FreeRADIUS 3 and Wildcard Certs

0

I am setting up a new FreeRADIUS server here on campus, jumping from v1 to v3 (I was not here when the original was setup). Things seem to be working fine, but I do not understand how the certificates portion works when using Windows 7.

We have a wildcard SSL cert for our domain. Can I use that same cert with our RADIUS server to forego the need to import our CA cert into each client?

If so, how would I go about doing so?

Thank you for your help.

Bob Martens

Posted 2015-05-18T19:38:46.363

Reputation: 3

Does your domain not use its own certificates by its own CA? You should use these, if possible. – Michael Hampton – 2015-05-18T19:41:58.380

We do in some instances, and we can if need be. Right now we are trying to eliminate steps if we can and having students install the certificate on their machine to gain access to our wifi network is seen as an erroneous task. – Bob Martens – 2015-05-18T19:52:21.093

These are basically BYOD devices, then? In that case, you should have students install the server certificate. This is a bit of a pain on XP, Vista and Windows 7 clients, which need to be set up in advance; anything else (8/8.1, iOS, Android) will import the server certificate the first time the user signs in. Note that you can't use public or wildcard certificates anyway as Windows will reject them. For a student network I'd maintain a separate CA for this anyway.

– Michael Hampton – 2015-05-18T20:00:13.130

That seems reasonable. I'll pursue that course. Thanks! – Bob Martens – 2015-05-18T20:19:58.730

I'm not sure what MichaelHampton meant by public certificates, but you can certainly use certificates signed by public, pre-installed, root CAs. – Arran Cudbard-Bell – 2015-05-18T21:58:30.743

It seems like when I do, I still need to load a server cert since Windows 7 still balks. Also possible that I don't have things configured correctly. – Bob Martens – 2015-05-18T22:02:20.707

IIRC the entire certificate chain needs to be available to FreeRADIUS. I think you put the root CA and all intermediary CAs in the same file as the server cert. – Arran Cudbard-Bell – 2015-05-18T22:05:07.170

That will be someplace I start. What I was using was a bundle from the CA of three certs. – Bob Martens – 2015-05-18T22:07:33.747

Config notes confirm you need to put them all in the server.pem file: https://github.com/FreeRADIUS/freeradius-server/blob/v3.1.x/raddb/mods-available/eap#L184

– Arran Cudbard-Bell – 2015-05-18T22:14:56.683

Answers

1

No. You still need the CA cert to be present on each supplicant machine, and trusted by each supplicant.

Even if you present a certificate signed by a pre-installed CA, most supplicants require the user to explicitly trust that CA before accepting the certificate.

802.1X, 802.11i and no EAP standards that i'm aware of, specify a relationship between the CN of the certificate presented to the supplicant, and the SSID of the network, so the CN can be anything you want, with the caveat that some windows supplicants do not accept wildcard certs (apparently, i've never verified this personally).

The same certificate may be presented by multiple RADIUS servers in the same cluster, though if you use a front end load balancer, it must ensure that all packets in the EAP conversation go to the backend server. Because of the possibility that many users will configure an anonymous outer identity, this is best done using the Calling-Station-ID attribute in the RADIUS packet.

For added security, if you're using a pre-installed, public, root CA, it's best if you configure the supplicant to verify the CN in the certificate matches a preset value. This prevents spoofing attacks using other certificates signed by the same public root CA.

Though, because of the possibility of misconfigured supplicants, it's best practice to avoid public root CAs, roll your own CA, distribute this to users of the network in an importable network profile, and in this profile enable CN verification.

There are multiple tools which can generate these profiles for different platforms/supplicants. If you're planning on deploying eduroam, you may want to check out Eduroam CAT.

There's also Cloudpath's xpressconnect which is a dissolvable installer, which in addition to installing the profiles, may act as a temporary NAC agent, verifying patch levels and driver versions.

Arran Cudbard-Bell

Posted 2015-05-18T19:38:46.363

Reputation: 1 178

Thank you for the response. I'm going to go ahead and forego what I was thinking (incorrectly) and push ahead with our own certificates. I'll just need to put together some documentation to hopefully head off the questions. – Bob Martens – 2015-05-18T21:46:32.467

1Top tip for this, is to never rely on the users to configure the supplicants correctly. There'll always be some (a significant number) who get it wrong, irrespective of the quality of the documentation you provide.

Automated installers dramatically reduce the load on the helpdesk, and increase the security of the network.

I pretty much lived in client services for the first three weeks of the term, when University of Sussex took the wired 802.1X 'ResNet' service live in 2008. – Arran Cudbard-Bell – 2015-05-18T21:55:43.360