Freeradius + EAP Certificates
-
Great!
I will give it a try and post back if I need more advice and/or if it works ;-)
-
Hello again ;-)
I am now at home and I gave it a try:
1.) I edited ca.cn server.cnf and client.cnf
In all three files I changes the input_password and output_password to the same pass.
I changes CommonName and so on in all three files to the same.after this I did:
chmod u+x bootstrapand than created the certificates with:
./bootstrapAfter this I have these files in the certs directory:
-rw-r--r-- 1 root wheel 70 Jun 6 16:08 .gitignore -rw-r----- 1 root wheel 4260 Jun 6 21:41 01.pem -rw-r--r-- 1 root wheel 148992 Jun 6 21:43 MYCA.tar -rwxr--r-- 1 root wheel 4262 Jun 6 21:08 Makefile -rwxr--r-- 1 root wheel 7821 Jun 6 21:08 README -rwxr--r-- 1 root wheel 2640 Jun 6 21:08 bootstrap -rwxr--r-- 1 root wheel 1317 Jun 6 21:08 ca.cnf -rw-r----- 1 root wheel 1221 Jun 6 21:41 ca.der -rw-r----- 1 root wheel 1751 Jun 6 21:41 ca.key -rw-r----- 1 root wheel 1708 Jun 6 21:41 ca.pem -rwxr--r-- 1 root wheel 1154 Jun 6 21:08 client.cnf -rw-r----- 1 root wheel 0 Jun 6 21:41 client.crt -rw-r----- 1 root wheel 1074 Jun 6 21:41 client.csr -rw-r----- 1 root wheel 1751 Jun 6 21:41 client.key drwxr--r-- 2 root wheel 512 Jun 6 16:10 demoCA -rw-r----- 1 root wheel 245 Jun 6 21:41 dh -rw-r----- 1 root wheel 134 Jun 6 21:41 index.txt -rw-r----- 1 root wheel 21 Jun 6 21:41 index.txt.attr -rw-r----- 1 root wheel 0 Jun 6 21:41 index.txt.old -rw-r----- 1 root wheel 5120 Jun 6 21:41 random -rw-r----- 1 root wheel 3 Jun 6 21:41 serial -rw-r----- 1 root wheel 3 Jun 6 21:41 serial.old -rwxr--r-- 1 root wheel 1155 Jun 6 21:08 server.cnf -rw-r----- 1 root wheel 4260 Jun 6 21:41 server.crt -rw-r----- 1 root wheel 1074 Jun 6 21:41 server.csr -rw-r----- 1 root wheel 1743 Jun 6 21:41 server.key -rw-r----- 1 root wheel 2557 Jun 6 21:41 server.p12 -rw-r----- 1 root wheel 3545 Jun 6 21:41 server.pem -rw-r--r-- 1 root wheel 74240 Jun 6 21:42 v -rwxr--r-- 1 root wheel 578 Jun 6 21:08 xpextensionsWhich files do I need now for the client (Windows XP / Windows 7 ) ?
Thanks again!
–-edit---
After that I configured the eap.conf and I got this error after starting radiusd -X
Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "md5" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/server.key" tls: certificate_file = "/usr/local/etc/raddb/certs/server.pem" tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/ca.pem" tls: private_key_password = "xxxXXXxxx" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = yes tls: check_cert_cn = "%{User-Name}" tls: cipher_list = "DEFAULT" tls: check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory rlm_eap_tls: Error reading Trusted root CA list rlm_eap: Failed to initialize type tls radiusd.conf[10]: eap: Module instantiation failed. radiusd.conf[328] Unknown module "eap". radiusd.conf[312] Failed to parse authenticate section. -
Hi Nachtfalke,
you need to modify the eap.conf file first in /etc/raddb. This file defines which protocol (TLS, TTLS etc…) can be used. Since I just wanted to use TLS I uncommented this. Additionally in the TLS sections you will have to config:
private_key_password = "this is your output_password"
private_key_file = /path/to/server.key
certificate_file = /path/to/server.pem
CA_file = /path/to/ca.pem... so now your server is ready. Restart with radiusd -X to show you debugging. You should see that the EAP config is pulled and activated.
On the client side you now need to import the ca.der and client.p12 into the certificate store of Windows (during import of the client.p12 you will be prompted for a password (output_password) ). Now the certificate is available for windows.
