Re: Multiple EAP-TLS modules with different certificates

2010-04-06 Thread Thibault Le Meur

Hi All,

I just wanted to mark this thread as resolved.


Alan DeKok wrote:

> Yes.  Others use multiple certs & multiple EAP modules.


Thanks for this answer, this confirms that I'm on the right track.

Indeed it works now ;-)

I'll make more tests and will triple check my setup now that I know 
it's possible.

I had 2 issues:
* My access point controller wasn't really setting the per-SSID 
NAS-Identifier attribute. I had to fix the setup.
* My new certificate PEM file wasn't concatenated with the full 
certification path in the correct order (moreover I was told that 
respecting a bottom-up certification path order is sometimes important 
for the MS Windows supplicant).


Many thanks to Alan for his great help.

Best regards,
Thibault

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
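A check for the second issue listed above (the PEM bundle not in bottom-up order), as an added example that is not from this thread or from FreeRADIUS: it splits a bundle and verifies that each certificate is issued by the one that follows it, which is the order the server certificate file expects. The three-level chain it builds is constructed for the demo; the script assumes the openssl command-line tool is installed.

```shell
# Added example, not from the thread or from FreeRADIUS. Checks that a PEM
# bundle used as the FreeRADIUS server certificate file is in bottom-up order
# (server cert first, then each issuing CA), i.e. every cert's issuer is the
# subject of the cert that follows it. Assumes the openssl CLI; runs offline.

# check_chain_order BUNDLE.pem -> returns 0 if ordered, 1 otherwise
check_chain_order() {
    bundle="$1"
    tmp=$(mktemp -d) || return 1
    # split the bundle into cert-1, cert-2, ... and have awk report the count
    n=$(awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                         n > 0 { print > (d "/cert-" n) }
                         END { print n + 0 }' "$bundle")
    rc=0
    [ "$n" -gt 0 ] || rc=1
    i=1
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        # issuer_hash/subject_hash hash the canonical DN, so they compare
        # cleanly whatever DN print format this openssl build uses
        if [ "$(openssl x509 -in "$tmp/cert-$i" -noout -issuer_hash)" != \
             "$(openssl x509 -in "$tmp/cert-$j" -noout -subject_hash)" ]; then
            echo "certificate $i is not issued by certificate $j" >&2
            rc=1
        fi
        i=$j
    done
    rm -rf "$tmp"
    return $rc
}

# make_test_chain DIR: constructed throw-away root -> intermediate -> server
# chain, written both as a good (bottom-up) and a bad (top-down) bundle
make_test_chain() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/server.pem" 2>/dev/null
    cat "$d/server.pem" "$d/int.pem" "$d/root.pem" > "$d/good-bundle.pem"  # correct
    cat "$d/root.pem" "$d/int.pem" "$d/server.pem" > "$d/bad-bundle.pem"   # the thread's mistake
}
```

Run `check_chain_order /path/to/bundle.pem` against the file named in the eap module's tls section before restarting the server; a non-zero exit names the first certificate that is out of place.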


Re: Multiple EAP-TLS modules with different certificates

2010-04-02 Thread Thibault Le Meur

Hi Alan,
Thank you for your prompt answer.

Alan DeKok wrote:

> Yes.  Others use multiple certs & multiple EAP modules.


Thanks for this answer, this confirms that I'm on the right track.


>> A quick look at FR debug logs confirms, as far as I can read them, that
>> the client is refusing the radius server certificate.
>
> I don't think that's in the debug log.

You're right, it's not clearly written in the FR logs, but the fact that the 
TLS exchanges just stop at a given time helped me suppose the origin of 
the problem (which is confirmed by reconfiguring the supplicant).



>> Is there a client tool to check which certificate is used by FR?
>
> wireshark might do it.

You're right, I'll do this.

  

>> Have I missed something in the setup?
>
> Did you test each piece in isolation before putting it all together?

No, because I'm working on my production radius server and I didn't want 
to break my old SSID (which I unintentionally did anyway for 5 minutes).


I'll make more tests and will triple check my setup now that I know it's 
possible.


Many thanks again for your answer.

Regards,
Thibault



Multiple EAP-TLS modules with different certificates

2010-03-31 Thread Thibault Le Meur

Hi,

I'm about to change the CA of my radius server certificate. At the same 
time I've installed a new wifi network and plan to change the SSID as 
well (authentication is EAP-TTLS or EAP-PEAP).


In order to avoid a complete breakout when I change the certificate of 
my radius server (because a manual operation is required on the 
supplicant side to select the new CA), I'd like to configure FR so that:
* when the WiFi client connects to the SSID1, the server uses the old 
certificate and key,
* and when the client uses the SSID2, the radius server uses the new 
certificate and key


Is this possible?

I've already tried such a configuration by:
* defining 2 eap modules let's say eapOld and eapNew (each with its 
own key and cert)
* making sure that depending on the SSID, the access-point sets a 
different NAS-Identifier (let's say ID1 and ID2) in the Access-request

* in the virtual FR server, I've used unlang to run either eap module:
  in authorize:
    # pick the eap instance from the NAS-Identifier the AP sends per SSID
    if ("%{request:NAS-Identifier}" == "ID1") {
      eapOld {
        ok = return
      }
    }

    if ("%{request:NAS-Identifier}" == "ID2") {
      eapNew {
        ok = return
      }
    }
  in authenticate:
    # each eap instance sets Auth-Type to its own instance name
    Auth-Type eapNew {
      eapNew
    }
    Auth-Type eapOld {
      eapOld
    }
in eap.conf: the two eap modules only differ from their certificate/key, 
they redirect to the same inner-tunnel virtual server.


The result so far is that with such setup my wireless clients can't 
connect at all when they check the certificate, but can connect when 
they don't (no matter what setup is done on the client side). Of course 
I've installed the 2 certificates on the client to check this.


A quick look at FR debug logs confirms, as far as I can read them, that 
the client is refusing the radius server certificate.


Is there a client tool to check which certificate is used by FR?
Have I missed something in the setup?

I've tried to turn on the Windows EAP logs, but they aren't very easy to read 
as far as TLS/TTLS/PEAP authentication is concerned!


Environment: FR is 2.1.1, clients used Windows XP SP3 and Windows 7.

Thanks a lot for your ideas, proposals, ...

Best regards,
Thibault


Re: Multiple EAP-TLS modules with different certificates

2010-03-31 Thread Alan DeKok
Thibault Le Meur wrote:
> In order to avoid a complete breakout when I change the certificate of
> my radius server (because a manual operation is required on the
> supplicant side to select the new CA), I'd like to configure FR so that:
> * when the WiFi client connects to the SSID1, the server uses the old
> certificate and key,
> * and when the client uses the SSID2, the radius server uses the new
> certificate and key
>
> Is this possible?

  Yes.  Others use multiple certs & multiple EAP modules.

> The result so far is that with such setup my wireless clients can't
> connect at all when they check the certificate, but can connect when
> they don't (no matter what setup is done on the client side). Of course
> I've installed the 2 certificates on the client to check this.
>
> A quick look at FR debug logs confirms, as far as I can read them, that
> the client is refusing the radius server certificate.

  I don't think that's in the debug log.

> Is there a client tool to check which certificate is used by FR?

  wireshark might do it.

> Have I missed something in the setup?

  Did you test each piece in isolation before putting it all together?

> I've tried to turn on Windows EAP log, but they aren't very easy to read
> as far as TLS/TTLS/PEAP authentication is concerned!

  They're horrible...

  Alan DeKok.