2d3f119cd8d9e99028f968db1ee108eb6f05db09#raddb/certs/Makefile
that causes this trouble for me, so I report this. No blame, no offense.

>   FreeRADIUS doesn't implement SSL.  OpenSSL does.  FreeRADIUS doesn't
> parse certs.  OpenSSL does.
>
>   Is that clear enough?

Tell me if I am wrong: (again, no offense! I do not have the deep look
into this stuff, I can only ask questions at my level of understanding the
code)

The actual makefile has:

ca.key ca.pem: ca.cnf index.txt serial

This makes ca.key dependent on the date of index.txt and serial.

Right?

Both files are updated every time a new client cert is built.

Right?

So, makefile thinks ca.key is outdated and should be renewed. (Before the
patch, makefile did not care about index.txt and serial.)

Right?

If yes, please read my posting from 19:53:53 benevolently.

Thanks,
Stephan



Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-23 Thread A . L . M . Buxey
Hi,

> IMHO these patch
> https://github.com/FreeRADIUS/freeradius-server/commit/2d3f119cd8d9e99028f968db1ee108eb6f05db09#raddb/certs/Makefile
> 
> with
> 
> +ca.key ca.pem: ca.cnf index.txt serial
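Review bot: the logic problem in this line is that index.txt and serial are ordinary prerequisites of ca.key and ca.pem while both files are rewritten on every signing run, so after each `make client` the CA rule is out of date again and the next run regenerates ca.key, invalidating every certificate issued under the previous key. The rule should fire only when ca.cnf changes or the files are missing; list the two files as order-only prerequisites instead, `ca.key ca.pem: ca.cnf | index.txt serial`, so they are still created when absent without their timestamps triggering a rebuild.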

You stated earlier that you didn't touch freeradius... that all you did was 
update OpenSSL to the latest version. To be affected by any change to 
certificate makefiles etc. you would have had to update/play with 
freeradius too, which you stated you didn't do.

alan


Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-23 Thread Alan DeKok
Stephan Manske wrote:
> I think I found the issue:
...
> makes ca.key dependant to the date of index.txt and serial
> 
> Both files are updated every time a new client cert is build. IMHO.

  OK.  That's a better explanation than "FreeRADIUS is wrong".

  There's a fix on github, which will be in 2.2.1.

  Alan DeKok.


Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-23 Thread Alan DeKok
Stephan Manske wrote:
> Unless the makefile in certs is provided by openssl, but I think this is
> freeradius stuff, or?

  The Makefile I pointed to was written by me.  It runs OpenSSL scripts
to create certificates.  It uses sample configurations written by me.

  It works for *everyone* else.  If you didn't use the Makefiles to
create the certs, then don't blame FreeRADIUS.  If you did use them,
then blame OpenSSL for creating certificates it can't read.

  FreeRADIUS doesn't implement SSL.  OpenSSL does.  FreeRADIUS doesn't
parse certs.  OpenSSL does.

  Is that clear enough?

  Alan DeKok.


Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-23 Thread Stephan Manske

On 22.01.2013 at 22:19, Alan DeKok wrote:

> Stephan Manske wrote:
>> [tls] --> verify return:1
>> --> verify error:num=7:certificate signature failure
>> [tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
>> TLS Alert write:fatal:decrypt error
>> TLS_accept: error in SSLv3 read client certificate B
>> rlm_eap: SSL error error:04067084:rsa
>> routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus
>
>   That's an SSL error.  It looks like the certificate being presented is
> wrong, or the client has made a mistake in SSL.

I think I found the issue:

Yes, it is an SSL problem, the ca.key and all the certs are incompatible.

And no, it is not only an SSL problem, it is a freeradius problem, too:


I made a new client certificate and this can be verified:

#openssl verify -verbose -CAfile ca.pem 0B.pem
0B.pem: OK

I made the next one:

openssl verify -verbose -CAfile ca.pem 0C.pem
0C.pem: OK

But the last one now:

# openssl verify -verbose -CAfile ca.pem 0B.pem
0B.pem: C = DE, ST = Somewhere, O = Manske EIS, OU = Radius_Managment, CN  
=  Smart, emailAddress = user@mail.example

error 7 at 0 depth lookup:certificate signature failure
3074770568:error:0407006A:rsa  
routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
3074770568:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding  
check failed:rsa_eay.c:721:
3074770568:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP  
lib:a_verify.c:215:



IMHO this patch
https://github.com/FreeRADIUS/freeradius-server/commit/2d3f119cd8d9e99028f968db1ee108eb6f05db09#raddb/certs/Makefile

with

+ca.key ca.pem: ca.cnf index.txt serial

makes ca.key dependent on the date of index.txt and serial.

Both files are updated every time a new client cert is built. IMHO.

And so, I had a look at the cert generation:

# touch serial
# make client
openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
Generating a 2048 bit RSA private key
.+++
...+++
writing new private key to 'client.key'
-
openssl req -new -x509 -keyout ca.key -out ca.pem \
-days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config  
./ca.cnf

Generating a 2048 bit RSA private key
.+++
+++
writing new private key to 'ca.key'

# touch serial
# make client
openssl req -new -x509 -keyout ca.key -out ca.pem \
-days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config  
./ca.cnf

Generating a 2048 bit RSA private key
.+++
..+++
writing new private key to 'ca.key'
-

and so on ...


With this newly generated ca.key the older certs cannot be validated  
anymore. But I do not think it is intended to generate a new ca.key  
every time, or am I wrong?




This looks similar to

https://github.com/FreeRADIUS/freeradius-server/commit/7394b88e4725d47727338400665396d3e96ac1a2#raddb/certs/Makefile

69  -server.crt: server.csr ca.key ca.pem index.txt serial
69 +server.crt: server.csr ca.key ca.pem
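Review bot: removing index.txt and serial from the server.crt prerequisites is only half of the fix; the ca.key/ca.pem rule from the other commit quoted above still lists both files as normal prerequisites, so a signing run still leaves the CA key pair out of date and the next make regenerates it. Give that rule the same treatment, or make the two files order-only (`| index.txt serial`) as in the rule below, which keeps them created when missing while their timestamps no longer trigger a rebuild.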

Before your patch I made this with an order-only prerequisite "|" in my  
private source:


server.crt: server.csr ca.key ca.pem | index.txt serial

I did this for the mentioned parts now, too:

######
#
#  Create a new self-signed CA certificate
#
##
ca.key ca.pem: ca.cnf | index.txt serial
openssl req -new -x509 -keyout ca.key -out ca.pem \
-days $(CA_DEFAULT_DAYS) -config ./ca.cnf



and it works:

# touch serial
# make client
openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
Generating a 2048 bit RSA private key
.+++
...+++
writing new private key to 'client.key'
-
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key `grep  
output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt  
-extensions xpclient_ext -extfile xpextensions -config ./client.cnf

Using configuration from ./client.cnf
Check that the request matches the signature
Signature ok
...

# touch serial
# make client
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key `grep  
output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt  
-extensions xpclient_ext -extfile xpextensions -config ./client.cnf

Using configuration from ./client.cnf
Check that the request matches the signature
Signature ok
Certificate Details:

even:

# touch serial
# make ca.key
make: `ca.key' is up to date.


I hope my thoughts are right and helpful.


Ciao, Stephan

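The dependency chain Stephan walks through above can be reproduced without OpenSSL. The script below is an added example, not FreeRADIUS code and not from the thread: it writes a hypothetical reduction of raddb/certs/Makefile in which the openssl commands are replaced by `touch` and the CA recipe appends a line to a counter file, then runs the sequence from the transcript (`make client`, `touch serial`, `make client`) once with the rule from the patch and once with the order-only form, and reports how often the CA key pair was generated. It needs GNU make on the path; everything else is POSIX sh.

```shell
#!/bin/sh
# Added example: reproduce the raddb/certs/Makefile dependency problem from
# the thread with a stand-in recipe (no OpenSSL needed) and show the
# order-only prerequisite fix. The Makefile written here is a hypothetical
# reduction of the real one: "signing" is a touch, and the ca.key recipe
# appends a line to ca.generations so regenerations can be counted.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# $1 = prerequisite list for the "ca.key ca.pem" rule under test.
write_makefile() {
    {
        # CA rule; the recipe stands in for "openssl req -new -x509 -keyout ca.key"
        printf 'ca.key ca.pem: %s\n' "$1"
        printf '\t@echo regenerated >> ca.generations\n\t@touch ca.key ca.pem\n\n'
        # Signing a client cert rewrites index.txt and serial, as "openssl ca" does
        printf 'client.crt: client.csr ca.key ca.pem\n'
        printf '\t@touch client.crt\n\t@echo "V client" >> index.txt\n\t@echo 02 > serial\n\n'
        printf 'client.csr: client.cnf\n\t@touch client.csr\n\n'
        printf 'client: client.crt\n.PHONY: client\n'
    } > "$WORK/Makefile"
}

# Start from an empty directory holding the inputs the real Makefile expects.
reset_workdir() {
    rm -f "$WORK"/ca.* "$WORK"/client.* "$WORK"/index.txt "$WORK"/serial
    : > "$WORK/ca.cnf"
    : > "$WORK/client.cnf"
    : > "$WORK/index.txt"
    echo 01 > "$WORK/serial"
}

# $1 = prerequisite list. Runs the sequence from the thread,
#     make client; touch serial; make client
# and prints how many times the CA key pair was generated.
ca_generations() {
    reset_workdir
    write_makefile "$1"
    make -s -C "$WORK" client >/dev/null
    sleep 1                   # make compares mtimes; keep the two runs apart
    touch "$WORK/serial"      # what every signing run does to this file
    make -s -C "$WORK" client >/dev/null
    wc -l < "$WORK/ca.generations" | tr -d ' '
}

echo "patched rule (index.txt serial as normal prerequisites):"
echo "  CA generated $(ca_generations 'ca.cnf index.txt serial') time(s)"    # 2: CA regenerated
echo "order-only rule (| index.txt serial):"
echo "  CA generated $(ca_generations 'ca.cnf | index.txt serial') time(s)"  # 1: CA kept
```

With the patched rule the CA recipe fires on both runs, which in the real Makefile means a fresh ca.key and every previously issued client certificate failing signature verification. With `| index.txt serial` the two files must still exist before the recipe runs, but their timestamps no longer make ca.key out of date, so the recipe fires only once.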


Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-23 Thread Stephan Manske
On 23.01.2013 at 19:53, Stephan Manske wrote:

> Yes, it is an SSL problem, the ca.key and all the certs are incompatible.
>
> And no, it is not only an SSL problem, it is a freeradius problem, too:

Unless the makefile in certs is provided by openssl, but I think this is  
freeradius stuff, or?

Ciao, Stephan



Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-22 Thread Alan DeKok
Stephan Manske wrote:
> regrettably no. All my certificate clients are affected. And there is at
> least one, namely my android, which connects every day. And this one has
> no problems for 3 days after update, and now it has the problem.

  Well, it's not a FreeRADIUS issue.  The error is in the SSL code, or
in the certificates.

> What is about all this stuff:
> 
> EAP-Message = 0x010304000dc009b3160301003102
> State = 0x7d1f9f227f1c92c8e3xx
> 
> and so on?

  There's nothing secret in that.

> Am I right when I suggest this certificate B is the CA certificate?

  I'm not really sure... the OpenSSL messages are vague.

> The certificate A has no problems (in the majority of cases I found via
> google cert A was the problem).
> 
>>   I would suggest manually verifying the certificates using the
>> "openssl" command-line tool.  It may be that the signatures are broken.
> 
> Any hint where I can find more to read about what I should test? Which
> parameters do I have to use with the openssl command?

  See raddb/certs/Makefile, it's all there.

> And there is no way to tell freeradius to tell openssl to give more
> debug information at this moment?

  That *is* all of the information OpenSSL can provide.

  Alan DeKok.


Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-22 Thread Stephan Manske

On 22.01.2013 at 23:44, Alan DeKok wrote:

> Stephan Manske wrote:
>> Any hint where I can find more to read about what I should test? Which
>> parameters do I have to use with the openssl command?
>
>   See raddb/certs/Makefile, it's all there.

OK, and I will try my luck at the OpenSSL community.

>> And there is no way to tell freeradius to tell openssl to give more
>> debug information at this moment?
>
>   That *is* all of the information OpenSSL can provide.

:-(


Thanks,
Stephan



Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-22 Thread Stephan Manske

On 22.01.2013 at 22:19, Alan DeKok wrote:

> Stephan Manske wrote:
>> to
>>
>> Internal Program Version: OpenSSL  1.0.1c
>
>   That might be the issue.  It's hard to say.  SSL is magic.
>
>> But I did this over three days before the errors occurred. In the
>> meantime freeradius worked well.
>
>   Maybe there's one client which *didn't* get login until after 3 days.

Regrettably no. All my certificate clients are affected. And there is at  
least one, namely my android, which connects every day. And this one had  
no problems for 3 days after the update, and now it has the problem.

>> So, here is a shortened output of radiusd -X (I hope I did not shorten
>> important things - by the way, are there parts of such a debug output I
>> should keep secret?)
>
>   Passwords, shared secrets.

What about all this stuff:

EAP-Message = 0x010304000dc009b3160301003102
State = 0x7d1f9f227f1c92c8e3xx

and so on?

>> [tls] --> verify return:1
>> --> verify error:num=7:certificate signature failure
>> [tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
>> TLS Alert write:fatal:decrypt error
>> TLS_accept: error in SSLv3 read client certificate B
>> rlm_eap: SSL error error:04067084:rsa
>> routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus
>
>   That's an SSL error.  It looks like the certificate being presented is
> wrong, or the client has made a mistake in SSL.

Am I right when I suggest this certificate B is the CA certificate?

The certificate A has no problems (in the majority of cases I found via  
google cert A was the problem).

>   I would suggest manually verifying the certificates using the
> "openssl" command-line tool.  It may be that the signatures are broken.

Any hint where I can find more to read about what I should test? Which  
parameters do I have to use with the openssl command?

>  And the OpenSSL upgrade added code which checked for that, where the
> older version of OpenSSL didn't check.
>
>   For SSL issues, we're completely at the mercy of OpenSSL.  If it says
> "bad certificate", then no amount of poking FreeRADIUS will make it
> work.  You've just got to create good certificates.

And there is no way to tell freeradius to tell openssl to give more debug  
information at this moment?


Ciao, Stephan



Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-22 Thread Alan DeKok
Stephan Manske wrote:
> First of all: this should not be a "how must I configure my freeradius to
> work?" problem. This installation with these certificates and this
> config worked very well for over 8 months. And suddenly I got the problem.

  OK.

> changes before the problem occurs: I updated openssl-packages from
> 
> Internal Program Version: OpenSSL  1.0.0j
> also included the old version 0.9.7m
> also included the old version 0.9.8x
> 
> to
> 
> Internal Program Version: OpenSSL  1.0.1c

  That might be the issue.  It's hard to say.  SSL is magic.

> But I did this over three days before the errors occurred. In the
> meantime freeradius worked well.

  Maybe there's one client which *didn't* get login until after 3 days.

> So, here is a shortened output of radiusd -X (I hope I did not shorten
> important things - by the way, are there parts of such a debug output I
> should keep secret?)

  Passwords, shared secrets.

> [tls] --> verify return:1
> --> verify error:num=7:certificate signature failure
> [tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
> TLS Alert write:fatal:decrypt error
> TLS_accept: error in SSLv3 read client certificate B
> rlm_eap: SSL error error:04067084:rsa
> routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus

  That's an SSL error.  It looks like the certificate being presented is
wrong, or the client has made a mistake in SSL.

  I would suggest manually verifying the certificates using the
"openssl" command-line tool.  It may be that the signatures are broken.
 And the OpenSSL upgrade added code which checked for that, where the
older version of OpenSSL didn't check.

  For SSL issues, we're completely at the mercy of OpenSSL.  If it says
"bad certificate", then no amount of poking FreeRADIUS will make it
work.  You've just got to create good certificates.

  Alan DeKok.


suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-22 Thread Stephan Manske

Hello!

I have a huge problem with freeradius 2.2.0 on my eisfair server  
(www.eisfair.org) and users using certificates to authenticate.

First of all: this should not be a "how must I configure my freeradius to  
work?" problem. This installation with these certificates and this  
config worked very well for over 8 months. And suddenly I got the problem.

Every client with user/pass still works fine.

The problem is about the users with certificates (Windows XP and Android).

The certificates are not outdated:

list of active certificates:
V 13-01-28 13:16:17 Z   01  unknown
  /C=DE/ST=Somewhere/O=Manske EIS/OU=Radius_Managment/CN=Manske  
Radius/emailAddress=xxx

(the server certificate)

V 14-02-17 13:16:54 Z   02  unknown
  /C=DE/ST=Somewhere/O=Manske EIS/OU=Radius_Managment/CN=User  
Name/emailAddress=xxx

(one of the problematic user certificates)

I tried it with check_crl = yes and no.

Changes before the problem occurred: I updated the openssl packages from

Internal Program Version: OpenSSL  1.0.0j
also included the old version 0.9.7m
also included the old version 0.9.8x

to

Internal Program Version: OpenSSL  1.0.1c

also included the old version 0.9.8x

But I did this over three days before the errors occurred. In the meantime  
freeradius worked well.

So, here is a shortened output of radiusd -X (I hope I did not shorten  
important things - by the way, are there parts of such a debug output I  
should keep secret?)



Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.x.x port 2049, id=2,  
length=141

User-Name = "User Name"
NAS-IP-Address = 192.168.x.x

# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "User Name", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry User Name at line 8
[files] expand: Hello, %{User-Name} -> Hello, User Name
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.   
Authentication may fail because of this.

++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled

[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 2 to 192.168.x.x port 2049
Reply-Message = "Hello, User Name"
EAP-Message = 0x010200060d20
Message-Authenticator = 0x00xx
State = 0x7d1f9f227c1d92c8e39x
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.x.x port 2049, id=2,  
length=227



[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry User Name at line 8
[files] expand: Hello, %{User-Name} -> Hello, User Name
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 77
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0048], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 08bb], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 00b8], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client  
certificate A

In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 77
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other)

Re: EAP / MSCHAP / Certificate Troubles

2012-11-08 Thread Jordan Dohms
Thanks.  Spent far too long looking at my certificates :)  Just needed
to give samba/winbind a restart.

J

On Thu, Nov 8, 2012 at 2:05 PM, Phil Mayers  wrote:
> On 11/08/2012 06:45 PM, Jordan Dohms wrote:
>
>> EAP-MSCHAPV2: Invalid authenticator response in success request
>
>
> This suggests the problem isn't certs, since you're inside the PEAP tunnel
> at this point.
>
> Check that samba/winbind are working ok, patched to the same level, etc. -
> it looks like the "well" known "mangling mschap response" issue.


Re: EAP / MSCHAP / Certificate Troubles

2012-11-08 Thread Phil Mayers

On 11/08/2012 06:45 PM, Jordan Dohms wrote:


EAP-MSCHAPV2: Invalid authenticator response in success request


This suggests the problem isn't certs, since you're inside the PEAP 
tunnel at this point.


Check that samba/winbind are working ok, patched to the same level, etc. 
- it looks like the "well" known "mangling mschap response" issue.



EAP / MSCHAP / Certificate Troubles

2012-11-08 Thread Jordan Dohms
Hey,

I need a bit of assistance.  Brief summary: I have two RADIUS servers
connected to different Active Directory domains.  I got through the
basic setup, EAP-PEAP / MSCHAP were working successfully
authenticating against both domains.

Then:
- I upgraded freeradius on both from 2.1.10 to 2.2.0.
- I generated new 'production' certificates on both servers.

Now one of them is broken.  Broken to the point where I can't even get
eapol_test to run with success (though ntlm_auth still authenticates
against AD properly).  Since I was getting the "EAP session for state
0x56783e8f517027f8 did not finish!" error, I figured I messed
something up badly with my new certs, so I blew away my
/etc/freeradius directory, reinstalled freeradius 2.2.0 again and
started from the ground up (it recreated the default certs).  Still
the same problem.  The other box is working flawlessly with 2.2.0 and
'production' certs.

From Server:
$ eapol_test -c peap-mschapv2.conf -s XXX

Output on successful server:
[snip]
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: EAP entering state SUCCESS
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
WPA: EAPOL processing complete
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state SUCCESS
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL - hexdump(len=32): fe a7 76 cd 59 70 e1 d2 fb 1d fe 66
32 7c 12 d5 5f f4 29 12 8b 82 0a 17 36 83 a1 b7 93 71 fb 61
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1  mismatch: 0
SUCCESS


Output on failed server:
[snip]
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=8 method=25 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=91) - Flags 0x00
EAP-PEAP: received 85 bytes encrypted data for Phase 2
EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=47): 1a 03 07 00 2e 53
3d 46 45 36 37 32 46 35 44 33 34 42 31 30 34 34 43 31 30 44 33 34 39
30 33 41 41 43 31 34 35 34 34 34 35 43 43 45 32 32 39
EAP-PEAP: received Phase 2: code=1 identifier=8 length=51
EAP-PEAP: Phase 2 Request: type=26
EAP-MSCHAPV2: RX identifier 8 mschapv2_id 7
EAP-MSCHAPV2: Received success
EAP-MSCHAPV2: Invalid authenticator response in success request
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: startWhen --> 0
EAPOL test timed out
EAPOL: EAP key not available
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0  mismatch: 1
FAILURE


And on the server debug, when it fails, I get an Access-Challenge,
followed by "EAP session for state 0x56783e8f517027f8 did not finish!"
 It's not Windows though, so I'm puzzled.

Server output on failure:
Sending Access-Challenge of id 7 to 127.0.0.1 port 48493
EAP-Message =
0x0108005b19001703010050cdc6ba2c896eb5118cfb064080452617ab9dac048c60afbdb3a962afa01555069719ac14235bae1e3108e284d27ef322609824fe6898c5cc497db9833039b37e92c921285a0b9bdbcafc0861676b5082
Message-Authenticator = 0x
State = 0xa24b0ed9a54317a0931e3b8d4f719448
Thu Nov  8 11:26:17 2012 : Info: Finished request 16.
Thu Nov  8 11:26:17 2012 : Debug: Going to the next request
Thu Nov  8 11:26:17 2012 : Debug: Waking up in 4.9 seconds.
Thu Nov  8 11:26:22 2012 : Info: Cleaning up request 9 ID 0 with timestamp +510
Thu Nov  8 11:26:22 2012 : Info: Cleaning up request 10 ID 1 with timestamp +510
Thu Nov  8 11:26:22 2012 : Info: Cleaning up request 11 ID 2 with timestamp +511
Thu Nov  8 11:26:22 2012 : Info: Cleaning up request 12 ID 3 with timestamp +511
Thu Nov  8 11:26:22 2012 : Info: Cleaning up request 13 ID 4 with timestamp +511
Thu Nov  8 11:26:22 2012 : Info: Cleaning up request 14 ID 5 with timestamp +511
Thu Nov  8 11:26:22 2012 : Info: Cleaning up request 15 ID 6 with timestamp +511
Thu Nov  8 11:26:22 2012 : Info: Cleaning up request 16 ID 7 with timestamp +511
Thu Nov  8 11:26:22 2012 : Debug: WARNING:
!!
Thu Nov  8 11:26:22 2012 : Debug: WARNING: !! EAP session for state
0xa24b0ed9a54317a0 did not finish!
Thu Nov  8 11:26:22 2012 : Debug: WARNING: !! Please read
http://wiki.freeradius.org/Certificate_Compatibility
Thu Nov  8 11:26:22 2012 : Debug: WARNING:
!!



Things I've already checked:
 - eap.conf is identical on both servers (I copied it over).
 - There were some old discussions about a Samba bug, but both servers
are running 3.5.6.
 - radtest with PAP / users file is still working successfully.

Can someone point me in the right direction?  Where should I be
looking?  Is something lingering from my certificates fail

Please ignore - unable to get common name from peer certificate

2012-10-28 Thread Wegener, Norbert
Please ignore. There was a typo in my config.


With best regards,


Norbert Wegener


TLS: unable to get common name from peer certificate

2012-10-28 Thread Wegener, Norbert
I can authenticate against an LDAP server. That server also offers ldaps, which 
I would like to use.
When trying an ldaps connection I get:

[ldap]  expand: dc=dom,dc=MYCOMPANY,dc=NET -> dc=dom,dc=MYCOMPANY,dc=NET
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 10.0.2.13:636, authentication 0
[ldap] setting TLS mode to 1
[ldap] bind as a...@dom.mycompany.net/secret to 10.0.2.13:636
TLS: unable to get common name from peer certificate.
[ldap] a...@dom.mycompany.net bind to 10.0.2.13:636 failed: Can't contact LDAP 
server
[ldap] (re)connection attempt failed

Is this a problem of freeradius (I am using 2.1.12) or something with the ldap 
server?



With best regards,


Norbert Wegener


Re: Help with 802.1x Certificate

2012-09-14 Thread Carl Peterson
You have three possible issues.

1). You need to chain all of the certs into one file.

2). MS requires that the cert have a "special purpose".  This is documented
and needs to be included in the CSR.  BS, but that's MS for you.

3). MS might not like wild cards.  Not sure about this but it may be an
issue.  Easy enough to test.  If 1 and 2 don't work, try with a
non-wildcard cert +1 and 2.  Post your results so we can all learn from it.

Carl Peterson



On Sep 14, 2012, at 10:44 AM, Tyller D wrote:

> On Fri, Sep 14, 2012 at 4:07 PM, Alan DeKok wrote:
>
>> Tyller D wrote:
>>> I have everything configured and working when I disabled "validate
>>> server Certificate" on windows.
>>> I have a wildcard certificate purchased from godaddy.com.
>>
>>   I'm not sure that will work.
>
> Is there a reason for that? Godaddy is in the list of servers to validate
> against?
>
>>> I had a problem when using it with apache as I had to add the
>>> intermediate chain in the config but can't find a place to do that in
>>> FreeRADIUS.
>>
>>   You should have the CA cert, and all of the certs leading to the
>> server certificate.
>
> Correct, I do. But which one do I add as "certificate_file" in eap.conf?
>
>>> When Auth fails because of validation then I get this in Freeradius debug
>>
>>   So... did you read eap.conf, and configure the certificates as
>> documented there?
>
> Are you referring to this?
>
>   - Windows requires the root certificates to be on the client PC.
> If it doesn't have them, you will see the same issue as above.
>
> I'm just guessing but it seems like that would be the cause.
>
>>> Is there something that I can do to get this to work?
>>
>>   Read the documentation?
>
> My question is, all the certificates leading to the server certificate -
> where do I add them?
>
>>   Alan DeKok.

Re: Help with 802.1x Certificate

2012-09-14 Thread Alan DeKok
Tyller D wrote:
> Is there a reason for that? Godaddy is in the list of servers to
> validate against?

  Because Windows has certain magical requirements on certificates.  If
the godaddy cert doesn't have them, authentication will fail.

  Alan DeKok.


Re: Help with 802.1x Certificate

2012-09-14 Thread Phil Mayers

On 14/09/12 15:38, Tyller D wrote:

> On Fri, Sep 14, 2012 at 4:07 PM, Alan DeKok wrote:
>
>> Tyller D wrote:
>>> I have everything configured and working when I disabled "validate
>>> server Certificate" on windows.
>>> I have a wildcard certificate purchased from godaddy.com.
>>
>>   I'm not sure that will work.
>
> Is there a reason for that? Godaddy is in the list of servers to
> validate against?

The wildcard might cause difficulty.

On the other hand, Windows might pay the wildcard no attention.

> My question is, all the certificates leading to the server certificate -
> where do I add them?

In the same file. This is documented in the default eap.conf:

#  If CA_file (below) is not used, then the
#  certificate_file below MUST include not
#  only the server certificate, but ALSO all
#  of the CA certificates used to sign the
#  server certificate.
certificate_file = ${certdir}/server.pem

That is, you put the server, intermediate and (optionally) root cert into 
${certdir}/server.pem

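The certificate_file rule Phil quotes (server certificate plus the CA certificates that signed it, in one file) is easy to get wrong by concatenating in the wrong order or leaving the intermediate out. The script below is an added example, not FreeRADIUS project code and not from the thread: it builds a constructed three-tier chain with the openssl command-line tool, writes the bundle the way the eap.conf comment describes, and checks the order of the certificates in the file before it is handed to the server. The names (Example Root CA, Example Intermediate CA, radius.example.test) and file names are placeholders; in practice the intermediate comes from the CA vendor (GoDaddy in this thread), and, as the eap.conf note Tyller quotes says, the root must be in the Windows client's own store. The server certificate is given the Server Authentication extended key usage, which is the "special purpose" Carl refers to.

```shell
#!/bin/sh
# Added example, not FreeRADIUS project code: build a constructed
# root -> intermediate -> server chain, assemble the bundle that eap.conf's
# certificate_file expects (server certificate first, then the CA certs
# that signed it) and check the ordering before using it.
# All names are hypothetical placeholders.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Subject and issuer of a PEM certificate, with the "subject="/"issuer="
# prefix removed so the two can be compared across OpenSSL versions.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^[a-z]*= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^[a-z]*= *//'; }

# Constructed chain: self-signed root, intermediate (CA:TRUE) signed by the
# root, and the RADIUS server certificate signed by the intermediate.
make_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Root CA" -keyout root.key -out root.pem >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Intermediate CA" -keyout inter.key -out inter.csr >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 365 -sha256 -extfile inter.ext -out inter.pem >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=radius.example.test" -keyout server.key -out server.csr >/dev/null 2>&1
    # serverAuth EKU: the purpose Windows supplicants check on the RADIUS cert
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:radius.example.test\n' > server.ext
    openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 365 -sha256 -extfile server.ext -out server.crt >/dev/null 2>&1
}

# The two bundles a practitioner is likely to produce: the correct one
# (leaf first) and the common mistake of putting the intermediate first.
make_bundles() {
    cat server.crt inter.pem > server.pem
    cat inter.pem server.crt > server-wrong.pem
}

# $1 = PEM bundle. Splits it into one file per certificate and checks that
# each certificate's issuer is the subject of the certificate that follows.
# Returns 0 when the bundle is ordered leaf-first, 1 otherwise.
check_bundle_order() {
    rm -f part.*.pem
    awk '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("part.%02d.pem", n) }
         n > 0 { print > f }' "$1"
    prev_issuer=""
    i=0
    for part in part.*.pem; do
        i=$((i + 1))
        subject="$(cert_subject "$part")"
        if [ "$i" -gt 1 ] && [ "$prev_issuer" != "$subject" ]; then
            echo "$1: certificate $i is '$subject', expected the previous issuer '$prev_issuer'"
            return 1
        fi
        prev_issuer="$(cert_issuer "$part")"
    done
    echo "$1: $i certificate(s), leaf first, chain order OK"
    return 0
}

# $1 = PEM bundle. Validates the leaf up to the root, using the rest of the
# bundle as untrusted intermediates, as a client that only holds the root
# has to do.
verify_bundle() {
    openssl verify -CAfile root.pem -untrusted "$1" server.crt >/dev/null 2>&1
}

make_chain
make_bundles
check_bundle_order server.pem                 # chain order OK
check_bundle_order server-wrong.pem || true   # reports the misordering
verify_bundle server.pem && echo "server.pem chains to the root"
```

The order check matters because OpenSSL's chain-file loading takes the first certificate in certificate_file as the server's own certificate and sends the rest as its chain; a bundle with the intermediate first presents the wrong certificate to the client. The chain verification is deliberately done against the root only, since that is all a Windows client will have in its store.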


Re: Help with 802.1x Certificate

2012-09-14 Thread Tyller D
On Fri, Sep 14, 2012 at 4:07 PM, Alan DeKok wrote:

> Tyller D wrote:
>> I have everything configured and working when I disabled "validate
>> server Certificate" on windows.
>> I have a wildcard certificate purchased from godaddy.com.
>
>   I'm not sure that will work.

Is there a reason for that? Godaddy is in the list of servers to validate
against?

>> I had a problem when using it with apache as I had to add the
>> intermediate chain in the config but can't find a place to do that in
>> FreeRADIUS.
>
>   You should have the CA cert, and all of the certs leading to the
> server certificate.

Correct, I do. But which one do I add as "certificate_file" in eap.conf?

>> When Auth fails because of validation then I get this in Freeradius debug
>
>   So... did you read eap.conf, and configure the certificates as
> documented there?

Are you referring to this?

  - Windows requires the root certificates to be on the client PC.
If it doesn't have them, you will see the same issue as above.

I'm just guessing but it seems like that would be the cause.

>> Is there something that I can do to get this to work?
>
>   Read the documentation?

My question is, all the certificates leading to the server certificate -
where do I add them?

>   Alan DeKok.

Re: Help with 802.1x Certificate

2012-09-14 Thread Alan DeKok
Tyller D wrote:
> I have everything configured and working when I disabled "validate
> server Certificate" on windows.
> I have a wildcard certificate purchased from godaddy.com.

  I'm not sure that will work.

> I had a problem when using it with apache as I had to add the
> intermediate chain in the config but can't find a place to do that in
> FreeRADIUS.

  You should have the CA cert, and all of the certs leading to the
server certificate.

> When Auth fails because of validation then I get this in Freeradius debug

  So... did you read eap.conf, and configure the certificates as
documented there?

> Is there something that I can do to get this to work?

  Read the documentation?

  Alan DeKok.


Re: Help with 802.1x Certificate

2012-09-14 Thread Phil Mayers

On 14/09/12 14:46, Tyller D wrote:

> Hi all,
>
> I would like to use FreeRadius to do 802.1x EAP-PEAP for wireless users.
>
> I have everything configured and working when I disabled "validate
> server Certificate" on windows.
> I have a wildcard certificate purchased from godaddy.com.
>
> I had a problem when using it with apache as I had to add the
> intermediate chain in the config but can't find a place to do that in
> FreeRadius.

Put the cert and the intermediate in the same file and use that as your 
"certificate_file". FreeRADIUS will pass it to OpenSSL, which will 
figure it out.



Help with 802.1x Certificate

2012-09-14 Thread Tyller D
Hi all,

I would like to use FreeRadius to do 802.1x EAP-PEAP for wireless users.

I have everything configured and working when I disabled "validate server
Certificate" on windows.
I have a wildcard certificate purchased from godaddy.com.

I had a problem when using it with apache as I had to add the intermediate
chain in the config but can't find a place to do that in FreeRadius.

So currently I have 3 files.

Private Key
Certificate
Intermediate Chain

When Auth fails because of validation then I get this in Freeradius debug

[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
[peap] WARNING: No data inside of the tunnel.
[peap] eaptls_process returned 7


Is there something that I can do to get this to work?

Regards,
Ryan

Re: Windows 7 Certificate

2012-07-26 Thread Phil Mayers

On 26/07/12 11:17, Ismael Yáñez wrote:

> I click on connect and it works, but I would like, if possible, to
> make this pop up disappear.

Pre-configure the trusted server cert and name under the network 
profile. You can do this using "netsh" XML profiles, Group Policy, or a 
tool such as su1x or others.

> Has anyone had this issue and if so know how to make it disappear?

It's normal. Windows doesn't know which of the known certs it should 
accept on a given connection until you tell it.

To be clear: the cert *is* built into windows. But you still need to 
tick the box next to it in the connect properties.



Windows 7 Certificate

2012-07-26 Thread Ismael Yáñez
Hi everybody,

I just installed and configured FreeRADIUS 2.1.10 successfully. I am using it 
to authenticate Wifi users. I got trial certificates from GeoTrust, which are 
supposed to be accepted by windows 7.

The thing is, that when I try to connect to my wifi network a window pops up 
saying something like (original is German):

The server "xx.xx.xx" presented a valid certificate from "GeoTrust Global CA", 
"GeoTrust Global CA" is however not configured as a valid anchor for the 
profile. In addition, the server "xx.xx.xx", which is being used to establish 
the connection,  is not configured as a valid NPS server for the profile.

(Original message in German)
Der Server "xx.xx.xx" stellte ein gültiges, von "GeoTrust Global CA" 
ausgestelltes Zertifikat dar. "GeoTrust Global CA" ist jedoch nicht als 
gültiger Vertrauensanker für das Profil konfiguriert. Außerdem ist der Server 
"xx.xx.xx" für das Profil nicht als gültiger NPS-Server konfiguriert, mit dem 
Verbindungen hergestellt werden können.
(End of original message)

I click on connect and it works, but I would like, if possible, to make this 
pop up disappear.

Has anyone had this issue and if so know how to make it disappear?

Regards,
-- 
Ismael Yáñez A.
Systemadministration

Rocket Internet GmbH | Johannisstraße 20 | 10117 Berlin | Deutschland
mobile: +49 162 290 4698 | mail: ismael.ya...@rocket-internet.de | skype: 
ismaelrocket
www.rocket-internet.de

Geschäftsführer: Dr. Johannes Bruder, Arnt Jeschke, Alexander Kudlich
Eingetragen beim Amtsgericht Berlin, HRB 109262 USt-ID DE256469659



RE: Certificate validation checkbox - windows 7 wired

2012-07-24 Thread Morris, Andi
Cheers both,
this is only happening for wired clients, so it's definitely not that they're 
wandering out of AP range.  Very odd why it would only happen for wired clients 
though.

Interesting to read that it's not necessarily a problem with the certificate, 
I'll double and triple check all my mschap and ntlm_auth configs first thing 
tomorrow.

I'll see if it still happens after I reinstall tomorrow and post full debugs 
and configs if so.

Thanks,
Andi

From: freeradius-users-bounces+amorris=cardiffmet.ac...@lists.freeradius.org 
[freeradius-users-bounces+amorris=cardiffmet.ac...@lists.freeradius.org] on 
behalf of Phil Mayers [p.may...@imperial.ac.uk]
Sent: 24 July 2012 17:13
To: freeradius-users@lists.freeradius.org
Subject: Re: Certificate validation checkbox - windows 7 wired

On 24/07/12 16:47, Morris, Andi wrote:
> Hi all,
>
> I'm getting an odd problem where even when my clients are configured not
> to validate the server certificate (test environment at the mo) on their
> wired connections they are failing to authenticate on one freeradius
> server but getting access-accept on another.
>
> Debug output shows the familiar:

Can you show the full debug?

It is VERY occasionally not SSL validation, but a failure of MSCHAP
mutual auth that causes this; often Samba has "gone funny", or there's
some ntlm_auth misconfiguration.


From 1st November 2011 UWIC changed its title to Cardiff Metropolitan 
University. From the 6th December 2011, as part of this change, all email 
addresses which included @uwic.ac.uk have changed to @cardiffmet.ac.uk. All 
emails sent from Cardiff Metropolitan University will now be sent from the new 
@cardiffmet.ac.uk address. Please could you ensure that all of your contact 
records and databases are updated to reflect this change. Further information 
can be found on the website 
here.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>


Re: Certificate validation checkbox - windows 7 wired

2012-07-24 Thread Phil Mayers

On 24/07/12 16:47, Morris, Andi wrote:

> Hi all,
>
> I'm getting an odd problem where even when my clients are configured not
> to validate the server certificate (test environment at the mo) on their
> wired connections they are failing to authenticate on one freeradius
> server but getting access-accept on another.
>
> Debug output shows the familiar:

Can you show the full debug?

It is VERY occasionally not SSL validation, but a failure of MSCHAP 
mutual auth that causes this; often Samba has "gone funny", or there's 
some ntlm_auth misconfiguration.



Re: Certificate validation checkbox - windows 7 wired

2012-07-24 Thread Matthew Newton
On Tue, Jul 24, 2012 at 03:47:03PM +, Morris, Andi wrote:
> I'm getting an odd problem where even when my clients are
> configured not to validate the server certificate (test
> environment at the mo) on their wired connections they are
> failing to authenticate on one freeradius server but getting
> access-accept on another.

That error is generated when the client goes away in the middle of
the EAP transaction. The most usual is that a Windows client sees
a server certificate that it doesn't like for some reason, such as
it missing the OIDs that Microsoft decided should be included.
Hence the certificate compatibility problem.

If you copy the server certs from the working server to the broken
one, does it all start to work then?

However, the client rejecting the cert isn't the only cause of
this - anything that causes the client to stop doing EAP can give
that error, for example client wandering out of range at the wrong
moment, or the wireless system (AP / wireless controller / etc)
disconnecting the client for some reason. EAP timers in Cisco
Wireless Controllers can give this issue if set incorrectly (e.g.
to the defaults... :) )

The error is basically "Hey, I was talking to you, but you've
stopped responding".

> Can anybody shed any light please?

Diff the configs & certs for a start.

Matthew



-- 
Matthew Newton, Ph.D. 

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 


Certificate validation checkbox - windows 7 wired

2012-07-24 Thread Morris, Andi
Hi all,

I'm getting an odd problem where even when my clients are configured not to 
validate the server certificate (test environment at the mo) on their wired 
connections they are failing to authenticate on one freeradius server but 
getting access-accept on another.



Debug output shows the familiar:

WARNING: !!
WARNING: !! EAP session for state 0xbec39c4bbac58529 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!



I accept that it's very likely I've messed something up with install of the 
secondary server, and am planning to wipe it and start again tomorrow and THEN 
introduce the production certificates, but I'm confused as to why this 
certificate compatibility issue would even be mentioned in the debug if my 
client is set to validate any server.



The odd thing is that my wireless clients are authenticating fine through this 
server, also set to not validate the server.



Can anybody shed any light please?



Cheers,

Andi




Re: More certificate trouble

2012-07-19 Thread alan buxey
Hi,

>I’ve since found a complete version of eap.conf on the freeradiusd wiki
>which has helped with all the extra variables required.  My server was
>preconfigured and lots of the extra options had been removed.  Still not
>completely working, but I’m a little wiser on the subject anyway.

the source tarball from freeradius.org - eg freeradius-server-2.1.12.tar.gz has 
the definitive eap.conf

I'd strongly suggest getting hold of it and using its provided raddb directory 
contents as the main reference - as a config file that gets butchered is a pain 
to recover from and doesn't let you know all the things you are missing.


alan