Now config your WIFI ... delete the current config and create a new config with WPA2 Enterprise as described here -> http://freeradius.org/doc/EAPTLS.pdf
This should bring everything up and running.
Alexander
P.S. Recently I've moved away from the freeradius installation from pfsense, since it was flaky (this is my experience). I have moved it onto my OSX server which now provides the radius authentication. Your mileage naturally may vary.
-
Hi,
first:
I solved the problem that radiusd wasn't starting. I did a spellingmistake for the ca.crt :(
Now freeRADIUS is running with no errors.second:
as you can see above, there is no client.p12 in my certs folder. Don't know why but I hope I could try it tomorrow with a client.What hardware specs do you have on your pfsense ?
And how many users are connected and authenticated with freeRADIUS ?Thanks
-
Hi Nachtfalke,
concerning the client.p12 … I forgot to mention that this isn't generated by the bootstrap or the "make all" command. You need to either do a "make client" or the openssl commands in the makefile.
from the makefile (execute the openssl for cleint.crt and the the openssl for the client.p12 manually):
client.crt: client.csr ca.pem ca.key
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnfclient.p12: client.crt
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)Currently I'm running about 5 devices over the freeradius server, all with 1 client certificate. the hardware then (when I had it running on pfsense) was an epia board. Now I'm running freeradius of a macMini with Snow Leopard Server running.
Alexander
-
Hi,
everytime I run ./bootstrap I got this error at the end of the client.cnf process
Certificate is to be certified until Jun 4 11:51:20 2021 GMT (3650 days) failed to update database TXT_DB error number 2After this, the client.crt is only 0 bytes - like you could see above.
And because of this I cannot continue with the other openssl commands :(Any ideas ?
-
Hi Nachtfalke,
try to execute the commands manually (extract from the Makefile):
openssl req -new -out client.csr -keyout client.key -config ./client.cnf
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
where PASSWORD_CA and PASSWORD_CLIENT the respective passwords in your ca.cnf and client.cnf are.
Cheers
Alexander
-
This is the output error - still the same. I do not know where I did something wrong :(
[2.0-RC2][admin@pfsense2.hpa]/usr/local/etc/raddb/certs(8): openssl req -new -out client.csr -keyout client.key -config ./client.cnf Generating a 2048 bit RSA private key .....................................................+++ .........................+++ writing new private key to 'client.key' ----- [2.0-RC2][admin@pfsense2.hpa]/usr/local/etc/raddb/certs(9): openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key Passwort -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf Using configuration from ./client.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 2 (0x2) Validity Not Before: Jun 7 15:10:39 2011 GMT Not After : Jun 4 15:10:39 2021 GMT Subject: countryName = DE stateOrProvinceName = Deutschland organizationName = Polizeiakademie Hessen commonName = freeRADIUS HPA-CA emailAddress = rbs.hpa@polizei.hessen.de X509v3 extensions: X509v3 Extended Key Usage: TLS Web Client Authentication Certificate is to be certified until Jun 4 15:10:39 2021 GMT (3650 days) failed to update database TXT_DB error number 2 [2.0-RC2][admin@pfsense2.hpa]/usr/local/etc/raddb/certs(10): openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:Passwort -passout pass:Passwort No certificate matches private keyAnd here: The client.crt ist still 0 bytes because of the error above …
