Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    FreeRadius / EAP-TLS: Client certificate cannot be found

    Scheduled Pinned Locked Moved General pfSense Questions
    radiuseap-tlscertificate
    26 Posts 4 Posters 6.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • johnpozJ
      johnpoz LAYER 8 Global Moderator
      last edited by johnpoz

      Here I just fired up debug

      Ready to process requests
(0) Received Access-Request Id 46 from 192.168.2.2:54594 to 192.168.2.253:1812 length 218
(0)   User-Name = "i5-win.local.lan"
(0)   NAS-Identifier = "802aa8144f07"
(0)   Called-Station-Id = "80-2A-A8-14-4F-07:unifi-ent"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Service-Type = Framed-User
(0)   Calling-Station-Id = "38-59-F9-5F-63-C1"
(0)   Connect-Info = "CONNECT 0Mbps 802.11b"
(0)   Acct-Session-Id = "CE20F0FE770BE285"
(0)   WLAN-Pairwise-Cipher = 1027076
(0)   WLAN-Group-Cipher = 1027076
(0)   WLAN-AKM-Suite = 1027073
(0)   Framed-MTU = 1400
(0)   EAP-Message = 0x022f00150169352d77696e2e6c6f63616c2e6c616e
(0)   Message-Authenticator = 0x4e601cac6b1b7beb7d8b7a1515aaeb9f
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "i5-win.local.lan", skipping NULL due to config.
(0)     [suffix] = noop
(0) ntdomain: Checking for prefix before "\"
(0) ntdomain: No '\' in User-Name = "i5-win.local.lan", skipping NULL due to config.
(0)     [ntdomain] = noop
(0) eap: Peer sent EAP Response (code 2) ID 47 length 21
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_tls to process data
(0) eap_tls: Initiating new EAP-TLS session
(0) eap_tls: Setting verify mode to require certificate from client
(0) eap_tls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 48 length 6
(0) eap: EAP session adding &reply:State = 0xd6e29e6ad6d29369
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 46 from 192.168.2.253:1812 to 192.168.2.2:54594 length 0
(0)   EAP-Message = 0x013000060d20
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0xd6e29e6ad6d29369189a0f067167850f
(0) Finished request

      How did you ever think it would work without the key on the client??? You need to install the key on the client as well..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      1 Reply Last reply Reply Quote 0
      • D
        DaveU
        last edited by

        😀 well.... as I said, I'm neither a network specialist nor a security specialist...

        The docs say that "if space does not work you can add a password..." So I assume that the openssl pkcs12 -export command adds a password to the .p12 file when exporting the cert?

        I must apologize for my ignorance, but I'm not sure about how I should make the correct openssl command in my case. I understand the "-out user.p12" and the "-export", but the rest...

        Or maybe the Cert.Manager database is a set of flat files in certain directory? Then I only need to figure out the directory where to execute the command... So ca.crt is the CA, user.crt is the client certificate, user.key is the private key for user.crt... but how to specify the password?

        K 1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by johnpoz

          download the certs and key to your machine - and run openssl there, don't try and do it on pfsense directly.

          Openssl will run on anything windows, mac, linux... Guess you can put the files directly on pfsense - but no your not going to find them stored as files - they are in the xml config file..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          1 Reply Last reply Reply Quote 0
          • K
            Konstanti @DaveU
            last edited by

            @DaveU said in FreeRadius / EAP-TLS: Client certificate cannot be found:

            The docs say that "if space does not work you can add a password..." So I assume that the openssl pkcs12 -export command adds a password to the .p12 file when exporting the cert?
            I must apologize for my ignorance, but I'm not sure about how I should make the correct openssl command in my case. I understand the "-out user.p12" and the "-export", but the rest...
            Or maybe the Cert.Manager database is a set of flat files in certain directory? Then I only need to figure out the directory where to execute the command... So ca.crt is the CA, user.crt is the client certificate, user.key is the private key for user.crt... but how to specify the password?

            openssl pkcs12 -in peerCert.pem -inkey peerKey.pem -certfile caCert.pem -export -out peer.p12

            1 Reply Last reply Reply Quote 0
            • D
              DaveU
              last edited by

              @johnpoz @Konstanti thank you both for your kind assistance and patience with me!

              It was just as I anticipated in my OP ("I must have done some beginner's error but seem to be blind for that..."). I only missed that part of pfSense documentation which mentioned about some clients refusing to load the .p12 file without password - and that I should use openssl in my Windows workstation to create the .p12 archive with a password.

              With that information pointed to me, I was able to do my first certificate based EAP-TLS authentication over WLAN a few minutes ago. I think now I might have all the pieces I need to complete my configuration.

              Tomorrow I'll proceed to the wired connections and will also play a little around with the user vs. device authentication using EAP-MSCHAP v2... (today I was able to use user authentication but for some reason not the device authentication, and I'd like to understand why...)

              But anyway, thank you so much!

              D 1 Reply Last reply Reply Quote 0
              • D
                DaveU @DaveU
                last edited by DaveU

                After playing around for a little while I made an interesting discovery that I have not been able to find an explanation to...

                FreeRadius EAP Settings has a check box "Check Client Certificate CN" ("When enabled, the Common Name of the client certificate must match the username set in 'FreeRADIUS > Users'").

                When using a certificate to authenticate, it seems to me that the certificate CN would NOT be checked against the Users database. Regardless of the users I have added, I always get error messages like below when I have that check box checked:

                • Nov 30 17:33:15 radiusd 1388 tls: Certificate CN (K14) does not match specified value (host/K14)!
                • Nov 30 17:33:15 radiusd 1388 tls: TLS_accept: Error in error
                • Nov 30 17:33:15 radiusd 1388 (4) Login incorrect (Failed retrieving values required to evaluate condition): [host/K14/<via Auth-Type = eap>] (from client SW21 port 2 cli xx-xx-xx-xx-xx-xx) host/K14 -

                So far I have not been able to figure how to effectively enable the client cert. CN check.

                I wonder if this is also some stupid beginner's mistake, or is this something else?

                And where does this "host/" prefix come from? At least it seems to be independent of the 802.1X authentication mode in the client (User vs. computer authentication)...

                When the check box is not checked, authentication with the certificate succeeds without any problems.

                FWIW, Radius debug log reveals:

                • (2) files: users: Matched entry host/K14 at line 2
                • (2) [files] = ok

                ...so it seems that it indeed performs the check against user database where I have an entry "host/K14".

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.