Re: PEAP using different CA?

2013-07-11 Thread Mathieu Simon
Hi Fernando

2013/7/10 Fernando Hammerli 

> Got it now, as you said.
>
> Using the public CA certs on certificate_file (and related private key),
> and included the public CA chain on the CA_file (together with my own CA).
>
Yep, mostly, except that I put the private key not inside certificate_file
but separately into private_key_file (although the config says that you can
put it in the same file).

>
> Still needs more testing (in more environments), but seems to be working.
>
Make sure to test with a variety of devices/OS.
Windows (as it has shown to me and as the wiki says) is very picky, while
Android I've seen simply ignore server certificate data and continue.

Make sure not to put a CA cert bundle from your CA + your cert inside
certificate_file, but only those certs used in the chain of trust, so you
don't get over 64k (see
http://wiki.freeradius.org/guide/Certificate%20Compatibility).

-- Mathieu
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: PEAP using different CA?

2013-07-10 Thread Fernando Hammerli
Got it now, as you said.

Using the public CA certs on certificate_file (and related private key),
and included the public CA chain on the CA_file (together with my own
CA). Still needs more testing (in more environments), but seems to be
working.

Thanks!

>
> Check the difference of CA_file (containing root CA cert of your
> internal CA), but set server cert
> (including cert chain) inside certificate_file.
>
> (http://lists.freeradius.org/pipermail/freeradius-users/2013-April/065990.html)
>
> Regards,
> Mathieu

Re: PEAP using different CA?

2013-07-10 Thread Fernando Hammerli
Hi Mathieu, thanks for your reply.

It's not clear to me what exactly has to be done.

So, I'll place both server certificates inside the certificate_file,
correct? Do I declare it only under the 'tls' section (not on the peap)?
How does FR know which certificate to use for each method?
How do I declare both private keys?

Sorry for my stupid questions.

Thanks,
Fernando.

On 10/07/2013 10:44, Mathieu Simon wrote:
> Hi
>
> As a possible hint since your question sounds similar to an issue I had:
>
> I was looking to provide a server-side certificate to my clients from
> a public CA but only allow clients to authenticate via EAP-TLS when
> presenting a cert from our internal CA, which avoids the misconfiguration
> to trust any certificate issued by the public CA.
>
> Check the difference of CA_file (containing root CA cert of your
> internal CA), but set server cert (including cert chain) inside
> certificate_file.
>
> (http://lists.freeradius.org/pipermail/freeradius-users/2013-April/065990.html)
>
> Regards,
> Mathieu

Re: PEAP using different CA?

2013-07-10 Thread Alan Buxey
Use a deployment tool, as then things like CN checks are done.

alan


Re: PEAP using different CA?

2013-07-10 Thread Fernando Hammerli
Hi, thanks for your reply (and to the others as well),

> Just put both CAs in the directory pointed to by CA_path. 

Currently my CA_path is where my users' certificates are stored.
I thought I had to offer a different server certificate to the user. I
was able to make it work (PEAP only, not the TLS) by pointing to that
certificate via 'certificate_file =' and the public CA chain via
'CA_file ='.

Could you give me a hint about your tip? That seems to be easier.

I agree 100% about the security concerns on using a public CA. The
problem is that we need to make the usage process as simple as possible.
Students and teachers are easier to help, but we have seasonal/sporadic
users (short courses, seminars), and requiring any intervention has been
creating complaints (and is considered annoying). Even a simple root CA
installation procedure (for Windows-only clients) is considered
annoying. So that's why we are considering the public CA - Microsoft could
have done things easier for us :)

Thanks!
Fernando.



Re: PEAP using different CA?

2013-07-10 Thread Stefan Winter
Hello,

>>> To avoid the need of installing our CA certificate on every Windows
>>> machine, we´ll buy the server certificate from a public CA.

Having the CA cert installed only does half of the job; for EAP
configuration purposes, the CA must be explicitly marked as trusted /for
this EAP identity/.

So you still need to tell users to set a checkbox besides that CA. The
difference to importing the CA before that is not much more work; on
Windows, it's a couple of clicks only.

> If this is a usability issue, I recommend you look at dissolvable setup 
> clients like cloudpath, or investigate the various certificate/settings 
> bundles that things like iPhones support.

And since he is from a university and likely his deployment is an
eduroam one, you should also mention the dissolvable client setup tool
"eduroam CAT", https://cat.eduroam.org , which is free and tailored to
eduroam.

It will install private CAs just as well, and just as automated, as it
does commercial CAs.

Greetings,

Stefan Winter



-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

Re: PEAP using different CA?

2013-07-10 Thread Mathieu Simon
Hi

As a possible hint since your question sounds similar to an issue I had:

I was looking to provide a server-side certificate to my clients from a
public CA but only allow clients to authenticate via EAP-TLS when
presenting a cert from our internal CA, which avoids the misconfiguration
to trust any certificate issued by the public CA.

Check the difference of CA_file (containing root CA cert of your internal
CA), but set server cert (including cert chain) inside certificate_file.

(http://lists.freeradius.org/pipermail/freeradius-users/2013-April/065990.html)

Regards,
Mathieu

Re: PEAP using different CA?

2013-07-10 Thread A.L.M. Buxey
Hi,

> Currently we have 1000s of users' self-signed certificates (EAP-TLS),
> and we're planning to move our main authentication method to PEAP, but
> keeping the certificates in use while valid.
> 
> To avoid the need of installing our CA certificate on every Windows
> machine, we'll buy the server certificate from a public CA.
> Can FreeRADIUS allow me to have both methods at the same time, i.e. the
> PEAP with the public CA and certificate users with our 'self-signed' CA?

Easy / easier with FreeRADIUS 3, as you can define different TLS parameters
for each EAP IIRC :-)

alan
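As an added example (mine, not configuration posted in this thread or shipped by the FreeRADIUS project), this is what Alan's FreeRADIUS 3 remark looks like in practice: a mods-enabled/eap fragment with one tls-config per EAP method. PEAP presents the commercially signed server chain, while EAP-TLS verifies client certificates against the internal CA only, so a client certificate issued by the public CA is not accepted, which is the misconfiguration Mathieu warns about earlier in the thread. It also follows Mathieu's advice that certificate_file holds only the server leaf plus the intermediates in its chain (not the CA's whole bundle, to stay under 64k) and that the key lives in private_key_file. The file names under ${certdir} and ${cadir} are assumptions; ${certdir}, ${cadir} and inner-tunnel are the defaults from a stock FreeRADIUS 3 radiusd.conf.

```conf
# Added example: FreeRADIUS 3.x mods-enabled/eap fragment (not from the thread).
# File names under ${certdir}/${cadir} are assumed for illustration.
eap {
	default_eap_type = peap

	# TLS settings used by PEAP: server identity from the public CA.
	tls-config tls-public {
		private_key_file = ${certdir}/public-server.key
		# Leaf certificate followed ONLY by the intermediates that
		# complete its chain; no full CA bundle here (keep it under 64k).
		certificate_file = ${certdir}/public-server-chain.pem
		# Trust anchor for any client cert presented on this method;
		# PEAP clients normally present none.
		ca_file = ${cadir}/public-root.pem
		dh_file = ${certdir}/dh
		cipher_list = "DEFAULT"
	}

	# TLS settings used by EAP-TLS: client certs must chain to the
	# internal CA only, so certificates from the public CA are rejected.
	tls-config tls-internal {
		private_key_file = ${certdir}/public-server.key
		certificate_file = ${certdir}/public-server-chain.pem
		# Deliberately NOT the public root: only the internal CA is trusted
		# for client authentication.
		ca_file = ${cadir}/internal-root.pem
		dh_file = ${certdir}/dh
		cipher_list = "DEFAULT"
	}

	# Existing EAP-TLS users keep working against the internal CA.
	tls {
		tls = tls-internal
	}

	# New PEAP users get the public-CA server certificate.
	peap {
		tls = tls-public
		default_eap_type = mschapv2
		virtual_server = "inner-tunnel"
	}

	mschapv2 {
	}
}
```

Both tls-config sections may reference the same server certificate and key (as shown) or different ones; the security-relevant difference is ca_file, which decides whose client certificates EAP-TLS accepts. In FreeRADIUS 2 there is a single tls section shared by all methods, which is why Mathieu's approach there was to keep the public server chain in certificate_file and put only the internal root in CA_file.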


Re: PEAP using different CA?

2013-07-10 Thread Arran Cudbard-Bell

On 10 Jul 2013, at 13:38, Alan DeKok wrote:

> Fernando Hammerli wrote:
>> To avoid the need of installing our CA certificate on every Windows
>> machine, we´ll buy the server certificate from a public CA.
>> Can Freeradius allow me to have both methods at the same time, ie, the
>> PEAP with the public CA and certificate users with our 'self-signed' CA?
> 
>  Just put both CAs in the directory pointed to by CA_path.
> 
>  And using a public CA is usually not a good idea.  It means that your
> users will trust *any* certificate signed by that CA, not just your
> certificate.

Well that's not strictly true. Most supplicants support specifying the CN of 
the certificate presented, but yes, it's still better to use your own CA and 
deploy it as part of enrolment. There is absolutely no security advantage to 
using a commercial CA, and several disadvantages.

If this is a usability issue, I recommend you look at dissolvable setup clients 
like cloudpath, or investigate the various certificate/settings bundles that 
things like iPhones support.

Arran Cudbard-Bell 
FreeRADIUS Development Team



Re: PEAP using different CA?

2013-07-10 Thread Alan DeKok
Fernando Hammerli wrote:
> To avoid the need of installing our CA certificate on every Windows
> machine, we´ll buy the server certificate from a public CA.
> Can Freeradius allow me to have both methods at the same time, ie, the
> PEAP with the public CA and certificate users with our 'self-signed' CA?

  Just put both CAs in the directory pointed to by CA_path.

  And using a public CA is usually not a good idea.  It means that your
users will trust *any* certificate signed by that CA, not just your
certificate.

  Alan DeKok.


PEAP using different CA?

2013-07-10 Thread Fernando Hammerli
Hi,

Currently we have 1000s of users' self-signed certificates (EAP-TLS),
and we're planning to move our main authentication method to PEAP, but
keeping the certificates in use while valid.

To avoid the need of installing our CA certificate on every Windows
machine, we'll buy the server certificate from a public CA.
Can FreeRADIUS allow me to have both methods at the same time, i.e. the
PEAP with the public CA and certificate users with our 'self-signed' CA?

Thanks in advance,

Fernando Hämmerli
Pontifícia Universidade Católica do Rio de Janeiro