[2.0-RC2][admin@pfsense2.hpa]/usr/local/etc/raddb/certs(11): ls -la total 84 drwxr-xr-x 3 root wheel 1024 Jun 7 17:11 . drwxr-x--- 5 root wheel 1024 Jun 6 16:16 .. -rw-r--r-- 1 root wheel 70 Jun 6 16:08 .gitignore -rw-r----- 1 root wheel 4260 Jun 7 17:09 01.pem -rwxrwxrwx 1 root wheel 4260 Jun 6 22:25 Makefile -rwxrwxrwx 1 root wheel 7821 Jun 6 21:08 README -rwxrwxrwx 1 root wheel 2642 Jun 7 13:47 bootstrap -rwxrwxrwx 1 root wheel 1297 Jun 7 13:41 ca.cnf -rw-r----- 1 root wheel 1221 Jun 7 17:09 ca.der -rw-r----- 1 root wheel 1751 Jun 7 17:09 ca.key -rw-r----- 1 root wheel 1708 Jun 7 17:09 ca.pem -rwxrwxrwx 1 root wheel 1134 Jun 7 13:40 client.cnf -rw-r----- 1 root wheel 0 Jun 7 17:10 client.crt -rw-r----- 1 root wheel 1074 Jun 7 17:10 client.csr -rw-r----- 1 root wheel 1743 Jun 7 17:10 client.key -rw-r--r-- 1 root wheel 0 Jun 7 17:11 client.p12 drwxrwxrwx 2 root wheel 512 Jun 7 13:24 demoCA -rw-r----- 1 root wheel 424 Jun 7 17:09 dh -rw-r----- 1 root wheel 134 Jun 7 17:09 index.txt -rw-r----- 1 root wheel 21 Jun 7 17:09 index.txt.attr -rw-r----- 1 root wheel 0 Jun 7 17:09 index.txt.old -rw-r----- 1 root wheel 5120 Jun 7 17:09 random -rw-r----- 1 root wheel 3 Jun 7 17:09 serial -rw-r----- 1 root wheel 3 Jun 7 17:09 serial.old -rwxrwxrwx 1 root wheel 1135 Jun 7 13:40 server.cnf -rw-r----- 1 root wheel 4260 Jun 7 17:09 server.crt -rw-r----- 1 root wheel 1074 Jun 7 17:09 server.csr -rw-r----- 1 root wheel 1751 Jun 7 17:09 server.key -rw-r----- 1 root wheel 2557 Jun 7 17:09 server.p12 -rw-r----- 1 root wheel 3553 Jun 7 17:09 server.pem -rwxrwxrwx 1 root wheel 578 Jun 6 21:08 xpextensions -
Hi Nachtfalke,
you used the "bootstrap" file to create the certificates and I used the make command. I assume that there is some difference. Reading through the README file it states that bootstrap is used to create standard certificate for testing. Maybe some data in the files (index, dh, random ….) do not match the information in the *.cnf files you modified. I would use the makefile.
Can you try a
- make destroycerts
- make clean
- make all
- make client
This is what worked for me (just gave it a try).
Regards
Alexander
-
Hi,
the problem is, that in pfsense there is no "make"…command not found.
I think this is "normal" because pfsense is a firewall solution an noone should or needs to compile something.Perhaps I will try it with the single commands in the "Makefile" or I will test it on a linux live CD.
PS: Do you know if it is possible to do authentication on freeRADIUS using the device MAC address ?
I know freeRADIUS can do this but is it possible with the pfsense freeRADIUS GUI ?
Or do I have to edit the users file manually with different parameters ? I think this is the only way or do you have other experience ? -
Hi,
I uploaded the files to an Ubuntu live CD and then it works with "make" and "make client"
no errors and files with more than zero bytes and p12 files :-)
Tomorrow I will try it with my pfsense and my switches.Thank you very much for your help and taking time for my problem!
I will post back if it works or if I expect more problems :D -
I uploaded the files to an Ubuntu live CD and then it works with "make" and "make client"
no errors and files with more than zero bytes and p12 files :-)
Tomorrow I will try it with my pfsense and my switches.… great that everything is there now. Everything else should be a breeze ...
PS: Do you know if it is possible to do authentication on freeRADIUS using the device MAC address ?
I know freeRADIUS can do this but is it possible with the pfsense freeRADIUS GUI ?
Or do I have to edit the users file manually with different parameters ? I think this is the only way or do you have other experience ?If a MAC authentication is possible, then you definately can do it. You will have to manually edit the necessary files, since there isn't a GUI integration for all the features in freeradius. I personally don't have any experience with this feature.
Cheers
Alexander
-
Hi,
just want to let you know, that I got freeRADIUS on pfsense with my CISCO SG-300 and Windows XP working. The creation of the certificates is much easier under a linux distrubution which has "make" installed than under pfsense ;-)
But now I have another question:
To authenticate to the network I still need a to enter the username and password on the Windows XP machine. The problem is that in my network the PCs are NOT in a domain. They are all workgroup PCs.
And it is common, that many users use the same Windows Logon Name than others and the same password (or no password).Is it possible to enter (AND SAVE) a custom username and password so that the users do not need to enter them every time they connect to the network ?
I read something about "computer certificates" which work before the use will logon into windows.
Thank you!
