[RADIATOR] Wireless client verification of Radiator's SSL cert EAP/PEAP
Hi,

I've been searching around the list and the Internet trying to figure out how a wireless client can verify the hostname of the SSL cert provided by Radiator through the NAS, as an SMTP or HTTP client would, but I can't seem to find anything insightful. I'm not concerned with how the client uses the SSL chain and its included CAs to verify the cert cryptographically.

For one, the client doesn't have Internet to make a reverse lookup until they accept the cert. Second, even if they were allowed DNS before authentication, someone controlling the network could easily catch and spoof the reverse lookup reply to make their cert look legitimate (assuming it was cryptographically legitimate).

I'm doing some development/testing and I notice that iOS and Windows 8 seem to see my certificate as valid but not "verified". I set up a PTR record to match my host and cert name but it didn't seem to make any difference. I monitored tcpdump while authenticating from OS X and I see no PTR requests.

I realize each client can have a different implementation. Is it even possible to legitimately verify a certificate hostname for clients using PEAP and EAP? I'd like to be as secure as possible without resorting to client-side certificates.

Thanks,
Michael

--
Michael Rodrigues
Technical Support Services Manager
Gevirtz Graduate School of Education
Education Building 4203
(805) 893-8031
h...@education.ucsb.edu

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
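For reference on the question above: a PEAP or EAP-TLS supplicant does not resolve or reverse-resolve anything to check the server certificate. It compares the name in the certificate (dNSName SAN entries, or the Subject CN when no dNSName is present) against a name the administrator configures on the client, and trusts only the CA configured for that network. On wpa_supplicant those settings are ca_cert and domain_suffix_match; Windows and Apple profiles carry equivalent fields. The Python below is an added example, not Radiator code and not from this post: it reproduces wpa_supplicant's documented suffix-match rule (labels compared from the right, never inside a label; SANs take precedence over the CN) over a hand-constructed certificate description. The names radius.example.edu and example.edu, the ServerCert stand-in and the configuration fragment in the docstring are assumptions for illustration; wildcard names are not handled.

```python
"""Server-name check a supplicant applies to the RADIUS server's EAP certificate.

Added example; not Radiator code and not from the original post. Models the rule
documented for wpa_supplicant's domain_suffix_match: the configured suffix must
match a dNSName SAN label by label from the right; only when the certificate
carries no dNSName SANs is the Subject CN compared instead. The corresponding
client-side configuration (hypothetical names) looks like:

    network={
        ssid="campus"
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="user"
        password="..."
        ca_cert="/etc/ssl/certs/campus-ca.pem"   # pins the issuing CA
        domain_suffix_match="example.edu"        # pins the server name
        phase2="auth=MSCHAPV2"
    }
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ServerCert:
    """Constructed stand-in for a parsed certificate; only the name fields matter here."""
    subject_cn: Optional[str]
    dns_sans: List[str] = field(default_factory=list)


def _labels(name: str) -> List[str]:
    # Case-insensitive, ignore one trailing dot, reject empty labels ("a..b", ".a").
    labels = name.lower().rstrip(".").split(".")
    if any(not lab for lab in labels):
        return []
    return labels


def suffix_match(name: str, suffix: str) -> bool:
    """True when every label of `suffix` appears at the end of `name`, label by label.

    'radius.example.edu' matches 'example.edu'; 'radius-example.edu' does not,
    because the comparison never happens inside a label (no substring matching).
    """
    n, s = _labels(name), _labels(suffix)
    if not n or not s or len(s) > len(n):
        return False
    return n[-len(s):] == s


def server_name_acceptable(cert: ServerCert, domain_suffix_match: str) -> bool:
    """SAN-first rule: if any dNSName SAN is present the CN is ignored entirely."""
    if cert.dns_sans:
        return any(suffix_match(san, domain_suffix_match) for san in cert.dns_sans)
    return cert.subject_cn is not None and suffix_match(cert.subject_cn, domain_suffix_match)


if __name__ == "__main__":
    # Constructed sample certificates (assumed names, not from any real deployment).
    samples = [
        ("good", ServerCert("radius.example.edu", ["radius.example.edu"])),
        ("lookalike", ServerCert("radius-example.edu", ["radius-example.edu"])),
        ("san-wins", ServerCert("radius.example.edu", ["radius.attacker.net"])),
        ("cn-only", ServerCert("RADIUS.Example.Edu.", [])),
    ]
    for label, cert in samples:
        print(label, server_name_acceptable(cert, "example.edu"))
```

The "san-wins" case is the one worth remembering when issuing server certificates: once a certificate carries any dNSName SAN, a matching CN no longer helps, so the SAN must carry the name the clients are configured to expect.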
Re: [RADIATOR] Radiator / Radmin - EAP TLS certificates on Android phone
Hi Heikki,

The same test repeated with Second Phase as none and the same problem. As you have said, this should have nothing to do with EAP TLS.

I have repeated the test on an iPhone with iOS 7, configuring a TLS profile with the CA in DER format. The same problem. The log is also in https://gist.github.com/ifdm001/57c03984282f33406aec

Thanks for the contribution,
Imanol

On Wed, Jun 18, 2014 at 10:05 PM, Heikki Vatiainen wrote:
> On 06/18/2014 02:04 PM, Imanol Fuidio wrote:
>
> > The WiFi configuration is: EAP method TLS, Phase 2 PAP, User
> > certificate, Identity user
>
> Phase 2 PAP looks odd. This would make sense with EAP-TTLS, but I am not
> sure what it could mean with EAP-TLS.
>
> > Wed Jun 18 11:49:35 2014: ERR: EAP TLS error: -1, 1, 8592, 0, 22411: 1
> > - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>
> Can you try with other settings for Phase 2, such as none, off or
> something else to turn any Phase 2 authentication off. I'd say the
> above message might come from something that the client adds and appears
> as a bad TLS record to the server.
>
> Thanks,
> Heikki

--
Imanol Fuidio Díaz-Maroto
Fon Labs R&D engineer
imanol.fui...@fon.com
skype: imanol.fon
Re: [RADIATOR] Radiator / Radmin - EAP TLS certificates on Android phone
On 06/18/2014 02:04 PM, Imanol Fuidio wrote:

> The WiFi configuration is: EAP method TLS, Phase 2 PAP, User
> certificate, Identity user

Phase 2 PAP looks odd. This would make sense with EAP-TTLS, but I am not sure what it could mean with EAP-TLS.

> Wed Jun 18 11:49:35 2014: ERR: EAP TLS error: -1, 1, 8592, 0, 22411: 1
> - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Can you try with other settings for Phase 2, such as none, off or something else to turn any Phase 2 authentication off. I'd say the above message might come from something that the client adds and appears as a bad TLS record to the server.

Thanks,
Heikki

--
Heikki Vatiainen

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
[RADIATOR] Radiator / Radmin - EAP TLS certificates on Android phone
Hi everyone,

In the company we have performed some tests on EAP TLS. We are using Radiator-4.13 with the goodie eap_tls.cfg. We have created self-signed certificates through the script: script.sh (You can find the script, as well as the certificates, in https://gist.github.com/ifdm001/57c03984282f33406aec )

During the tests, we have installed the cert-clt.p12 cert file on a Galaxy S3 with Android 4.1.2. We have also installed the CA file cacert.pem.

The WiFi configuration is: EAP method TLS, Phase 2 PAP, User certificate, Identity user

We also have added the identity user to the file database.

When we have not configured the CA file in the WiFi configuration profile, everything works. It is strange that there is no message from Android saying that the server certificate will not be verified; also there is no checklist option to validate this (as there is in Microsoft, see https://support.microsoft.com/kb/814394).

When we configure the CA file in the WiFi configuration profile on the Android phone, we found the following error in Radiator:

Wed Jun 18 11:49:35 2014: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Wed Jun 18 11:49:35 2014: DEBUG: Deleting session for user, 10.1.0.9,
Wed Jun 18 11:49:35 2014: DEBUG: Handling with Radius::AuthFILE:
Wed Jun 18 11:49:35 2014: DEBUG: Handling with EAP: code 2, 255, 200, 13
Wed Jun 18 11:49:35 2014: DEBUG: Response type 13
Wed Jun 18 11:49:35 2014: DEBUG: Certificate Subject Name is /C=ES/ST=Biscay/L=Getxo/O=Fon/OU=Fon Labs/CN=user
Wed Jun 18 11:49:35 2014: DEBUG: Matched certificate CN user with User-Name user or identity user
Wed Jun 18 11:49:35 2014: DEBUG: Reading users file ./users
Wed Jun 18 11:49:35 2014: DEBUG: Radius::AuthFILE looks for match with user [user]
Wed Jun 18 11:49:35 2014: DEBUG: Radius::AuthFILE ACCEPT: : user [user]
Wed Jun 18 11:49:35 2014: ERR: EAP TLS error: -1, 1, 8592, 0, 22411: 1 - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Wed Jun 18 11:49:35 2014: DEBUG: EAP Failure, elapsed time 0.179251
Wed Jun 18 11:49:35 2014: DEBUG: EAP result: 1, EAP TLS error
Wed Jun 18 11:49:35 2014: DEBUG: AuthBy FILE result: REJECT, EAP TLS error
Wed Jun 18 11:49:35 2014: INFO: Access rejected for user: EAP TLS error
Wed Jun 18 11:49:35 2014: DEBUG: Packet dump:
*** Sending to 10.1.0.9 port 54719
Code:       Access-Reject
Identifier: 189
Authentic:  <194><153>-<204><200><12><189><176>&<168><196><24><180><148><210>i
Attributes:
        EAP-Message = <4><255><0><4>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        Reply-Message = "Request Denied"

The full log is in the file eap_tls.log, also in https://gist.github.com/ifdm001/57c03984282f33406aec

We will be grateful for any help with this problem.

Thanks,
Imanol

--
Imanol Fuidio Díaz-Maroto
Fon Labs R&D engineer
imanol.fui...@fon.com
skype: imanol.fon
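The SSL3_GET_RECORD:wrong version number error in the log above is OpenSSL rejecting the five-byte record header of whatever the client put in the EAP-TLS data field, which is what Heikki's reply suspects: something that is not a TLS record is arriving where a record should be. The Python below is an added example, not Radiator code and not from the original post. It unpacks the EAP-TLS framing from RFC 5216 (EAP header, type 13, the L/M/S flag byte and the optional four-byte TLS Message Length) and then applies the same first check OpenSSL makes on a record header, that the major version byte is 3 (and, after the first packet, that the version equals the negotiated one). The packets are constructed inline; build_eap_tls_response and the PAP-shaped junk payload are illustrations of the failure class, not a claim about what the Android supplicant actually sent.

```python
"""Inspect the TLS record header carried inside an EAP-TLS (type 13) packet.

Added example, not Radiator code. Framing per RFC 3748 (EAP) and RFC 5216 (EAP-TLS):

    EAP:        Code(1) Identifier(1) Length(2) Type(1)
    EAP-TLS:    Flags(1) [TLS Message Length(4) if L flag] TLS Data
    TLS record: ContentType(1) Version(2) Length(2) Fragment
"""
import struct
from dataclasses import dataclass
from typing import Optional

EAP_CODE_RESPONSE = 2
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # Length included, More fragments, Start
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


@dataclass
class EapTlsFragment:
    code: int
    identifier: int
    flags: int
    total_length: Optional[int]  # present only when FLAG_L is set
    tls_data: bytes


def build_eap_tls_response(identifier: int, tls_data: bytes, flags: int = FLAG_L) -> bytes:
    """Illustrative encoder so the example is self-contained (hypothetical, not a Radiator API)."""
    body = bytes([EAP_TYPE_TLS, flags])
    if flags & FLAG_L:
        body += struct.pack("!I", len(tls_data))
    body += tls_data
    return struct.pack("!BBH", EAP_CODE_RESPONSE, identifier, 4 + len(body)) + body


def parse_eap_tls(pkt: bytes) -> EapTlsFragment:
    """Strip the EAP and EAP-TLS headers, validating the length field on the way."""
    if len(pkt) < 6:
        raise ValueError("too short for an EAP-TLS packet")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field %d != packet length %d" % (length, len(pkt)))
    if pkt[4] != EAP_TYPE_TLS:
        raise ValueError("EAP type %d is not EAP-TLS (13)" % pkt[4])
    flags = pkt[5]
    offset, total = 6, None
    if flags & FLAG_L:
        if len(pkt) < 10:
            raise ValueError("L flag set but no TLS Message Length field")
        total = struct.unpack("!I", pkt[6:10])[0]
        offset = 10
    return EapTlsFragment(code, identifier, flags, total, pkt[offset:])


def check_tls_record(data: bytes, more_fragments: bool = False) -> str:
    """Header-only sanity check mirroring OpenSSL's first test on a record.

    A record whose major version byte is not 3 is rejected before anything else
    is looked at; that is the 'wrong version number' path. Any non-TLS payload
    (a password string, an inner-method message) lands there.
    """
    if len(data) < 5:
        return "short record header (%d bytes)" % len(data)
    ctype, major, minor, rlen = struct.unpack("!BBBH", data[:5])
    if major != 3:
        return "wrong version number: %02x%02x (first bytes %r)" % (major, minor, data[:4])
    if ctype not in TLS_CONTENT_TYPES:
        return "unknown content type %d" % ctype
    body = len(data) - 5
    if rlen > body and not more_fragments:
        return "truncated record: header says %d body bytes, only %d present" % (rlen, body)
    return "ok: %s record, version %d.%d, %d body bytes" % (TLS_CONTENT_TYPES[ctype], major, minor, rlen)


def diagnose(pkt: bytes) -> str:
    frag = parse_eap_tls(pkt)
    return check_tls_record(frag.tls_data, bool(frag.flags & FLAG_M))


# Constructed samples (assumed bytes, not captures from this thread).
GOOD_TLS = b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x03"  # handshake record header + 5 body bytes
JUNK_TLS = b"user\x00password"                                 # a PAP-shaped string where a record should be

if __name__ == "__main__":
    for name, data in (("good", GOOD_TLS), ("junk", JUNK_TLS)):
        print(name, "->", diagnose(build_eap_tls_response(255, data)))
```

Running it on the junk payload reports a version of 7365, the ASCII for "se" in "user", which is the shape of failure the OpenSSL message describes: the server saw bytes that were never a TLS record. A packet capture between NAS and Radiator, with the EAP-Message attributes reassembled, is where to apply this to the real traffic.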