Client certs with MSCHAPV2 in PEAP
I would like to configure this setup using Freeradius. My WinXP client (Intel ProSET) supports this, but FR chokes on it when enabled. I've got PEAP-EAP-MSCHAPV2 working with just password authentication.

I noted this http://www.opensubscriber.com/message/freeradius-users@lists.freeradius.org/1873393.html but was unable to figure out where the DEFAULT EAP-TLS-Require-Client-Cert := Yes should be set.

Relative Linux/Freeradius noob, FC4/2.6.15-1.1831, Freeradius 1.0.4

Thanks,
Dan H

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Client certs with MSCHAPV2 in PEAP
Looks like that's set in the users file. As the entry for that email says, DEFAULT.

Dave Huff wrote:
> I noted this http://www.opensubscriber.com/message/freeradius-users@lists.freeradius.org/1873393.html but was unable to figure out where the DEFAULT EAP-TLS-Require-Client-Cert := Yes should be set.
Re: Client certs with MSCHAPV2 in PEAP
"Dave Huff" <[EMAIL PROTECTED]> wrote:
> I would like to configure this setup using Freeradius. My WinXP client
> (Intel ProSET) supports this, but FR chokes on it when enabled.

Would you be willing to run the server in debugging mode, as suggested in the FAQ, README, INSTALL, and daily on this list?

> I noted this
> http://www.opensubscriber.com/message/freeradius-users@lists.freeradius.org/1873393.html
> but was unable to figure out where the DEFAULT
> EAP-TLS-Require-Client-Cert := Yes should be set.

In the "users" file.

Alan DeKok.
RE: Client certs with MSCHAPV2 in PEAP
Alan DeKok wrote:
> "Dave Huff" <[EMAIL PROTECTED]> wrote:
> > I would like to configure this setup using Freeradius. My WinXP
> > client (Intel ProSET) supports this, but FR chokes on it when enabled.
>
> Would you be willing to run the server in debugging mode,
> as suggested in the FAQ, README, INSTALL, and daily on this list?

Sure, I thought my question needed a quick answer, but here I've included the log AFTER inserting the line in the users file, and turning on the client cert part of MSCHAPV2 in ProSET:

auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 71 to 192.168.0.1:1201
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0xd4448443a5823bb9ceffabd590f27721
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 71 with timestamp 43fcc0a4
Nothing to do. Sleeping until we see a request.

rad_recv: Access-Request packet from host 192.168.0.1:1201, id=72, length=243
User-Name = "[EMAIL PROTECTED]"
NAS-IP-Address = 192.168.0.1
NAS-Port = 0
Called-Station-Id = "00-0f-3d-3f-49-92"
Calling-Station-Id = "00-0e-35-60-27-1f"
NAS-Identifier = "HomeAP"
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0202006a19800060160301005b0157030143fcc0c5eb46025dd5e3662940ba6406
6bed01df2be7d94eb754c77da12672c33000390038003500160013000a00330032002f00
66000500040065006400630062006000150012000900140011000800030100
State = 0xd4448443a5823bb9ceffabd590f27721
Message-Authenticator = 0xdcd7050a2c3750c9314d44818cf15867
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: Looking up realm "b.com" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: No such realm "b.com"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 2 length 106
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry DEFAULT at line 75
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0780], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0074], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 72 to 192.168.0.1:1201
Re: Client certs with MSCHAPV2 in PEAP
"Dave Huff" <[EMAIL PROTECTED]> wrote:
> rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal certificate_unknown
> TLS Alert read:fatal:certificate unknown

SSL is telling FreeRADIUS that the certificate sent by the client is bad. You're probably doing EAP-TLS where the server has one cert, and the client has a cert signed by someone else entirely. For EAP-TLS to work, the client certs have to be signed by the server cert.

Alan DeKok.
RE: Client certs with MSCHAPV2 in PEAP
Alan DeKok wrote:
> "Dave Huff" <[EMAIL PROTECTED]> wrote:
> > rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal certificate_unknown
> > TLS Alert read:fatal:certificate unknown
>
> SSL is telling FreeRADIUS that the certificate sent by the client is bad.

That's what I thought too, but I configured the CA, server, and client certs all on Openssl pretty much like http://www.cisco.com/en/US/products/ps6379/products_configuration_guide_chapter09186a00805ac269.html

Windows is using the cert I installed from the linux box, at least I have a choice in ProSET. If Windows overrides for some reason, I wouldn't know... can I set a debug mode that would tell me?

> You're probably doing EAP-TLS where the server has one cert, and the client
> has a cert signed by someone else entirely. For EAP-TLS to work, the client
> certs have to be signed by the server cert.

Signed by the server cert or by the CA cert? I have a CA that signed the server and client certs, and the eap.conf file knows where server and CA certs are.

Dan

> Alan DeKok.
Re: Client certs with MSCHAPV2 in PEAP
"Dave Huff" <[EMAIL PROTECTED]> wrote:
> > For EAP-TLS to work, the client certs have to be
> > signed by the server cert.
> Signed by the server cert or by the CA cert? I have a CA that signed the
> server and client certs, and the eap.conf file knows where server and CA
> certs are.

If you're using 1.0.x, that won't work. It doesn't do certificate chains. The client cert MUST be signed by the server cert. Using a CA to sign them both won't work. I'm not even sure it will work in 1.1.0, to be honest.

Alan DeKok.
Re: Client certs with MSCHAPV2 in PEAP
Does this only apply if the supplicant uses a server cert during eap/tls? The reason I ask is that I'm using a client cert signed by my CA to do eap/tls, and it's working. I have not implemented the server cert as of yet.

-Bob

Alan DeKok wrote:
> If you're using 1.0.x, that won't work. It doesn't do certificate chains.
> The client cert MUST be signed by the server cert.
Re: Client certs with MSCHAPV2 in PEAP
Robert Myers <[EMAIL PROTECTED]> wrote:
> The reason I ask is that I'm using a client cert signed by my CA to do
> eap/tls, and it's working. I have not implemented the server cert as of
> yet.

Then it *should* work with PEAP. But I don't know of many people that use client certs with PEAP. I suspect no one has tested that, and that the client may be doing something different than with EAP-TLS.

My suggestion is don't use client certs with PEAP.

Alan DeKok.
re: Client certs with MSCHAPV2 in PEAP
"Dave Huff" wrote:
> > For EAP-TLS to work, the client certs have to be
> > signed by the server cert.
> Signed by the server cert or by the CA cert? I have a CA that signed the
> server and client certs, and the eap.conf file knows where server and CA
> certs are.

Alan DeKok wrote:
> If you're using 1.0.x, that won't work. It doesn't do certificate chains.
> The client cert MUST be signed by the server cert. Using a CA to sign them
> both won't work. I'm not even sure it will work in 1.1.0, to be honest.

In 1.1.0 I have chained client certificates and for me EAP-TLS works, if the client does not require the server to authenticate itself. The client cert is not signed by the server cert. It seems to be necessary, that if you have a root CA and an issuing CA, the CA_file must contain the certificates of both of them. If the client requires the server to authenticate itself, the whole process fails.

Norbert Wegener
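The chain point raised in the last two replies (a client cert issued by an intermediate CA only verifies when the trust file holds both the root and the issuing CA) can be checked offline with the OpenSSL CLI before touching eap.conf. This is an added example, not code from the thread or from FreeRADIUS; it builds a throwaway root CA, issuing CA and client cert (all subjects constructed for the demo) and assumes the openssl binary is installed:

```shell
#!/bin/sh
# Added example (not from the thread): build root CA -> issuing CA -> client cert
# in a temp dir, then check which CA_file contents let the client cert verify.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed root CA (subject is a constructed demo value).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Demo Root CA" -days 2 >/dev/null 2>&1

# Issuing (intermediate) CA signed by the root; it must carry CA:TRUE
# or OpenSSL will refuse to treat it as an issuer.
printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -keyout issuing.key -out issuing.csr \
  -subj "/CN=Demo Issuing CA" >/dev/null 2>&1
openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out issuing.crt -days 2 -extfile ca.ext >/dev/null 2>&1

# Client (supplicant) cert signed by the issuing CA, as in Norbert's setup.
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=client@example.test" >/dev/null 2>&1
openssl x509 -req -in client.csr -CA issuing.crt -CAkey issuing.key \
  -CAcreateserial -out client.crt -days 2 >/dev/null 2>&1

# Candidate CA_file contents: root only, issuing only, and the full chain.
cat root.crt > root_only.pem
cat issuing.crt > issuing_only.pem
cat root.crt issuing.crt > chain.pem

# verify_against FILE: exit 0 if client.crt chains to a trusted root using
# only the certificates in FILE (same check the TLS server performs).
verify_against() {
  openssl verify -CAfile "$1" client.crt >/dev/null 2>&1
}

for f in root_only.pem issuing_only.pem chain.pem; do
  if verify_against "$f"; then echo "$f: client cert verifies"
  else echo "$f: client cert does NOT verify"; fi
done
```

Only chain.pem passes: with root only the issuer is missing, and with issuing only the chain does not end at a trusted self-signed root.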