Discussion:
Does FreeRADIUS support PEAPv0/EAP-TLS?
Jason Wittlin-Cohen
2008-12-09 00:00:06 UTC
I'm attempting to set up PEAPv0/EAP-TLS, which uses EAP-TLS as the inner
authentication method within PEAP. Unlike EAP-TLS, PEAPv0/EAP-TLS sends the
client certificate within the secure SSL tunnel, thus protecting the user's
identity. While RFC-5216 suggests that EAP-TLS can optionally support a
privacy mode in which the client certificate is pushed through the SSL
tunnel, I've not found any way to enable this option. I have no particular
interest in using PEAPv0/EAP-TLS other than the fact that I know it does
what I want to accomplish. I would be perfectly happy to use EAP-TLS in
Privacy mode, or PEAPv0/MSCHAPv2 with a required client certificate.
However, both these modes pass the client certificate in the clear.

Here's what my testing has shown:

EAP-TLS: Works with both Windows XP Supplicant and Juniper Odyssey Access
Client 4.8
PEAPv0/EAP-MSCHAPv2: Works with both Windows XP Supplicant and Juniper
Odyssey Access Client 4.8
PEAPv0/EAP-MSCHAPv2 + Required Client Certificate: Works with Juniper
Odyssey Access Client 4.8 (XP Supplicant doesn't support MSCHAPv2 +
Certificate)
PEAPv0/EAP-TLS: Fails on both supplicants

I don't think my TLS settings are improper, as both EAP-TLS and
PEAPv0/MS-CHAPv2 + Client Certificate work fine. The debug logs show the
client certificate verified properly.

I've tried pretty much every combination of PEAP options, and after each
permutation I forced a reauthentication so that I could analyze the packets
in Wireshark. No combination of settings forced the client certificate
through the SSL tunnel. I thought "use_tunneled_reply = yes" might
help, but it did not.

I have pasted the relevant configuration settings below as well as a full
log of the failure when I attempt to use PEAPv0/EAP-TLS.
The relevant settings: other than default_eap_type = "tls", my settings are
identical to those for PEAPv0/EAP-MSCHAPv2, which works fine.

The failure log seems to suggest that "tls" is not a supported
authentication mode within PEAP.

[files] users: Matched entry DEFAULT at line 200
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [Jason Wittlin-Cohen] (from client Wireless port 0 via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
[peap] Got tunneled reply RADIUS code 3
[peap] Tunneled authentication was rejected.
[peap] FAILURE

PEAPv0/EAP-TLS Failure Log: http://pastebin.com/m900e269
PEAPv0/MSCHAPv2 Success Log: http://pastebin.com/m16114697
PEAPv0/MSCHAPv2+Cert Success Log: http://pastebin.com/m429d9c12
EAP-TLS Success Log: http://pastebin.com/m2b1c62f4

Relevant Settings:

eap {

default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 3072
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server_key.pem"
certificate_file = "/etc/freeradius/certs/server_cert.pem"
CA_file = "/etc/freeradius/certs/cacert.pem"
dh_file = "/etc/freeradius/certs/dh3072.pem"
random_file = "/etc/freeradius/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "HIGH"
make_cert_command = "/etc/freeradius/certs/bootstrap"
cache {
enable = no

peap {
default_eap_type = "tls"
copy_request_to_tunnel = no
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = no
virtual_server = "inner-tunnel"
}

Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no

modules mschap:

Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = no
}

Users:

"DEFAULT" Cleartext-Password := "**************************************",
EAP-TLS-Require-Client-Cert := Yes

Note: the *'s represent a 32-character randomly generated password.

Thanks in advance,

Jason
--
Jason Wittlin-Cohen
Yale Law School, Class of 2010
jason.wittlin-***@yale.edu
Jason Wittlin-Cohen
2008-12-09 00:10:53 UTC
I forgot to mention that I'm running FreeRADIUS 2.1.0 on Ubuntu 8.10
(2.1.0+dfsg-0ubuntu2 to be exact). As the original binary didn't come with
SSL support, I recompiled it using the Ubuntu source package. The client
computers I have been testing run Windows XP SP3.

Jason
--
Jason Wittlin-Cohen
Yale Law School, Class of 2010
jason.wittlin-***@yale.edu
(908) 420-0861
t***@kalik.net
2008-12-09 10:12:59 UTC
http://wiki.freeradius.org/EAP

You should be able to set anonymous as the user name for the outer tunnel EAP-TLS
negotiation on the supplicant and use EAP-TLS with the identity hidden.

Ivan Kalik
Kalik Informatika ISP
Jason Wittlin-Cohen
2008-12-09 10:25:32 UTC
Ivan,

I already do that with the Juniper Access Client. The problem is that the
client certificate has the user's name as the Common Name and that is sent
in the clear. PEAP/EAP-TLS sends the user's certificate through the tunnel
obviating the issue. I admit this isn't a large problem but it would be a
nice feature to have.

Jason
--
Jason Wittlin-Cohen
Yale Law School, Class of 2010
jason.wittlin-***@yale.edu
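The exposure Jason describes (the client certificate, Common Name included, travelling in the outer EAP-TLS exchange) can be checked for directly on the EAP payloads of captured frames. The block below is an added example, not code from this thread or from FreeRADIUS: a small Python parser that walks the TLS records inside an EAP-TLS or PEAP packet and reports any Certificate handshake message sent before ChangeCipherSpec. The sample packets and the FAKE_CERT bytes are constructed placeholders, not real certificates or captured traffic.

```python
import struct

EAP_RESPONSE, EAP_TYPE_TLS, EAP_TYPE_PEAP = 2, 13, 25
TLS_CHANGE_CIPHER_SPEC, TLS_HANDSHAKE, TLS_APPLICATION_DATA = 20, 22, 23
HS_CERTIFICATE, FLAG_L = 11, 0x80  # handshake type; EAP-TLS "length included" flag

def tls_records(data):
    """Yield (content_type, payload) for each TLS record in a byte string."""
    off = 0
    while off + 5 <= len(data):
        ctype, _version, rlen = struct.unpack("!BHH", data[off:off + 5])
        yield ctype, data[off + 5:off + 5 + rlen]
        off += 5 + rlen

def handshake_messages(payload):
    """Yield (handshake_type, body) for each handshake message in one record."""
    off = 0
    while off + 4 <= len(payload):
        htype, hlen = payload[off], int.from_bytes(payload[off + 1:off + 4], "big")
        yield htype, payload[off + 4:off + 4 + hlen]
        off += 4 + hlen

def plaintext_certificates(eap_packet):
    """Return DER certificates readable in the clear in one EAP-TLS or PEAP packet."""
    _code, _ident, length, etype = struct.unpack("!BBHB", eap_packet[:5])
    if etype not in (EAP_TYPE_TLS, EAP_TYPE_PEAP):
        return []
    tls_start = 6 + (4 if eap_packet[5] & FLAG_L else 0)
    certs = []
    for ctype, payload in tls_records(eap_packet[tls_start:length]):
        if ctype == TLS_CHANGE_CIPHER_SPEC:
            break  # everything after this record is encrypted; stop parsing
        if ctype != TLS_HANDSHAKE:
            continue  # application_data (the PEAP inner tunnel) is opaque here
        for htype, body in handshake_messages(payload):
            if htype != HS_CERTIFICATE:
                continue
            end, pos = 3 + int.from_bytes(body[:3], "big"), 3
            while pos + 3 <= end:
                clen = int.from_bytes(body[pos:pos + 3], "big")
                certs.append(body[pos + 3:pos + 3 + clen])
                pos += 3 + clen
    return certs

# Helpers to build constructed sample packets (not captured traffic).
def tls_record(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0301, len(payload)) + payload

def certificate_message(ders):
    entries = b"".join(len(d).to_bytes(3, "big") + d for d in ders)
    body = len(entries).to_bytes(3, "big") + entries
    return bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body

def eap_response(eap_type, tls_bytes, ident=1):
    body = bytes([eap_type, FLAG_L]) + struct.pack("!I", len(tls_bytes)) + tls_bytes
    return struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(body)) + body

FAKE_CERT = b"\x30\x10CN=jason (fake DER)"  # placeholder bytes, not a real certificate
EAP_TLS_PACKET = eap_response(EAP_TYPE_TLS, tls_record(TLS_HANDSHAKE, certificate_message([FAKE_CERT])))
PEAP_PACKET = eap_response(EAP_TYPE_PEAP, tls_record(TLS_APPLICATION_DATA, b"\x9f\x02\x3c\x41" * 8))
```

Run it over the EAP payloads extracted from a capture: a non-empty result for a client response means the supplicant's certificate is readable on the air, as with plain EAP-TLS, while an inner EAP-TLS carried by PEAP yields nothing because it sits in application_data records.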
Alan DeKok
2008-12-09 10:35:48 UTC
FreeRADIUS doesn't support RFC 5216, it's too new.

It has been tested with PEAPv0/EAP-TLS in the past, but it's not a
common configuration. So it might not work now.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jason Wittlin-Cohen
2008-12-09 11:52:53 UTC
Thanks for the quick response. I'll see if it works in 2.1.3 when I upgrade.

Jason
Jason Wittlin-Cohen
2008-12-10 22:33:39 UTC
Alan,

I installed FreeRADIUS 2.1.3 on my Ubuntu 8.10 server and encountered the
same failure with PEAPv0/EAP-TLS. I think I've discovered the problem.
FreeRADIUS expects the client certificate to be sent before the SSL tunnel
is established. When the client sends a response without a certificate, it
complains that the client did not return a certificate and rejects the user.
I've tested with the Juniper Access Client, Intel ProSet client, and XP's
own supplicant and got the same result each time, so I don't think this is a
client-side problem.

Log:

[peap] <<< TLS 1.0 Handshake [length 0007], Certificate
[peap] >>> TLS 1.0 Alert [length 0002], fatal handshake_failure
TLS Alert write:fatal:handshake failure
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [Jason Wittlin-Cohen] (from client Wireless port 55 cli 0013e87d571d)


What's interesting is that if I send a certificate outside the tunnel
(Juniper allows you to send a certificate in addition to any authentication
method, which would in this case lead to the certificate being sent once
outside the tunnel and again inside), authentication still fails, this time
with the "No EAP session matching the State variable" error.

rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [Jason Wittlin-Cohen] (from client Wireless port 0 via TLS tunnel)

eap.conf:

Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs/"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.crt"
CA_file = "/etc/freeradius/certs/ca.crt"
dh_file = "/etc/freeradius/certs/dh3072.pem"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = yes
cipher_list = "HIGH"
check_cert_issuer = "/C=US/O=FreeRadius CA/CN=FreeRadius CA/emailAddress=***@gmail.com"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "tls"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = no
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}

Jason Wittlin-Cohen