FreeRadius / EAP-TLS: Client certificate cannot be found
-
Here I just fired up debug
Ready to process requests
(0) Received Access-Request Id 46 from 192.168.2.2:54594 to 192.168.2.253:1812 length 218
(0) User-Name = "i5-win.local.lan"
(0) NAS-Identifier = "802aa8144f07"
(0) Called-Station-Id = "80-2A-A8-14-4F-07:unifi-ent"
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) Calling-Station-Id = "38-59-F9-5F-63-C1"
(0) Connect-Info = "CONNECT 0Mbps 802.11b"
(0) Acct-Session-Id = "CE20F0FE770BE285"
(0) WLAN-Pairwise-Cipher = 1027076
(0) WLAN-Group-Cipher = 1027076
(0) WLAN-AKM-Suite = 1027073
(0) Framed-MTU = 1400
(0) EAP-Message = 0x022f00150169352d77696e2e6c6f63616c2e6c616e
(0) Message-Authenticator = 0x4e601cac6b1b7beb7d8b7a1515aaeb9f
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "i5-win.local.lan", skipping NULL due to config.
(0) [suffix] = noop
(0) ntdomain: Checking for prefix before "\"
(0) ntdomain: No '\' in User-Name = "i5-win.local.lan", skipping NULL due to config.
(0) [ntdomain] = noop
(0) eap: Peer sent EAP Response (code 2) ID 47 length 21
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_tls to process data
(0) eap_tls: Initiating new EAP-TLS session
(0) eap_tls: Setting verify mode to require certificate from client
(0) eap_tls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 48 length 6
(0) eap: EAP session adding &reply:State = 0xd6e29e6ad6d29369
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 46 from 192.168.2.253:1812 to 192.168.2.2:54594 length 0
(0) EAP-Message = 0x013000060d20
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xd6e29e6ad6d29369189a0f067167850f
(0) Finished request
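The two EAP-Message values in the debug output above are raw EAP packets (RFC 3748). The decoder below is an added example, not part of the original post or of FreeRADIUS; it parses both logged values and shows that they are exactly the EAP-Identity response and the EAP-TLS Start request the debug lines describe.

```python
# Added example: decode the "EAP-Message = 0x..." values from a FreeRADIUS debug log.
# EAP header (RFC 3748): Code(1) Identifier(1) Length(2) [Type(1) Type-Data...]
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS",
             25: "PEAP", 26: "EAP-MSCHAPv2"}

def decode_eap_message(hex_value: str) -> dict:
    """Parse one complete EAP packet as printed in an EAP-Message attribute."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    # A single RADIUS EAP-Message attribute holds at most 253 bytes; longer EAP
    # packets are split over several attributes and must be concatenated first.
    if length != len(raw):
        raise ValueError(f"EAP Length {length} != {len(raw)} bytes present (fragmented?)")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):  # only Request/Response carry a Type byte
        eap_type = raw[4]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        body = raw[5:]
        if eap_type == 1:
            # Identity is the outer, unauthenticated NAI the supplicant claims.
            pkt["identity"] = body.decode("utf-8", "replace")
        elif eap_type == 13:
            # EAP-TLS flags byte: L = length included, M = more fragments, S = start
            flags = body[0]
            pkt["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                            "S": bool(flags & 0x20)}
            if flags & 0x80:
                pkt["tls_message_length"] = struct.unpack("!I", body[1:5])[0]
    return pkt

if __name__ == "__main__":
    # The two values quoted from the debug output above.
    for value in ("0x022f00150169352d77696e2e6c6f63616c2e6c616e", "0x013000060d20"):
        print(decode_eap_message(value))
```

The first value decodes to Response/ID 47/length 21 carrying the identity "i5-win.local.lan", the second to Request/ID 48/length 6 of type EAP-TLS with only the Start flag set, matching "[eaptls start] = request" in the log.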
How did you ever think it would work without the key on the client??? You need to install the key on the client as well.
-
Well... as I said, I'm neither a network specialist nor a security specialist...
The docs say that "if space does not work you can add a password..." So I assume that the openssl pkcs12 -export command adds a password to the .p12 file when exporting the cert?
I must apologize for my ignorance, but I'm not sure about how I should make the correct openssl command in my case. I understand the "-out user.p12" and the "-export", but the rest...
Or maybe the Cert.Manager database is a set of flat files in a certain directory? Then I only need to figure out the directory where to execute the command... So ca.crt is the CA, user.crt is the client certificate, user.key is the private key for user.crt... but how to specify the password?
-
Download the certs and key to your machine and run openssl there; don't try to do it on pfsense directly.
Openssl will run on anything: Windows, Mac, Linux... Guess you can put the files directly on pfsense - but no, you're not going to find them stored as files - they are in the xml config file.
-
@DaveU said in FreeRadius / EAP-TLS: Client certificate cannot be found:
The docs say that "if space does not work you can add a password..." So I assume that the openssl pkcs12 -export command adds a password to the .p12 file when exporting the cert?
I must apologize for my ignorance, but I'm not sure about how I should make the correct openssl command in my case. I understand the "-out user.p12" and the "-export", but the rest...
Or maybe the Cert.Manager database is a set of flat files in a certain directory? Then I only need to figure out the directory where to execute the command... So ca.crt is the CA, user.crt is the client certificate, user.key is the private key for user.crt... but how to specify the password?

openssl pkcs12 -in peerCert.pem -inkey peerKey.pem -certfile caCert.pem -export -out peer.p12
-
@johnpoz @Konstanti thank you both for your kind assistance and patience with me!
It was just as I anticipated in my OP ("I must have done some beginner's error but seem to be blind for that..."). I only missed that part of the pfSense documentation which mentioned that some clients refuse to load the .p12 file without a password, and that I should use openssl on my Windows workstation to create the .p12 archive with a password.
With that information pointed out to me, I was able to do my first certificate based EAP-TLS authentication over WLAN a few minutes ago. I think now I might have all the pieces I need to complete my configuration.
Tomorrow I'll proceed to the wired connections and will also play a little around with the user vs. device authentication using EAP-MSCHAP v2... (today I was able to use user authentication but for some reason not the device authentication, and I'd like to understand why...)
But anyway, thank you so much!
-
After playing around for a little while I made an interesting discovery that I have not been able to find an explanation to...
FreeRadius EAP Settings has a check box "Check Client Certificate CN" ("When enabled, the Common Name of the client certificate must match the username set in 'FreeRADIUS > Users'").
When using a certificate to authenticate, it seems to me that the certificate CN would NOT be checked against the Users database. Regardless of the users I have added, I always get error messages like the ones below when I have that check box checked:
- Nov 30 17:33:15 radiusd 1388 tls: Certificate CN (K14) does not match specified value (host/K14)!
- Nov 30 17:33:15 radiusd 1388 tls: TLS_accept: Error in error
- Nov 30 17:33:15 radiusd 1388 (4) Login incorrect (Failed retrieving values required to evaluate condition): [host/K14/<via Auth-Type = eap>] (from client SW21 port 2 cli xx-xx-xx-xx-xx-xx) host/K14 -
So far I have not been able to figure out how to effectively enable the client cert. CN check.
I wonder if this is also some stupid beginner's mistake, or is this something else?
And where does this "host/" prefix come from? At least it seems to be independent of the 802.1X authentication mode in the client (User vs. computer authentication)...
When the check box is not checked, authentication with the certificate succeeds without any problems.
FWIW, the RADIUS debug log reveals:
- (2) files: users: Matched entry host/K14 at line 2
- (2) [files] = ok
...so it seems that it indeed performs the check against user database where I have an entry "host/K14".
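The "Certificate CN (K14) does not match specified value (host/K14)!" line above is an exact string comparison between the client certificate's CN and the User-Name that FreeRADIUS received. The identity form host/<computername> is what a Windows supplicant sends for computer (machine) authentication, so a CN of K14 can never equal it byte for byte. The script below is an added example, not part of the post or of FreeRADIUS: it scans radiusd log lines of the format shown above and classifies each CN mismatch as either a machine-auth prefix difference or a genuinely different subject. The sample log is constructed from the lines quoted above plus one made-up line.

```python
# Added example: triage "Certificate CN (...) does not match specified value (...)"
# messages from a radiusd log. Log lines are constructed samples.
import re

SAMPLE_LOG = """\
Nov 30 17:33:15 radiusd 1388 tls: Certificate CN (K14) does not match specified value (host/K14)!
Nov 30 17:33:15 radiusd 1388 tls: TLS_accept: Error in error
Nov 30 17:34:02 radiusd 1388 tls: Certificate CN (laptop07) does not match specified value (jdoe)!
"""

CN_MISMATCH = re.compile(
    r"tls: Certificate CN \((?P<cn>[^)]*)\) does not match specified value "
    r"\((?P<expected>[^)]*)\)!"
)

MACHINE_AUTH_PREFIX = "host/"  # identity prefix used by Windows computer authentication

def classify_mismatch(cn: str, expected: str) -> str:
    """FreeRADIUS compares CN and the configured value exactly (as the log shows).
    Distinguish a mismatch caused only by the machine-auth prefix from a real one."""
    if cn == expected:
        return "match"
    if expected.startswith(MACHINE_AUTH_PREFIX):
        hostname = expected[len(MACHINE_AUTH_PREFIX):]
        # Hostnames are case-insensitive, so compare them folded.
        if hostname.lower() == cn.lower():
            return "machine-auth prefix only"
    return "different subject"

def scan_cn_mismatches(log_text: str) -> list:
    """Return (cn, expected, classification) for every CN-mismatch line found."""
    results = []
    for line in log_text.splitlines():
        m = CN_MISMATCH.search(line)
        if m:
            results.append((m["cn"], m["expected"],
                            classify_mismatch(m["cn"], m["expected"])))
    return results

if __name__ == "__main__":
    for cn, expected, verdict in scan_cn_mismatches(SAMPLE_LOG):
        print(f"CN={cn!r} expected={expected!r}: {verdict}")
```

A "different subject" verdict means a client presented a certificate whose CN does not correspond to the identity it claimed, which is the case the CN check exists to catch and is worth alerting on.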