Re: user(name) and EAP-TLS

2012-08-07 Thread Klaus Klein

On 06.08.2012 09:39, Alan DeKok wrote:

> Klaus Klein wrote:

>> On 04.08.2012 18:51, Alan DeKok wrote:

> I'm stating my opinion outright.  If you think I'm implying
> something, you're misreading it.

Now that's a nice twist.

I guess this is the sentence which offended you:

The final (first) productive installation should protect the access to my 
private WLAN with 3+ APs and 10+ clients.


I don't know how, but obviously you misread that as:

> The fact is that you said FreeRADIUS doesn't protect access, simply because 
> you didn't understand how it works.

It's simply not true that I said or wrote anything like that!
You are just reading that into my statement; just read it again!
If you think differently then just show me where I wrote that.

FreeRADIUS to me is (as far as I can judge) a great piece of software whose 
capabilities to 'protect access' are heavily dependent on the implementation and 
configuration within the installation. And yes, it is my goal that FreeRADIUS 
_should_ protect the access to my network, knowing that I'm the weakest link in 
this chain. To tackle this, I joined this list.


> This isn't about me.

It was you who accused me of implying, blaming, misreading and insulting.

Implying that FreeRADIUS doesn't protect access is rude.
You only have yourself to blame.
... you're misreading it.
you argue, and start insulting us.



> I've had similar conversations with dozens of people over the last 13+ years.

Stating my opinion:
With that experience I would have expected some more seniority and not being 
offended by the word 'should'.
I call that 'jumping the gun'.


> It's apparently OK to offend other people,

Never is, never was.

> but it's wrong for me to point out offensive comments.

You have all the rights to point out offensive comments _IF_ they are offensive.


> I've had enough of that nonsense.  As list admin, I won't put up with it.

>>> Stop it, or you will be unsubscribed and banned.

> Does this mean (a) you'll behave, or (b) you won't behave?

If that is how you want to be seen on this list, it's up to you.

Just my 2ct and my last comment on this incident.

Klaus
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: user(name) and EAP-TLS

2012-08-07 Thread Alan DeKok
Klaus Klein wrote:
> With that experience I would have expected some more seniority and not
> being offended by the word 'should'.

  It seems you misunderstood me.  That's not a surprise.

  My 13+ years of experience show that certain statements are made ONLY
by people who are trying to be offensive.  I respond to those statements
with a warning: behave, or get banned.

> If that is how you want to be seen on this list, it's up to you.

  Again, you misunderstand me entirely.

  My role on this list is to moderate offensive behavior.  I also
moderate people who waste everyone's time.  The recent policy has been
to warn people.  If their behavior continues, they get banned.

  That is EXPLICITLY my position.

  I'm trying to make you understand that, and clearly failing.

  Alan DeKok.


Re: user(name) and EAP-TLS

2012-08-06 Thread Alan DeKok
Klaus Klein wrote:
> On 04.08.2012 18:51, Alan DeKok wrote:
>> Implying that FreeRADIUS doesn't protect access is rude.
> Don't you think you're jumping the gun a bit?

  No.

> Where did you get this from, why are you implying something like this
> and how rude is that?

  I'm stating my opinion outright.  If you think I'm implying
something, you're misreading it.

> Furthermore, I don't think I insulted anyone, but it seems that this
> doesn't stop you feeling like that.
> Sorry if it hurts your feelings but I think you really need to loosen up
> a bit.

  This isn't about me.  I'll be here long after you're gone.  I've had
similar conversations with dozens of people over the last 13+ years.
It's apparently OK to offend other people, but it's wrong for me to
point out offensive comments.

  I've had enough of that nonsense.  As list admin, I won't put up with it.

  I can see that you didn't intend to insult anyone, and that's your
opinion.  The fact is that you said FreeRADIUS doesn't protect access,
simply because you didn't understand how it works.

>> Stop it, or you will be unsubscribed and banned.
> I'm really too old for that kind of threat.

  Does this mean (a) you'll behave, or (b) you won't behave?

  Alan DeKok.


Re: user(name) and EAP-TLS

2012-08-05 Thread Arran Cudbard-Bell
*sigh*

Don't use this configuration with wired 802.1X. As the user's identity is not 
protected within the tunnel, someone sitting between your machine and the 
switch could easily switch out identities at the start of 802.1X auth, and use 
it as a way of performing privilege escalation.

Hm, you should probably verify that the certificate is associated with the 
username provided. SQL/LDAP xlat would probably do the job.

-Arran



Re: user(name) and EAP-TLS

2012-08-05 Thread Klaus Klein

On 05.08.2012 10:28, Arran Cudbard-Bell wrote:

> Don't use this configuration with wired 802.1X. As the user's identity is not 
> protected within the tunnel, someone sitting between your machine and the 
> switch could easily switch out identities at the start of 802.1X auth, and use 
> it as a way of performing privilege escalation.

Not to forget that the administration of the client might not be under the 
control of the FreeRADIUS administration.
One wouldn't need a 'man in the middle' if the owner/user/admin of the client 
machine can edit the configuration to her/his liking.


> Hm, you should probably verify that the certificate is associated with the 
> username provided.

Yupp, check_cert_cn in eap.conf is (at least for me) the way to go.
That's what Alan also acknowledged a few emails ago.


> SQL/LDAP xlat would probably do the job.

I'm not there yet.
But I'll have a look at this when I start playing with SQL and LDAP.

Cheers,
Klaus


Re: user(name) and EAP-TLS

2012-08-04 Thread Klaus Klein

On 04.08.2012 03:15, Alan DeKok wrote:

> Klaus Klein wrote:

>>> Which uses certificates for authentication.

>> Correct.

> Thanks for the vote of confidence.

You're welcome. :)


> The point of my comment was that it DOESN'T use names & passwords for
> authentication.

I did understand this part.

Nevertheless, if I follow the documentation provided with freeradius (e.g. 
aaa.rst.gz) then authorization comes before authentication.

Also
... an authorization module searches a database ... (/etc/freeradius/users ?)
--- if none of database records for this User-Name matches ... authorization 
will fail.

Therefore I'm a bit puzzled that if no matching entry in users is found that 
the authentication still takes place.

I think in that case the behavior contradicts the 'Request Processing' 
described in aaa.rst.gz

Klaus


Re: user(name) and EAP-TLS

2012-08-04 Thread Matthew Newton
On Sat, Aug 04, 2012 at 11:10:38AM +0200, Klaus Klein wrote:
> Therefore I'm a bit puzzled that if no matching entry in users
> is found that the authentication still takes place.

Try one of:

 a) move files above eap in sites-enabled/default. This will mean
 that the eap short-circuit won't skip files. It will also mean
 that you hit files a lot more than before, which will have a
 performance impact (the scale of which depends on the number of
 auths, of course).

 b) use 3.0, and set a virtual_server for tls. You can then run
 files in that, and check attributes before accepting or
 otherwise.

 c) backport the tls virtual server patch to 2.x - it's pretty
 simple.

Cheers

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: user(name) and EAP-TLS

2012-08-04 Thread Arran Cudbard-Bell

On 4 Aug 2012, at 11:57, Matthew Newton m...@leicester.ac.uk wrote:

> On Sat, Aug 04, 2012 at 11:10:38AM +0200, Klaus Klein wrote:
>> Therefore I'm a bit puzzled that if no matching entry in users
>> is found that the authentication still takes place.

authorize {
    files
    if (notfound || noop) {
        reject
    }
}

??


Re: user(name) and EAP-TLS

2012-08-04 Thread Klaus Klein

On 04.08.2012 12:57, Matthew Newton wrote:

> On Sat, Aug 04, 2012 at 11:10:38AM +0200, Klaus Klein wrote:
>
>> Therefore I'm a bit puzzled that if no matching entry in users
>> is found that the authentication still takes place.
>
> Try one of:
>
>  a) move files above eap in sites-enabled/default. This will mean
>  that the eap short-circuit won't skip files. It will also mean
>  that you hit files a lot more than before, which will have a
>  performance impact (the scale of which depends on the number of
>  auths, of course).
>
>  b) use 3.0, and set a virtual_server for tls. You can then run
>  files in that, and check attributes before accepting or
>  otherwise.
>
>  c) backport the tls virtual server patch to 2.x - it's pretty
>  simple.


Thanks for your suggestions. I guess I'll try them in the order a, c, b.

But maybe I should have been a bit more precise in my first email.
The final (first) productive installation should protect the access to my 
private WLAN with 3+ APs and 10+ clients.
So the performance impact in suggestion a) will be limited. ;-)

Currently I have set up a test environment to try and learn and, as a side 
effect to a more secure WLAN, a more detailed understanding of how (free)RADIUS 
works.

Cheers,
Klaus


Re: user(name) and EAP-TLS

2012-08-04 Thread Klaus Klein

Sorry, I just reread your email.

On 04.08.2012 12:57, Matthew Newton wrote:

>  a) move files above eap in sites-enabled/default. This will mean
>  that the eap short-circuit won't skip files.

I don't think that files is skipped after EAP-TLS authorization.

If the User-Name, which is provided through the identifier setting in 
wpa_supplicant, exists in users then, even after EAP-TLS authorization, the 
according check attributes (e.g. Login-Time) are compared and the reply 
attributes (e.g. Session-Timeout) are added into the reply item list.


>  It will also mean
>  that you hit files a lot more than before, which will have a
>  performance impact (the scale of which depends on the number of
>  auths, of course).

If my observation is right then files is hit for every authorization and 
modifying the sequence will therefore not change the impact on files.

Cheers,
Klaus


Re: user(name) and EAP-TLS

2012-08-04 Thread Klaus Klein

On 04.08.2012 16:01, Arran Cudbard-Bell wrote:

>> On Sat, Aug 04, 2012 at 11:10:38AM +0200, Klaus Klein wrote:
>
>>> Therefore I'm a bit puzzled that if no matching entry in users
>>> is found that the authentication still takes place.
>
> authorize {
>     files
>     if (notfound || noop) {
>         reject
>     }
> }


Thank you, works!!

Maybe one day I'll understand what it does, how it does it and if there are 
implications to/from other Autz-Modules.

Cheers,
Klaus


Re: user(name) and EAP-TLS

2012-08-04 Thread Alan DeKok
Klaus Klein wrote:
> Also
> ... an authorization module searches a database ...
> (/etc/freeradius/users ?)
> --- if none of database records for this User-Name matches ...
> authorization will fail.
>
> Therefore I'm a bit puzzled that if no matching entry in users is found
> that the authentication still takes place.

  Because if you read the raddb/sites-available/default, the eap
module is run during authorization.

> I think in that case the behavior contradicts the 'Request Processing'
> described in aaa.rst.gz

  No.

  Alan DeKok.


Re: user(name) and EAP-TLS

2012-08-04 Thread Alan DeKok
Klaus Klein wrote:
> But maybe I should have been a bit more precise in my first email.
> The final (first) productive installation should protect the access to
> my private WLAN with 3+ APs and 10+ clients.

  Implying that FreeRADIUS doesn't protect access is rude.

  You were the one who set up EAP-TLS.  EAP-TLS means allow anyone who
has a signed client cert.  You signed a client cert, and gave it to a
client.  You were told this is how EAP-TLS works.

  You only have yourself to blame.

  I already explained how the server worked.  Rather than believe it,
you argue, and start insulting us.

  Stop it, or you will be unsubscribed and banned.

  Alan DeKok.


Re: user(name) and EAP-TLS

2012-08-04 Thread Klaus Klein

On 04.08.2012 18:51, Alan DeKok wrote:

> Klaus Klein wrote:

>> But maybe I should have been a bit more precise in my first email.
>> The final (first) productive installation should protect the access to
>> my private WLAN with 3+ APs and 10+ clients.

> Implying that FreeRADIUS doesn't protect access is rude.

Don't you think you're jumping the gun a bit?
Where did you get this from, why are you implying something like this and how 
rude is that?

The sentences you quoted were written in reference to Matthew's suggestion a) 
and the impact on the performance. I don't think that 'hitting' files in an 
environment with 10+ clients and 3+ APs will really have an impact on the 
performance.
Besides, as I wrote in a later email, I think that the suggested modification 
will not really make a difference as it seems that files is already processed 
with every authorization/authentication.

If you read beyond the quoted sentences you'll see that I currently work on a 
testbed and that I want to learn more about FreeRADIUS. One of my final goals 
is to implement with FreeRADIUS a better and more flexible security than what, 
to my understanding, WPA-PSK could offer.
Why would I do this if I believed that FreeRADIUS isn't protecting access?


> You were the one who set up EAP-TLS.  EAP-TLS means allow anyone who
> has a signed client cert.  You signed a client cert, and gave it to a
> client. You were told this is how EAP-TLS works.

I think I have a fair understanding how EAP-TLS works but apparently FreeRADIUS 
in combination with EAP-TLS is capable of and doing more than just that.


> I already explained how the server worked.

Darn, I must have missed quite some part of an email. ;-)


> Rather than believe it, you argue, and start insulting us.

I didn't argue, I just stated facts.

Furthermore, I don't think I insulted anyone, but it seems that this doesn't 
stop you feeling like that.
Sorry if it hurts your feelings but I think you really need to loosen up a bit.  


> Stop it, or you will be unsubscribed and banned.

I'm really too old for that kind of threat.

Cheers,
Klaus


Re: user(name) and EAP-TLS

2012-08-03 Thread Alan DeKok
Klaus Klein wrote:
> I'm working on securing the access to a WLAN network with
> WPA2-Enterprise, EAP-TLS and a FreeRADIUS server.

  Which uses certificates for authentication.

> Everything seemed to work as expected until I realized that a client will
> be authenticated (by eap) even if the user(name), provided with the
> mandatory identifier entry in wpa_supplicant.conf, doesn't exist in
> the users file.

  That's how EAP-TLS works.

> To verify this I used the unedited 'default' users file provided with
> the FreeRADIUS package and the user/name 'FooBar'.
> Is that meant to be like this or do I miss something?

  That's how EAP-TLS works.

  Alan DeKok.


Re: user(name) and EAP-TLS

2012-08-03 Thread Klaus Klein

On 03.08.2012 22:06, Alan DeKok wrote:

> Klaus Klein wrote:

>> I'm working on securing the access to a WLAN network with
>> WPA2-Enterprise, EAP-TLS and a FreeRADIUS server.

> Which uses certificates for authentication.

Correct.


>> Everything seemed to work as expected until I realized that a client will
>> be authenticated (by eap) even if the user(name), provided with the
>> mandatory identifier entry in wpa_supplicant.conf, doesn't exist in
>> the users file.

> That's how EAP-TLS works.

Is it then correct that the 'check_cert_cn' option in eap.conf is the only way 
to prevent anyone on the client side from tampering with the identity entry and 
thereby avoiding restrictions (e.g. Login-Time) for that client?

Or is there another/better way to tie any setting to an EAP-TLS authenticated 
client?

Cheers,
Klaus


Re: user(name) and EAP-TLS

2012-08-03 Thread Alan DeKok
Klaus Klein wrote:
>> Which uses certificates for authentication.
> Correct.

  Thanks for the vote of confidence.

  The point of my comment was that it DOESN'T use names & passwords for
authentication.

> Is it then correct that the 'check_cert_cn' option in eap.conf is the
> only way to prevent anyone on the client side from tampering with the
> identity entry and thereby avoiding restrictions (e.g. Login-Time) for
> that client?

  That's what check_cert_cn is for.  This is documented.

  Alan DeKok.
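As an added example (not FreeRADIUS code, and not from any poster in this thread), the Python below models the two authorize-stage controls the thread converges on: Arran's `files` followed by `if (notfound || noop) { reject }`, and `check_cert_cn`, which ties the EAP identity (User-Name) to the certificate CN so the client cannot choose which users entry, and which restrictions, apply to it. The users-file parser covers only the small subset of the format touched here, the sample users file is constructed, and check items such as Login-Time are parsed but not evaluated.

```python
# Added example (not FreeRADIUS code): models the two authorize-stage controls
# from this thread for an EAP-TLS request:
#   1. Arran's unlang: "files" then "if (notfound || noop) { reject }"
#   2. check_cert_cn: the certificate CN must equal the EAP identity (User-Name)
# The users-file parser is a deliberate simplification covering only the
# subset of the format the thread touches, not the server's own parser.
import re
from dataclasses import dataclass, field

# Constructed sample users file (not from the FreeRADIUS distribution).
USERS_FILE = """\
# entries: name, optional check items; indented lines are reply items
alice   Login-Time == "Al0800-1800"
        Session-Timeout = 3600,
        Reply-Message = "Welcome alice"
bob
        Session-Timeout = 600
"""

@dataclass
class Entry:
    checks: dict = field(default_factory=dict)
    replies: dict = field(default_factory=dict)

def parse_users(text):
    """Map entry name -> Entry(checks, replies) for the subset above."""
    entries, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():            # indented line: reply items
            for item in raw.strip().rstrip(",").split(","):
                k, v = (s.strip().strip('"') for s in item.split("=", 1))
                current.replies[k] = v
            continue
        name, _, rest = raw.partition(" ")   # entry line: name + check items
        current = entries.setdefault(name, Entry())
        for item in filter(None, (s.strip() for s in rest.split(","))):
            m = re.match(r'(\S+)\s*(:=|==|=)\s*"?([^"]*)"?', item)
            if m:
                current.checks[m.group(1)] = m.group(3)
    return entries

def authorize(user_name, cert_cn, users, check_cert_cn=True):
    """Return ("reject", reason) or ("ok", reply_items) for one request."""
    # check_cert_cn: refuse an identity that the presented cert does not name,
    # otherwise the client picks which users entry (and restrictions) apply.
    if check_cert_cn and cert_cn != user_name:
        return "reject", "certificate CN does not match User-Name"
    entry = users.get(user_name)     # 'files' would return notfound/noop here
    if entry is None:
        return "reject", "no users entry (notfound || noop)"
    return "ok", dict(entry.replies)
```

Calling authorize() with check_cert_cn=False reproduces what Klaus observed: a valid certificate plus any User-Name present in users is accepted, so the reply items follow the claimed identity rather than the certificate holder.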