Netgate Discussion Forum
    FreeRADIUS2 - EAP-TLS and Users Certificates

    pfSense Packages
    5 Posts 4 Posters 3.6k Views

    • dcd018

      I've been trying to get the FreeRADIUS2 package working with EAP-TLS auth on my local wifi network. Clients are able to authenticate against the FreeRADIUS server listening on my LAN just fine; everything is working in that regard. The issue I'm running into is when a user attempts to connect to an AP: after accepting the CA root and server certificate, they are not prompted to select a user certificate if one isn't already installed; they are able to connect without one. I've configured an internal CA, server/user certificates and a CRL within the pfSense certificate manager, which are defined under Services -> FreeRADIUS -> EAP -> TLS Certificates. "Check to Use pfSense Certificate Manager" and "Check Cert. Issuer" are both enabled and all CA info is filled in. I've researched this topic in depth; I've tried power cycling, restarting the FreeRADIUS service, re-installing the package, re-creating certs, etc. Users are still able to connect without a certificate.

      Here's the eap.conf:

      
      /usr/local/etc/raddb/eap.conf
      Array	### EAP
      	eap {
      		default_eap_type = tls
      		timer_expire     = 60
      		ignore_unknown_eap_types = no
      		cisco_accounting_username_bug = no
      		max_sessions = 4096
      
      		### DISABLED WEAK EAP TYPES MD5, GTC, LEAP ###
      
      		### EAP-TLS and EAP-TLS with OCSP support
      		tls {
      			certdir = ${confdir}/certs
      			cadir = ${confdir}/certs
      			private_key_password = whatever
      			private_key_file = ${certdir}/server_key.pem
      			certificate_file = ${certdir}/server_cert.pem
      			CA_file = ${cadir}/ca_cert.pem
      			dh_file = ${certdir}/dh
      			random_file = ${certdir}/random
      			fragment_size = 1024
      			include_length = yes
      			check_crl = yes
      			CA_path = ${cadir}
      			check_cert_issuer = "/C=US/ST=xxxxxx/L=xxxxx/O=My Company Ltd/emailAddress=xxxxxxxxx/CN=internal-ca"
      			check_cert_cn = %{User-Name}
      			cipher_list = "DEFAULT"
      			ecdh_curve = "prime256v1"
      			cache {
      			      enable = no
      			      lifetime = 24
      			      max_entries = 255
      			}
      			verify {
      		#     		tmpdir = /tmp/radiusd
      		#    		client = "/path/to/openssl verify -CApath  %{TLS-Client-Cert-Filename}"
      			}
      			ocsp {
      			      enable = no
      			      override_cert_url = no
      			      url = "http://127.0.0.1/ocsp/"
      			}
      		}
      
      		### EAP-TTLS
      		ttls {
      			default_eap_type = md5
      			copy_request_to_tunnel = no
      			use_tunneled_reply = no
      			include_length = yes
      		}	### end ttls
      
      		### EAP-PEAP
      		peap {
      			default_eap_type = mschapv2
      			copy_request_to_tunnel = no
      			use_tunneled_reply = no
      		#	proxy_tunneled_request_as_eap = yes
      			### MS SoH Server is disabled ###
      		}
      		mschapv2 {
      		#	send_error = no
      		}
      	}
      
      

      I can also confirm /usr/local/etc/raddb/ca_cert.pem contains both certificate and CRL.

      Any help would be much appreciated!

      • johnpoz (LAYER 8 Global Moderator)

        What client are you using?

        I have this running for windows 7 clients, iphone and ipad running ios 10.2.1 and my sons android phone was authing with it as well.. Not sure what flavor he is running.

        
        [2.3.3-RELEASE][root@pfsense.local.lan]/root: cat /usr/local/etc/raddb/eap.conf
        Array   ### EAP
                eap {
                        default_eap_type = tls
                        timer_expire     = 60
                        ignore_unknown_eap_types = yes
                        cisco_accounting_username_bug = no
                        max_sessions = 4096
        
                        ### DISABLED WEAK EAP TYPES MD5, GTC, LEAP ###
        
                        ### EAP-TLS and EAP-TLS with OCSP support
                        tls {
                                certdir = ${confdir}/certs
                                cadir = ${confdir}/certs
                                private_key_password = whatever
                                private_key_file = ${certdir}/server_key.pem
                                certificate_file = ${certdir}/server_cert.pem
                                CA_file = ${cadir}/ca_cert.pem
                                dh_file = ${certdir}/dh
                                random_file = ${certdir}/random
                                fragment_size = 1024
                                include_length = yes
                                check_crl = yes
                                CA_path = ${cadir}
                                check_cert_issuer = "/C=US/ST=IL/L=Schaumburg/O=none/emailAddress=snipped/CN=freerad-ca"
                                ### check_cert_cn = %{User-Name} ###
                                cipher_list = "DEFAULT"
                                ecdh_curve = "prime256v1"
                                cache {
                                      enable = yes
                                      lifetime = 24
                                      max_entries = 255
                                }
                                verify {
                        #               tmpdir = /tmp/radiusd
                        #               client = "/path/to/openssl verify -CApath  %{TLS-Client-Cert-Filename}"
                                }
                                ocsp {
                                      enable = no
                                      override_cert_url = no
                                      url = "http://127.0.0.1/ocsp/"
                                }
                        }
        
                        ### EAP-TTLS
                        ttls {
                                default_eap_type = tls
                                copy_request_to_tunnel = yes
                                use_tunneled_reply = yes
                                include_length = yes
                        }       ### end ttls
        
                        ### EAP-PEAP
                        peap {
                                default_eap_type = tls
                                copy_request_to_tunnel = yes
                                use_tunneled_reply = yes
                        #       proxy_tunneled_request_as_eap = yes
                                ### MS SoH Server is disabled ###
                        }
                        mschapv2 {
                        #       send_error = no
                        }
                }


        From a quick look.. This seems wrong.

        default_eap_type = md5
        default_eap_type = mschapv2

        in yours.. I can post up my gui settings if you like.

        • Finger79

          In the EAP-TLS section, I also have the "Check Client Certificate CN" checkbox checked.  (And made sure the Common Name in all client certificates I generated is identical to the username in the Users tab.)

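The three client-certificate checks that dcd018's eap.conf turns on (CA_file with check_crl = yes, check_cert_issuer, and check_cert_cn, the last being the "Check Client Certificate CN" box Finger79 mentions) can be reproduced from the shell with the openssl CLI, which is a quick way to confirm that a given user certificate would pass them before digging into the RADIUS side. The script below is an added example, not code from the thread or from the pfSense package: it builds a throwaway CA, two user certificates and a CRL with one of them revoked, appends the CRL to the CA certificate the way the poster's ca_cert.pem is laid out, and then runs the checks. The CA name (internal-ca), users (alice, mallory), issuer DN and paths are all constructed for the demo. Keep in mind that these checks only run once a client certificate has been presented: FreeRADIUS configures the EAP-TLS session to fail if the peer sends no certificate, so a client that connects without ever presenting one has negotiated a different EAP method (the ttls and peap sections in the same eap.conf are still enabled), which is what the reply above about default_eap_type points at.

```shell
#!/bin/sh
# Added example, not from the thread: re-create with the openssl CLI the three
# checks that the eap.conf above turns on for a presented client certificate.
#   CA_file + check_crl = yes     -> chain must reach the CA and the cert must
#                                    not be on the CRL carried in the same file
#   check_cert_issuer = "<DN>"    -> issuer DN, in OpenSSL one-line form, must
#                                    equal that string exactly
#   check_cert_cn = %{User-Name}  -> subject CN must equal the RADIUS User-Name
# The CA, users, issuer DN and paths below are constructed for the demo.
set -eu

# check_client_cert CERT CA_BUNDLE EXPECTED_ISSUER_DN USER_NAME
# Exit status 0 if the certificate passes all three checks, 1 otherwise
# (the failing check is printed).
check_client_cert() {
    cert=$1; bundle=$2; expected_issuer=$3; user=$4
    # 1. chain + revocation (bundle = CA cert followed by its CRL, like ca_cert.pem)
    if ! openssl verify -CAfile "$bundle" -crl_check "$cert" >/dev/null 2>&1; then
        echo "FAIL chain/CRL: $cert"; return 1
    fi
    # 2. exact issuer-DN string match; -nameopt compat prints the legacy
    #    /C=../CN=.. one-line form that FreeRADIUS compares against
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt compat | sed 's/^issuer= *//')
    if [ "$issuer" != "$expected_issuer" ]; then
        echo "FAIL issuer: got '$issuer'"; return 1
    fi
    # 3. subject CN must equal User-Name
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt compat \
         | sed -n 's|.*/CN=\([^/]*\).*|\1|p')
    if [ "$cn" != "$user" ]; then
        echo "FAIL cn: '$cn' != User-Name '$user'"; return 1
    fi
    echo "OK $user"
}

# setup_demo_pki DIR: constructed CA, two client certs, then revoke one of them
# and publish a CRL appended to the CA certificate.
setup_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/C=US/O=Example/CN=internal-ca" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    # minimal 'openssl ca' config: only what -revoke and -gencrl need
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $d/index.txt
crlnumber = $d/crlnumber
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_crl_days = 30
EOF
    : > "$d/index.txt"; echo 01 > "$d/crlnumber"
    for u in alice mallory; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/C=US/O=Example/CN=$u" \
            -keyout "$d/$u.key" -out "$d/$u.csr" 2>/dev/null
        openssl x509 -req -in "$d/$u.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -CAcreateserial -days 30 -out "$d/$u.pem" 2>/dev/null
    done
    # revoke mallory, regenerate the CRL, and bundle CA cert + CRL as in the post
    openssl ca -config "$d/ca.cnf" -revoke "$d/mallory.pem" 2>/dev/null
    openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem" 2>/dev/null
    cat "$d/ca.pem" "$d/crl.pem" > "$d/ca_cert.pem"
}

DEMO_DIR=$(mktemp -d)
DEMO_ISSUER="/C=US/O=Example/CN=internal-ca"   # what check_cert_issuer would hold
setup_demo_pki "$DEMO_DIR"
check_client_cert "$DEMO_DIR/alice.pem"   "$DEMO_DIR/ca_cert.pem" "$DEMO_ISSUER" alice   || true
check_client_cert "$DEMO_DIR/mallory.pem" "$DEMO_DIR/ca_cert.pem" "$DEMO_ISSUER" mallory || true
check_client_cert "$DEMO_DIR/alice.pem"   "$DEMO_DIR/ca_cert.pem" "$DEMO_ISSUER" bob     || true
```

To use it against a real setup, point check_client_cert at an exported user certificate, the CA_file FreeRADIUS actually reads (the path under ${cadir} in eap.conf, with the CRL appended), the exact check_cert_issuer string, and the User-Name the client sends. The issuer comparison is byte-for-byte, so attribute order and the emailAddress component both have to match the one-line form of the CA's subject; the CN comparison is likewise exact, which is why the user names in the Users tab must equal the certificate CNs.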
          • Finger79

            @dcd018:

            The issue I'm running into is when a user attempts to connect to an AP, after accepting the CA root and server certificate….

            The best practice is to not give the user the ability to select any CA root or server certificates.  This prevents some Man-In-the-Middle attacks on WPA2-Enterprise where an attacker can set up a rogue Access Point with their own CA and server certificate, and the gullible users will be prompted to accept the attacker's certificate.

            What I did for my home network is export the CA certificate from pfSense and install that on all my laptops/phones/etc.  And also exported each user certificate/private key and imported them to each particular device.

            After that, I hardened the settings a bit.  Here's what it looks like in Windows 7.

            • The "pfSense RADIUS" is extra protection and simply makes sure that the server certificate presented = "pfSense RADIUS" in the Common Name.  It's whatever you set up when you generated the RADIUS server certificate; e.g., "radius.pfsense.localdomain" or "radius.example.com".

            • Trusted Root Certification Authorities - The "pfSense CA" for me showed up after I manually installed the CA certificate into Windows.  This anchors the CA to just one choice and reduces the possibility of an attacker purchasing a valid certificate, from say, Entrust or Verisign and using that in their Rogue AP.

            • "Do not prompt user to authorize new servers or trusted…" - reduces some attacks on WPA2-Enterprise.  An attacker's rogue AP connection will simply fail instead of giving the user the option to trust the attacker and join the pwn party.

            [image: EAP-TLS_Win7.png]

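The same three hardening steps Finger79 describes for Windows 7 (one trusted root CA, a pinned server name, and no prompt to trust an unknown server) map directly onto a wpa_supplicant network block on Linux. The fragment below is an added example, not configuration from the thread; the SSID, identity, file paths and the RADIUS server name are assumed for illustration.

```conf
# Added example (not from the thread): wpa_supplicant equivalent of the
# Windows 7 EAP-TLS settings described above. SSID, identity, paths and the
# server name are assumed values.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice"

    # "Trusted Root Certification Authorities": only the pfSense internal CA
    # may have signed the RADIUS server certificate. Without ca_cert,
    # wpa_supplicant accepts any server certificate.
    ca_cert="/etc/wpa_supplicant/pfsense-ca.pem"

    # The "pfSense RADIUS" name check: the server certificate must carry
    # exactly this name (dNSName SAN or subject CN), not merely chain to the CA.
    domain_match="radius.example.com"

    # The user's own certificate and private key, exported from the
    # pfSense certificate manager.
    client_cert="/etc/wpa_supplicant/alice-cert.pem"
    private_key="/etc/wpa_supplicant/alice-key.pem"
    private_key_passwd="change-me"
}
```

There is no wpa_supplicant equivalent of "prompt user to authorize new servers" to switch off: with ca_cert set, a server certificate that does not validate against that CA, or whose name does not match domain_match, simply fails the association, so a rogue AP gets no chance to ask the user for trust. Run it with the usual `wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf` and watch for the `CTRL-EVENT-EAP-TLS-CERT-ERROR` line in the log when testing against a server with the wrong certificate.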
            • Koby Peleg Hen

              @dcd018
              Hello everyone, I am facing the issue now.
              Users are able to log in without any certificate.....

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.