FreeRADIUS2 - EAP-TLS and Users Certificates



  • I've been trying to get the FreeRADIUS2 package working with EAP-TLS auth on my local wifi network. Clients are able to authenticate against the FreeRADIUS server listening on my LAN just fine; everything is working in that regard. The issue I'm running into is when a user attempts to connect to an AP: after accepting the CA root and server certificate, they are not prompted to select a user certificate if one isn't already installed, and they are able to connect without one. I've configured an internal CA, server/user certificates and CRL within the pfSense certificate manager, which are defined under Services -> FreeRADIUS -> EAP -> TLS Certificates. "Check to Use pfSense Certificate Manager" and "Check Cert. Issuer" are both enabled and all CA info is filled in. I've researched this topic in depth; I've tried power cycling, restarting the FreeRADIUS service, re-installing the package, re-creating certs, etc., and users are still able to connect without a certificate.

    Here's the eap.conf:

    
    /usr/local/etc/raddb/eap.conf
    Array	### EAP
    	eap {
    		default_eap_type = tls
    		timer_expire     = 60
    		ignore_unknown_eap_types = no
    		cisco_accounting_username_bug = no
    		max_sessions = 4096
    
    		### DISABLED WEAK EAP TYPES MD5, GTC, LEAP ###
    
    		### EAP-TLS and EAP-TLS with OCSP support
    		tls {
    			certdir = ${confdir}/certs
    			cadir = ${confdir}/certs
    			private_key_password = whatever
    			private_key_file = ${certdir}/server_key.pem
    			certificate_file = ${certdir}/server_cert.pem
    			CA_file = ${cadir}/ca_cert.pem
    			dh_file = ${certdir}/dh
    			random_file = ${certdir}/random
    			fragment_size = 1024
    			include_length = yes
    			check_crl = yes
    			CA_path = ${cadir}
    			check_cert_issuer = "/C=US/ST=xxxxxx/L=xxxxx/O=My Company Ltd/emailAddress=xxxxxxxxx/CN=internal-ca"
    			check_cert_cn = %{User-Name}
    			cipher_list = "DEFAULT"
    			ecdh_curve = "prime256v1"
    			cache {
    			      enable = no
    			      lifetime = 24
    			      max_entries = 255
    			}
    			verify {
    		#     		tmpdir = /tmp/radiusd
    		#    		client = "/path/to/openssl verify -CApath  %{TLS-Client-Cert-Filename}"
    			}
    			ocsp {
    			      enable = no
    			      override_cert_url = no
    			      url = "http://127.0.0.1/ocsp/"
    			}
    		}
    
    		### EAP-TTLS
    		ttls {
    			default_eap_type = md5
    			copy_request_to_tunnel = no
    			use_tunneled_reply = no
    			include_length = yes
    		}	### end ttls
    
    		### EAP-PEAP
    		peap {
    			default_eap_type = mschapv2
    			copy_request_to_tunnel = no
    			use_tunneled_reply = no
    		#	proxy_tunneled_request_as_eap = yes
    			### MS SoH Server is disabled ###
    		}
    		mschapv2 {
    		#	send_error = no
    		}
    	}
    
    

    I can also confirm /usr/local/etc/raddb/ca_cert.pem contains both certificate and CRL.

    Any help would be much appreciated!
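The three client-certificate checks this eap.conf turns on (check_crl, check_cert_issuer and check_cert_cn) reproduced with the openssl CLI against a constructed throw-away PKI, as an added example that is not part of the original post or of the pfSense/FreeRADIUS package. The CA, the "demo-ca" DN, the users alice/bob/mallory and all paths are invented for the demo; it needs only openssl, sed and mktemp, writes everything under a temporary directory and removes it on exit.

```sh
#!/bin/sh
# Added example (not from pfSense or the FreeRADIUS package): reproduce with the
# openssl CLI the checks that check_crl, check_cert_issuer and check_cert_cn in
# eap.conf enable, against a constructed throw-away PKI. Every name, DN and user
# below is invented for the demo.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so `openssl ca` can issue certificates and a CRL without
# the system openssl.cnf. CADIR is exported per call to select the CA directory.
cat >"$WORK/ca.cnf" <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir              = $ENV::CADIR
database         = $dir/index.txt
serial           = $dir/serial
crlnumber        = $dir/crlnumber
new_certs_dir    = $dir
certificate      = $dir/ca_cert.pem
private_key      = $dir/ca_key.pem
default_md       = sha256
default_days     = 2
default_crl_days = 2
policy           = any
x509_extensions  = usr_cert
[ any ]
commonName       = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = dn
[ dn ]
commonName       = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF

# new_ca DIR CN: self-signed CA in DIR, the shape the pfSense cert manager makes.
new_ca() {
  export CADIR="$1"; mkdir -p "$1"
  : >"$1/index.txt"; echo 1000 >"$1/serial"; echo 01 >"$1/crlnumber"
  openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$1/ca_key.pem" -out "$1/ca_cert.pem" -days 30 \
    -subj "/C=US/O=My Company Ltd/CN=$2" >/dev/null 2>&1
}
# issue_user DIR NAME: user certificate with CN=NAME signed by the CA in DIR.
issue_user() {
  export CADIR="$1"
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$1/$2_key.pem" -out "$1/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl ca -batch -config "$WORK/ca.cnf" -notext -in "$1/$2.csr" \
    -out "$1/$2_cert.pem" >/dev/null 2>&1
}
# revoke_user DIR NAME marks NAME revoked; gen_crl DIR writes DIR/crl.pem.
revoke_user() { export CADIR="$1"; openssl ca -config "$WORK/ca.cnf" -revoke "$1/$2_cert.pem" >/dev/null 2>&1; }
gen_crl()     { export CADIR="$1"; openssl ca -config "$WORK/ca.cnf" -gencrl -out "$1/crl.pem" >/dev/null 2>&1; }

# verify_client_cert CERT USER-NAME: the checks applied to a presented client
# certificate, in the order FreeRADIUS 2 applies them:
#   check_crl         -> chain validation with CRL lookup (openssl verify -crl_check)
#   check_cert_issuer -> the client cert's issuer DN must equal EXPECTED_ISSUER
#   check_cert_cn     -> the client cert's CN must equal %{User-Name}
verify_client_cert() {
  if ! openssl verify -CAfile "$CA_BUNDLE" -crl_check "$1" >/dev/null 2>&1; then
    echo "reject $1: chain or CRL check failed"; return 1
  fi
  issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt compat | sed 's/^[^/]*//')
  if [ "$issuer" != "$EXPECTED_ISSUER" ]; then
    echo "reject $1: issuer '$issuer' != '$EXPECTED_ISSUER'"; return 1
  fi
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt compat | sed -n 's|.*/CN=\([^/]*\).*|\1|p')
  if [ "$cn" != "$2" ]; then
    echo "reject $1: CN '$cn' != User-Name '$2'"; return 1
  fi
  echo "accept $1 as $2"
}

# Build the PKI: one trusted CA with alice, bob (then revoked) and mallory, plus
# a rogue CA whose DN copies the trusted CA's exactly.
new_ca "$WORK/ca" demo-ca
for u in alice bob mallory; do issue_user "$WORK/ca" "$u"; done
revoke_user "$WORK/ca" bob; gen_crl "$WORK/ca"
new_ca "$WORK/rogue" demo-ca; issue_user "$WORK/rogue" alice

# The file pfSense writes to ${cadir}/ca_cert.pem: CA certificate followed by CRL.
CA_BUNDLE=$WORK/raddb_ca_cert.pem
cat "$WORK/ca/ca_cert.pem" "$WORK/ca/crl.pem" >"$CA_BUNDLE"
EXPECTED_ISSUER="/C=US/O=My Company Ltd/CN=demo-ca"   # the check_cert_issuer value

verify_client_cert "$WORK/ca/alice_cert.pem"    alice || true   # accepted
verify_client_cert "$WORK/ca/mallory_cert.pem"  alice || true   # CN != User-Name
verify_client_cert "$WORK/ca/bob_cert.pem"      bob   || true   # on the CRL
verify_client_cert "$WORK/rogue/alice_cert.pem" alice || true   # same issuer DN, wrong CA
```

Two things the run makes visible. First, check_cert_issuer is a plain string comparison against the issuer DN, so a certificate from a second CA that copies your DN passes that check and is only stopped by the chain validation against CA_file; the issuer check is a filter on which of the trusted CAs may issue wifi users, not a substitute for trusting the right CA. Second, with cadir = ${confdir}/certs the bundle the server reads is ${confdir}/certs/ca_cert.pem, so that is the file that has to carry the current CRL when check_crl = yes. Separately, EAP-TLS itself cannot complete without a client certificate (FreeRADIUS requires a peer certificate on the handshake), so a client that joins without one has negotiated a different method: both eap.conf files on this page still contain ttls and peap sub-sections, and a supplicant may NAK the default_eap_type and ask for one of those; leaving only the tls sub-section enabled leaves only EAP-TLS on offer.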


  • LAYER 8 Global Moderator

    What client are you using?

    I have this running for Windows 7 clients, iPhone and iPad running iOS 10.2.1, and my son's Android phone was authing with it as well. Not sure what flavor he is running.

    
    [2.3.3-RELEASE][root@pfsense.local.lan]/root: cat /usr/local/etc/raddb/eap.conf
    Array   ### EAP
            eap {
                    default_eap_type = tls
                    timer_expire     = 60
                    ignore_unknown_eap_types = yes
                    cisco_accounting_username_bug = no
                    max_sessions = 4096
    
                    ### DISABLED WEAK EAP TYPES MD5, GTC, LEAP ###
    
                    ### EAP-TLS and EAP-TLS with OCSP support
                    tls {
                            certdir = ${confdir}/certs
                            cadir = ${confdir}/certs
                            private_key_password = whatever
                            private_key_file = ${certdir}/server_key.pem
                            certificate_file = ${certdir}/server_cert.pem
                            CA_file = ${cadir}/ca_cert.pem
                            dh_file = ${certdir}/dh
                            random_file = ${certdir}/random
                            fragment_size = 1024
                            include_length = yes
                            check_crl = yes
                            CA_path = ${cadir}
                            check_cert_issuer = "/C=US/ST=IL/L=Schaumburg/O=none/emailAddress=snipped/CN=freerad-ca"
                            ### check_cert_cn = %{User-Name} ###
                            cipher_list = "DEFAULT"
                            ecdh_curve = "prime256v1"
                            cache {
                                  enable = yes
                                  lifetime = 24
                                  max_entries = 255
                            }
                            verify {
                    #               tmpdir = /tmp/radiusd
                    #               client = "/path/to/openssl verify -CApath  %{TLS-Client-Cert-Filename}"
                            }
                            ocsp {
                                  enable = no
                                  override_cert_url = no
                                  url = "http://127.0.0.1/ocsp/"
                            }
                    }
    
                    ### EAP-TTLS
                    ttls {
                            default_eap_type = tls
                            copy_request_to_tunnel = yes
                            use_tunneled_reply = yes
                            include_length = yes
                    }       ### end ttls
    
                    ### EAP-PEAP
                    peap {
                            default_eap_type = tls
                            copy_request_to_tunnel = yes
                            use_tunneled_reply = yes
                    #       proxy_tunneled_request_as_eap = yes
                            ### MS SoH Server is disabled ###
                    }
                    mschapv2 {
                    #       send_error = no
                    }
            }
    [2.3.3-RELEASE][root@pfsense.local.lan]/root:
    

    From a quick look, this seems wrong:

    default_eap_type = md5
    default_eap_type = mschapv2

    in yours. I can post up my GUI settings if you like.



  • In the EAP-TLS section, I also have the "Check Client Certificate CN" checkbox checked.  (And made sure the Common Name in all client certificates I generated is identical to the username in the Users tab.)



  • @dcd018:

    The issue I'm running into is when a user attempts to connect to an AP, after accepting the CA root and server certificate….

    The best practice is to not give the user the ability to select any CA root or server certificates.  This prevents some Man-In-the-Middle attacks on WPA2-Enterprise where an attacker can set up a rogue Access Point with their own CA and server certificate, and the gullible users will be prompted to accept the attacker's certificate.

    What I did for my home network is export the CA certificate from pfSense and install that on all my laptops/phones/etc.  And also exported each user certificate/private key and imported them to each particular device.

    After that, I hardened the settings a bit.  Here's what it looks like in Windows 7.

    • The "pfSense RADIUS" is extra protection and simply makes sure that the server certificate presented = "pfSense RADIUS" in the Common Name.  It's whatever you set up when you generated the RADIUS server certificate; e.g., "radius.pfsense.localdomain" or "radius.example.com".

    • Trusted Root Certification Authorities - The "pfSense CA" for me showed up after I manually installed the CA certificate into Windows.  This anchors the CA to just one choice and reduces the possibility of an attacker purchasing a valid certificate, from say, Entrust or Verisign and using that in their Rogue AP.

    • "Do not prompt user to authorize new servers or trusted…" - reduces some attacks on WPA2-Enterprise.  An attacker's rogue AP connection will simply fail instead of giving the user the option to trust the attacker and join the pwn party.


