Hello!
I have been using Windows 7, Freeradius 2.1.10 from Debian Squeeze, HP
MSM710 WLAN controller and EAP_TLS Computer Certificate Authentication
for a log time and worked perfect. I used Certificates created on the
Debian server by openssl including the extensions for Client
Authentication and Server Authentication.
Now we want to activate port security on our physical switches and use
the same radius server, so we installed a Windows Enterprise Root CA for
autoenrollment of the Client and server certificates. I also created an
RAS IAS Certificate for the Radius Server and installed them, they are
loaded without any problems, but authentication of the Windows 7 client
do not work anymore.
I searched the internet for a compareable setup but i cannot find any
hints for using Microsoft Enterprise CA with freeradius server, may
everywhere else it works like a charm :) , but cannot believe it!
So my first question, does someone use Microsoft Enterprise CA
Certificates with freeradius in a working environment, and o i have to
regard something special?
Running "freeradius -X" gives me the following errors:
...
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 95
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 005a], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 08d7], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 0062], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
...
I updated to Debian wheezy to get a newer freeradius version, but
nothing changed.
The Radius Server Certificate include the following Attribute (output of
"openssl x509 -text -in <cert> -noout"):
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client
Authentication
X509v3 Subject Key Identifier:
1D:22:6F:1B:8B:F9:DE:C7:D2:FC:8A:17:97:87:EA:8B:D0:0D:27:31
X509v3 Authority Key Identifier:
keyid:0F:BB:BB:14:63:C3:07:52:CE:D9:74:94:6A:83:83:45:A4:94:2A:5B
Authority Information Access:
CA Issuers -
URI:ldap:///CN=xxx%20Certificate%20Services%20A,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=xxx,DC=xx?cACertificate?base?objectClass=certificationAuthority
1.3.6.1.4.1.311.21.7:
0..&+.....7.....c..;.......^...S.*..........d...
1.3.6.1.4.1.311.21.10:
0.0
..+.......0
..+.......
The Client Certificates include the following Attributes:
Key usage: Digital Signature, Key Encipherment (a0)
Enhanded Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2)
The client attributes also include
- Authority Information Access
- CRL Distribution Points
- Certificate Template Information
which have very long values with special caracters like _%/=:?, may this
be a problem?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
