Re: Certificate-based client side authentication towards a website with freeradius
Martin,

You are correct that you need a modified TLS library, EAP module and GUI for configuring EAP parameters integrated with each client. It is quite feasible with Firefox. The modified library, EAP module (library) can be made as a patch to Firefox; Microsoft IE is another story.

Thanks,
Jay

On Thu, Jul 9, 2009 at 2:56 AM, Martin Schneider wrote:
> Hello Jay
>
>> The Internet Draft addresses what you described in web client/Apache
>> server and mail client and mail server applications. The TLS-EAP
>> extension is leveraging existing user credential and profile in AAA
>> server. In addition, you have flexibility to choose different
>> authentication method using EAP. You can use token based
>> authentication or client Certificate based authentication.
>
> What I still do not understand completely is the Client side
> integration into existing software, e.g. Firefox which has its own TLS
> implementation. So, theoretically you need to modify the TLS
> implementation of each Client program so that it can handle the
> InterimAuth Message and forward the following EAPMessages to the
> EAP-Infrastructure.
>
>> What kind of mail client/mail server and web client/web server are you using?
>
> Well I think we'll use Firefox / Apache2.
>
> Best Regards
> Martin

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Certificate-based client side authentication towards a website with freeradius
Hello Jay

> The Internet Draft addresses what you described in web client/Apache
> server and mail client and mail server applications. The TLS-EAP
> extension is leveraging existing user credential and profile in AAA
> server. In addition, you have flexibility to choose different
> authentication method using EAP. You can use token based
> authentication or client Certificate based authentication.

What I still do not understand completely is the Client side integration into existing software, e.g. Firefox which has its own TLS implementation. So, theoretically you need to modify the TLS implementation of each Client program so that it can handle the InterimAuth Message and forward the following EAPMessages to the EAP-Infrastructure.

> What kind of mail client/mail server and web client/web server are you using?

Well I think we'll use Firefox / Apache2.

Best Regards
Martin
Re: Certificate-based client side authentication towards a website with freeradius
Martin,

The Internet Draft addresses what you described in web client/Apache server and mail client and mail server applications. The TLS-EAP extension is leveraging existing user credential and profile in AAA server. In addition, you have flexibility to choose different authentication method using EAP. You can use token based authentication or client Certificate based authentication.

What kind of mail client/mail server and web client/web server are you using?

I am recruiting more volunteers for the project and I will keep you posted of my progress.

Thanks,
jay

On Thu, Jul 2, 2009 at 3:16 AM, Martin Schneider wrote:
> Hello Jay
>
>> If you want to leverage the existing user profiles in the RADIUS
>> server for authentication, authorization, this Internet Draft TLS-EAP
>> Extension http://tools.ietf.org/html/draft-nir-tls-eap-06 might be
>> what you are looking for. Unfortunately, there is no implementation up
>> to date as far as I know.
>>
>> I am designing and developing the software for this Internet draft
>> based on OpenSSL, EAP module from wpa-supplicant and freeradius
>> client. Please let me know any special requirements if you are
>> interested in using TLS-EAP Extension.
>
> I read the draft you mentioned above and I'm not 100% sure if I
> understood it correctly.
>
> So basically spoken the authentication/authorization becomes more or
> less independent from the application using this software/draft.
> There's an authentication/authorization infrastructure besides client
> and service that is generic and can be used for *different* services.
> So, e.g. I can use it for authentication/authorization for a
> webbrowser towards apache, for a mailclient towards the mailservice
> etc.
>
> If it is like that, this sounds pretty amazing and would give us
> exactly what we need.
>
> Best regards!
> M
Re: Certificate-based client side authentication towards a website with freeradius
Hello Jay

> If you want to leverage the existing user profiles in the RADIUS
> server for authentication, authorization, this Internet Draft TLS-EAP
> Extension http://tools.ietf.org/html/draft-nir-tls-eap-06 might be
> what you are looking for. Unfortunately, there is no implementation up
> to date as far as I know.
>
> I am designing and developing the software for this Internet draft
> based on OpenSSL, EAP module from wpa-supplicant and freeradius
> client. Please let me know any special requirements if you are
> interested in using TLS-EAP Extension.

I read the draft you mentioned above and I'm not 100% sure if I understood it correctly.

So basically spoken the authentication/authorization becomes more or less independent from the application using this software/draft. There's an authentication/authorization infrastructure besides client and service that is generic and can be used for *different* services. So, e.g. I can use it for authentication/authorization for a webbrowser towards apache, for a mailclient towards the mailservice etc.

If it is like that, this sounds pretty amazing and would give us exactly what we need.

Best regards!
M
Re: Certificate-based client side authentication towards a website with freeradius
Martin,

If you want to leverage the existing user profiles in the RADIUS server for authentication, authorization, this Internet Draft TLS-EAP Extension http://tools.ietf.org/html/draft-nir-tls-eap-06 might be what you are looking for. Unfortunately, there is no implementation up to date as far as I know.

I am designing and developing the software for this Internet draft based on OpenSSL, EAP module from wpa-supplicant and freeradius client. Please let me know any special requirements if you are interested in using TLS-EAP Extension.

Thanks,
jay

On Wed, Jul 1, 2009 at 2:14 PM, Alan DeKok wrote:
> Martin Schneider wrote:
>> We need also authorization. So we want to
>>
>> 1.) check if the certificate is signed by a "trusted ca"
>
> That is done by the normal certificate validation process.
>
>> 2.) check if the username x in the certificate is "known"
>
> What does that mean? If the CA signed the certificate, then the
> username is known. Why would the CA sign a certificate for an unknown user?
>
>> 3.) check if the user with name x is authorized to access the service.
>
> That can be done with RADIUS.
>
> Alan DeKok.
Re: Certificate-based client side authentication towards a website with freeradius
Martin Schneider wrote:
> We need also authorization. So we want to
>
> 1.) check if the certificate is signed by a "trusted ca"

That is done by the normal certificate validation process.

> 2.) check if the username x in the certificate is "known"

What does that mean? If the CA signed the certificate, then the username is known. Why would the CA sign a certificate for an unknown user?

> 3.) check if the user with name x is authorized to access the service.

That can be done with RADIUS.

Alan DeKok.
Re: Certificate-based client side authentication towards a website with freeradius
I think I need to clarify my question a little:

>> we're trying to set up a freeradius / apache installation that allows
>> us to authenticate and authorize users with *certificates* towards a
>> website.

We want to have *multiple* services, not only just one service. If we would only have one service, we could of course use certificate revocation lists, as Ivan Kalik suggested in a mail to me.

So, we first want to authenticate the user and later authorize him for finding out if she has the rights to access the desired service.

Best regards,
M.
Re: Certificate-based client side authentication towards a website with freeradius
Hi Ivan

> Why use radius to check certificates when Apache can do it?
>
> http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html

Thanks for this reply. We need also authorization. So we want to

1.) check if the certificate is signed by a "trusted ca"
2.) check if the username x in the certificate is "known"
3.) check if the user with name x is authorized to access the service.

For (2 and) 3 I thought we'd need radius. The authorization could be stored in a database that can be easily modified.

Best regards,
M.
Re: Certificate-based client side authentication towards a website with freeradius
> we're trying to set up a freeradius / apache installation that allows
> us to authenticate and authorize users with *certificates* towards a
> website.
>
> Is there a good tutorial out there somewhere? We did only find
> partial information that seems to be quite old unfortunately. Or could
> somebody who is deep into this matter please give some advice or ideas
> how we can solve our task?

Why use radius to check certificates when Apache can do it?

http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html

Ivan Kalik
Kalik Informatika ISP
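The three checks Martin lists in the thread (certificate chains to a trusted CA, the user named in the certificate is known, that user is allowed to use a particular service) can all be expressed in the Apache mod_ssl configuration Ivan points to, as long as the authorization data fits in a file rather than a RADIUS or SQL back end. The configuration below is an added example, not a snippet from the thread or from the Apache documentation; the virtual host name, certificate and key paths, CA file, user/group file locations, DN values and the `/service-a`, `/service-b` and `/admin` locations are all assumed placeholders.

```apache
# Added example; all paths, names and DN values are placeholders, not from the thread.
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.org.key

    # Check 1: the client must present a certificate issued by our own CA.
    # Only the CA certificate(s) in this file are trusted for client auth, and
    # the depth limit of 1 means the client cert must be signed directly by it,
    # so an intermediate issued elsewhere is not accepted.
    SSLCACertificateFile /etc/ssl/certs/internal-client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Check 2: turn the verified certificate's one-line Subject DN into an HTTP
    # user name so the ordinary mod_auth machinery decides whether it is "known".
    # With +FakeBasicAuth mod_ssl synthesises a Basic-auth header whose user is the
    # DN and whose password is always the literal string "password", whose DES
    # crypt() form is xxj31ZMTZzkVA. The user file is therefore a whitelist of DNs:
    #   /C=DE/O=Example/CN=alice:xxj31ZMTZzkVA
    #   /C=DE/O=Example/CN=bob:xxj31ZMTZzkVA
    # +StrictRequire makes a failed SSLRequire deny access even under "Satisfy any".
    SSLOptions +FakeBasicAuth +StrictRequire
    AuthType Basic
    AuthName "Client certificate required"
    AuthUserFile  /etc/apache2/cert-users
    # Group file, one service per line, members are the same DNs (space separated,
    # so this only works for DNs that contain no spaces; otherwise use SSLRequire):
    #   service-a: /C=DE/O=Example/CN=alice /C=DE/O=Example/CN=bob
    #   service-b: /C=DE/O=Example/CN=alice
    AuthGroupFile /etc/apache2/cert-groups

    # Check 3: per-service authorization. A DN listed in the user file but not in
    # the service's group gets a 403 for that Location only.
    <Location /service-a>
        Require group service-a
    </Location>
    <Location /service-b>
        Require group service-b
    </Location>

    # Variant without the Basic-auth indirection: SSLRequire evaluates certificate
    # fields directly. Useful for a small static list; the rule below admits only
    # CNs alice and carol from organisation "Example".
    <Location /admin>
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example" and \
                   %{SSL_CLIENT_S_DN_CN} in {"alice", "carol"}
    </Location>
</VirtualHost>
```

The point of splitting the checks this way is that revoking a user's access to one service is a one-line edit of the group file (or, with the dbd authn/authz providers substituted for the flat files, a database row), while the certificate itself stays valid for the other services, which is the multi-service case Martin says a plain CRL cannot express. `SSLVerifyClient require` still has to be paired with a current CRL or OCSP check if certificates can be compromised, since the group file only answers "may this user reach this service", not "is this certificate still good".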