Netgate Discussion Forum
FreeRADIUS 2 with EAP-TLS

pfSense Packages | 14 Posts, 7 Posters, 10.0k Views
rmessina

Can someone please tell me if the CRL is still broken in the freeradius package for EAP-TLS authentication? Please.
johnpoz (LAYER 8 Global Moderator)

I am running eap-tls with pfSense 2.2.6 x64, freerad2 package 1.6.19 and not having any issues. Using a CA I created on pfSense.

I did a test of revoking a cert once it was using it to install, and it worked just as you would expect. I have multiple clients using this: Windows 7 laptops, iPhone 5c and 5s, iPad and an Android Nexus 4 phone.

The biggest roadblock I found was that the CA in pfSense doesn't put a password on the certs when you export them, and you have to run them through openssl to add a password so you can import them on Apple devices.

I see threads where some stuff doesn't work with Windows 10, but I am not currently using any Win 10 clients so have not run into that issue.

You can see in the attached that in the freerad package I have a CRL listed.

[attachment: crl.png]

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
rmessina

pfSense 2.2.4 x64, FreeRad2 1.6.19

My CA was created on pfSense with no issues and works fine for VPN and for wifi, minus the revoke feature. When I revoke a certificate it shows as revoked and I restart the freeradius service as requested. The wireless client is still able to connect even though the cert is "revoked". The issue is described in detail a few posts above, but it requires a lot of manual intervention to work around the issue. I was able to check the box in the OpenVPN client export package to password protect the certificate before exporting (that may make your life a little easier instead of using openssl to add a password for Apple devices).

So you're saying that you're able to revoke a certificate, and after revoking the cert the client can no longer access wireless, using the freeradius package, pfSense cert manager, and eap-tls authentication for wireless?
rmessina

An update..

I checked my eap.conf file to confirm what XanALaOM00 stated in a previous post. It does have check_crl = yes, and the ca_cert.pem file does appear to have the CA cert and CRL combined when I view the file. I'm perplexed at why the certs that are being revoked can still authenticate.
rmessina

I found the issue. I had a space in my CRL name that was causing the issue. I re-created the CRL without a space and now I can successfully revoke client certs and they no longer have access. This should probably be sent on to pfSense development to throw an error when some silly user tries to create a CRL with a space in the name. ;D ;D ;D
johnpoz (LAYER 8 Global Moderator)

"I was able to check the box in the openvpn client export package to password protect the certificate before exporting"

Not using the same CA as my VPN CA. Guess if I was, maybe that option would work. But in the CA, when you go to download the CA cert key bundle, there is no password on it, which causes an issue for many clients when installing the certs.

[attachment: exportca+cert+key.png]
gsiemon

Thanks for figuring this out. I couldn't get this to work either, but managed to sort it out after changing my CRL name to one without any spaces. I also needed to have at least one revoked certificate; otherwise FreeRADIUS didn't seem to like just looking at the ca_cert.pem file with only the CA certificate in it and no CRL data.
pfusermtj

This is an old thread, and I apologize in advance if solutions have been posted elsewhere…

I have found the workaround solutions above don't quite work, i.e. a change in the radius config (i.e. a user attribute) will cause the radius.conf and the cert files to be overwritten. A little background on my system:

- FreeRADIUS v3
- pfSense v2.42 p1

Now, I think I may have found a workaround that is "sticky". It follows the same method as listed in this thread, but instead of appending the CA/CRL in the same file via the cat command, append the CRL via the pfSense GUI to the CA cert body. This way, every time you reload freeradius, it reads from the pfSense cert files, and now everything works.

Also, I found that if you configure sub CAs, FreeRADIUS has issues with that. So, a workaround for that is to:

- create your root CA
- create a sub CA
- create a CRL for the sub CA
- then "import" a CA; the cert body will be root->sub->crl
- create the FreeRADIUS server cert
- in FreeRADIUS, use the "import" CA and the FreeRADIUS server cert

I found that if you don't do this, FreeRADIUS will error with error 19, self signed in the chain. I understand the reason to use sub certs is for security; as I understand it, root CAs are designed to create sub CAs, not user or server certs. This way, if a sub CA is compromised, you don't have to recreate the cert chain, just that particular sub CA.

I don't claim to be a PKI expert, but the above worked for me.

Note: for revocation to work, you will have to re-paste the CRL info back into the "import" cert and restart radius. Note that restarting radius via the GUI (i.e. Services, click the restart gear) does not work. I found I needed to make a change to FreeRADIUS, i.e. change a setting in the EAP config, save it, then set it back and save it. This seems to trigger a true radius restart.

Hope this helps.
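Everything in this thread comes down to one file: with check_crl = yes, FreeRADIUS reads the CA certificate and the CRL from the same ca_cert.pem, and a bundle that lacks the CRL (wrong name, overwritten by the package, never appended) silently stops protecting anything. The script below is an added example, not code from the thread or from the pfSense package. It builds a throwaway lab CA with openssl, issues one client certificate, and runs openssl's own CRL check against the bundle in the three states the posts describe: CA only, CA plus a CRL that revokes nothing, and CA plus a CRL that lists the client. The lab config, the "Lab CA" and "lab-laptop" names and the temporary directory are all constructed for the example; it demonstrates openssl verify, which is the check the EAP-TLS server builds on, not FreeRADIUS itself.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the CA+CRL bundle FreeRADIUS
# expects in ca_cert.pem with a constructed lab CA and check a client cert
# against it in three states.
set -eu

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
cd "$LAB"
mkdir newcerts
: > index.txt
echo 01 > serial
echo 01 > crlnumber

# Minimal openssl config for the lab CA. $dir is expanded by openssl, not the
# shell, which is why the heredoc delimiter is quoted.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 1
default_crl_days = 1
policy = lab_policy
x509_extensions = client_ext
[ lab_policy ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

# Constructed lab root CA (stands in for the CA created in the pfSense GUI)
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Lab CA" -keyout ca.key -out ca.crt 2>/dev/null

# One client (supplicant) certificate issued by that CA
openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=lab-laptop" \
  -keyout client.key -out client.csr 2>/dev/null
openssl ca -batch -config ca.cnf -in client.csr -out client.crt >/dev/null 2>&1

# check_client BUNDLE CERT: prints "accept" or "reject", the verdict openssl's
# verifier reaches for CERT with CRL checking on and BUNDLE as the trust file.
check_client() {
  if openssl verify -crl_check -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}

# State 1: CA certificate only, no CRL appended (the "ca_cert.pem with no CRL
# data" case). With CRL checking on there is nothing to check against.
cp ca.crt bundle_nocrl.pem
RESULT_NO_CRL=$(check_client bundle_nocrl.pem client.crt)

# State 2: CA certificate followed by a CRL that revokes nothing.
openssl ca -config ca.cnf -gencrl -out empty.crl 2>/dev/null
cat ca.crt empty.crl > bundle_emptycrl.pem
RESULT_EMPTY_CRL=$(check_client bundle_emptycrl.pem client.crt)

# State 3: revoke the client, regenerate the CRL and rebuild the bundle, which
# is the manual step the posts describe after revoking in the cert manager.
openssl ca -config ca.cnf -revoke client.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out revoked.crl 2>/dev/null
cat ca.crt revoked.crl > bundle_revoked.pem
RESULT_REVOKED=$(check_client bundle_revoked.pem client.crt)

echo "CA only, no CRL:       $RESULT_NO_CRL"
echo "CA + empty CRL:        $RESULT_EMPTY_CRL"
echo "CA + CRL with client:  $RESULT_REVOKED"
```

Run it anywhere openssl is installed; it only writes to a temporary directory that is removed on exit. The first state is the one gsiemon hit: once CRL checking is enabled, a bundle with no CRL is not "accept everyone" but "unable to get certificate CRL", so every client fails. The third state is the revoke test johnpoz ran, and it only rejects the client if the bundle actually contains the regenerated CRL, which is exactly what a space in the CRL name or a package overwrite breaks. The second state only records what openssl does with an empty CRL (it accepts); the thread's report that FreeRADIUS wanted at least one revoked entry is not something this script reproduces.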
paolone919191

Still broken, as of now.
paolone919191

Patched by me:

https://github.com/pfsense/FreeBSD-ports/pull/632

With this patch, when you revoke a certificate you need to go to radius config -> eap and "SAVE" to regenerate the CA+CRL file.

The next patch could be to add a function similar to openvpn_refresh_crls() that should be called from /usr/local/www/system_crlmanager.php when you update all the other CRLs.

This is my 2nd day on pfSense, so first I need to see if there is a functions file dedicated to components not installed by default and then write the function. Any advice?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.