-
Hi,
just want to let you know, that I got freeRADIUS on pfsense with my CISCO SG-300 and Windows XP working. The creation of the certificates is much easier under a linux distrubution which has "make" installed than under pfsense ;-)
But now I have another question:
To authenticate to the network I still need a to enter the username and password on the Windows XP machine. The problem is that in my network the PCs are NOT in a domain. They are all workgroup PCs.
And it is common, that many users use the same Windows Logon Name than others and the same password (or no password).Is it possible to enter (AND SAVE) a custom username and password so that the users do not need to enter them every time they connect to the network ?
I read something about "computer certificates" which work before the use will logon into windows.
Thank you!
Not quite sure I understand you.
The client certificates are being used for the authentication to the Wifi/Radius Network. I assume this works. As mentioned previously you need to copy the client.p12 and the ca certificate to each client and activate the "certificate authentication" in the wifi settings. This works without additional uid/pw. You have to have TLS (and not TTLS) authentication.
Do you want to have windows logon using a certificate (has nothing to do with wifi/radius)?
REgards
Alexander
-
Hi,
I am not using WiFi.
I would like to authenticate windows machines with certificates against radius. This is working.
If I do not install the client.p12 on the windows machine, I cannot authenticate.But in Windows I have always to enter a username and a password, if I connect the network cable.
The username/password is the same I have to enter in the freeRADIUS webGUI on pfsense.
Is this different to you ? Don't you have to enter a username/password in the freeRADIUS webGUI ?Thanks!
-
Hi Nachtfalke,
I'm using Radius+Certificates for the wifi EAP (WPA2) authentication. So this is to allow/disallow access to my wifi network using certificates.
Reading your last posts you it seems as if you want to use a certificate to log on to windows using a Radius server.
I'm sorry, but I cannot help you with that (if I understood your problem correctly)
Cheers
Alexander
-
Hi,
you didn't understand me correct or I didn't explain it correct.
Take a look at this thread:
http://www.administrator.de/index.php?content=154402#644826Scroll down to the chapter:
Clients für die 802.1x Zugangskontrolle einrichtenAfter I login into windows, with my username and password I can see the desktop, open word an so on.
If I connect my LAN cable to the switch, there appears a hint in the systray "There are additional information needed to access the network". There I have to enter the username/password I entered in the freeRADIUS users tab on pfsense.Windows XP allows you to use the same username and password for this authentication as you used for the windows logon. (This you can see in the third and fith picture in the chapter I told you above: (Clients für die 802.1x Zugangskontrolle einrichten) If you want to use a different username/password then the sixth picture appears.)
I want to save the information in the sixth picture for the entire computer and every user on this computer.
BUT I would be interested in, what your users file of freeradius contains.
I think there is a difference between using an AP or a switch to authenticate with freeradius.
-
Hi,
Ok, now I understand your problem. I've looked at the document you linked. I have one main difference:
in the authentication section it is posted that for the EAP type you need to select "Geschütztes EAP (PEAP)". I have "Smart Card or other Certificate" (this is the other setting).
If you look here -> http://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol
It is described that PEAP is similar to TTLS. It is basically a tunnel that is generated. TTLS or PEAP has an inner and an outer layer. One is the certificate the other is uid/pw. thats why you are being prompted for uid/pw.
for my config I only used EAP (so only the certificate authentication without a tunnel). therefore also the "smart card or other certificate" setting in the EAP type.
Since your computers are not connected to a domain you cannot pass the creditials (thats why you're being prompted).
Now the question is do you need PEAP, or is EAP sufficiant ?
Cheers
Alexander
-
Hi,
I think it would be enough with EAP. It will be better than only MAC address filtering I think.
I tried with "other certificate or smartcard" but I think I missed some checkboxes there.
Do you have a solution for me how to configure it the right way ? -
Nachtfalke,
here are my config screens … in the second screen the "intern-CA" is my CA that is used for the client and server certificate.
I cannot test it on my LAN, since my radius isn't configed for this, but it is identical to my WLAN config. After connecting to the LAN, and aquiring an IP address you should be prompted for the certificate needed for the authentication.
Additional on your Cisco switch can you explicitly config the authentication to EAP ? So that the switch explicitly uses this authentication method.
If this doesn't work, could you post the config of the cisco and also the "radiusd -X" log (this then has the config and also the challenge/response during the authentication.
Regards
Alexander
