FreeRADIUS2 - EAP-TLS and Users Certificates
-
I've been trying to get the FreeRADIUS2 package working with EAP-TLS auth on my local wifi network. Clients able to authenticate against the FreeRADIUS server listening on my LAN just fine, everything is working in that regard. The issue I'm running into is when a user attempts to connect to an AP, after accepting the CA root and server certificate, they are not prompted to select a user certificate if one isn't already installed, they are able to connect without one. I've configured an internal CA, server/user certificates and CRL within the pfSense certificate manager which are defined under Services -> FreeRADIUS -> EAP -> TLS Certificates. "Check to Use pfSense Certificate Manager" and "Check Cert. Issuer" are both enabled and all CA info filled in. I've researched this topic in depth, I've tried power cycling, restarting the FreeRADIUS service, re-installing the package, re-creating certs etc.. users are still able to connect without a certificate.
Here's the eap.conf:
/usr/local/etc/raddb/eap.conf Array ### EAP eap { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 ### DISABLED WEAK EAP TYPES MD5, GTC, LEAP ### ### EAP-TLS and EAP-TLS with OCSP support tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = whatever private_key_file = ${certdir}/server_key.pem certificate_file = ${certdir}/server_cert.pem CA_file = ${cadir}/ca_cert.pem dh_file = ${certdir}/dh random_file = ${certdir}/random fragment_size = 1024 include_length = yes check_crl = yes CA_path = ${cadir} check_cert_issuer = "/C=US/ST=xxxxxx/L=xxxxx/O=My Company Ltd/emailAddress=xxxxxxxxx/CN=internal-ca" check_cert_cn = %{User-Name} cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { # tmpdir = /tmp/radiusd # client = "/path/to/openssl verify -CApath %{TLS-Client-Cert-Filename}" } ocsp { enable = no override_cert_url = no url = "http://127.0.0.1/ocsp/" } } ### EAP-TTLS ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no include_length = yes } ### end ttls ### EAP-PEAP peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no # proxy_tunneled_request_as_eap = yes ### MS SoH Server is disabled ### } mschapv2 { # send_error = no } }I can also confirm /usr/local/etc/raddb/ca_cert.pem contains both certificate and CRL.
Any help would be much appreciated!
-
What client are you using?
I have this running for windows 7 clients, iphone and ipad running ios 10.2.1 and my sons android phone was authing with it as well.. Not sure what flavor he is running.
[2.3.3-RELEASE][root@pfsense.local.lan]/root: cat /usr/local/etc/raddb/eap.conf Array ### EAP eap { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = yes cisco_accounting_username_bug = no max_sessions = 4096 ### DISABLED WEAK EAP TYPES MD5, GTC, LEAP ### ### EAP-TLS and EAP-TLS with OCSP support tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = whatever private_key_file = ${certdir}/server_key.pem certificate_file = ${certdir}/server_cert.pem CA_file = ${cadir}/ca_cert.pem dh_file = ${certdir}/dh random_file = ${certdir}/random fragment_size = 1024 include_length = yes check_crl = yes CA_path = ${cadir} check_cert_issuer = "/C=US/ST=IL/L=Schaumburg/O=none/emailAddress=snipped/CN=freerad-ca" ### check_cert_cn = %{User-Name} ### cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = yes lifetime = 24 max_entries = 255 } verify { # tmpdir = /tmp/radiusd # client = "/path/to/openssl verify -CApath %{TLS-Client-Cert-Filename}" } ocsp { enable = no override_cert_url = no url = "http://127.0.0.1/ocsp/" } } ### EAP-TTLS ttls { default_eap_type = tls copy_request_to_tunnel = yes use_tunneled_reply = yes include_length = yes } ### end ttls ### EAP-PEAP peap { default_eap_type = tls copy_request_to_tunnel = yes use_tunneled_reply = yes # proxy_tunneled_request_as_eap = yes ### MS SoH Server is disabled ### } mschapv2 { # send_error = no } }[2.3.3-RELEASE][root@pfsense.local.lan]/root: /code]From a quick look.. This seems wrong.
default_eap_type = md5
default_eap_type = mschapv2in yours.. I can post up my gui settings if you like.
-
In the EAP-TLS section, I also have the "Check Client Certificate CN" checkbox checked. (And made sure the Common Name in all client certificates I generated is identical to the username in the Users tab.)
-
The issue I'm running into is when a user attempts to connect to an AP, after accepting the CA root and server certificate….
The best practice is to not give the user the ability to select any CA root or server certificates. This prevents some Man-In-the-Middle attacks on WPA2-Enterprise where an attacker can set up a rogue Access Point with their own CA and server certificate, and the gullible users will be prompted to accept the attacker's certificate.
What I did for my home network is export the CA certificate from pfSense and install that on all my laptops/phones/etc. And also exported each user certificate/private key and imported them to each particular device.
After that, I hardened the settings a bit. Here's what it looks like in Windows 7.
-
The "pfSense RADIUS" is extra protection and simply makes sure that the server certificate presented = "pfSense RADIUS" in the Common Name. It's whatever you set up when you generated the RADIUS server certificate; e.g., "radius.pfsense.localdomain" or "radius.example.com".
-
Trusted Root Certification Authorities - The "pfSense CA" for me showed up after I manually installed the CA certificate into Windows. This anchors the CA to just one choice and reduces the possibility of an attacker purchasing a valid certificate, from say, Entrust or Verisign and using that in their Rogue AP.
-
"Do not prompt user to authorize new servers or trusted…" - reduces some attacks on WPA2-Enterprise. An attacker's rogue AP connection will simply fail instead of giving the user the option to trust the attacker and join the pwn party.
-
