Discussion:
PEAP - Intermediate CA
CJ O
2009-05-11 23:15:15 UTC
Good Afternoon -

I am having an issue where FreeRadius is not handing the intermediate CA to a windows WPA2 client. We are in the process of deploying WPA2/AES with PEAP. So we purchased a certificate from a company that has a Trusted Root CA in Windows, Mac OSX, and Linux. However, it was signed with their intermediate CA, so the OS will not validate the certificate during authentication.

The only solution seems to be installing the intermediate CA certificate on all my clients (2,000-3,000). Is it possible to chain the certificates together like you can in Apache?

Thanks
CJ
Alan DeKok
2009-05-12 07:31:47 UTC
Post by CJ O
I am having an issue where FreeRadius is not handing the intermediate CA
to a windows WPA2 client. We are in the process of deploying WPA2/AES
with PEAP. So we purchased a certificate from a company that has a
Trusted Root CA in Windows, Mac OSX, and Linux. However, it was signed
with their intermediate CA, so the OS will not validate the certificate
during authentication.
So long as the CA chain is intact, this should work.
Post by CJ O
The only solution seems to be installing the intermediate CA certificate
on all my clients (2,000-3,000). Is it possible to chain the
certificates together like you can in Apache?
Yes. But you need to install the CA chain on the RADIUS server. See
eap.conf:

# If CA_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
certificate_file = ${certdir}/server.pem

Odds are you didn't include the intermediate certificates in the
RADIUS configuration.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Meyers, Dan
2009-05-12 08:42:06 UTC
I was having this exact same problem for a significant period of time
when I bought a new Verisign cert for our servers which was chained (the
old one being directly root signed, which Verisign no longer do). It
would appear to be a bug/security patch in XP sometime after SP2 that
causes this. Odds are, assuming you have set it up right (I used this
exact same list with some setup issues I was having) that FreeRadius
*is* sending your Intermediate CA to the client, but the client is
ignoring it. Using Wireshark or similar to packet dump should show you
how many certs you are being passed.

I am reliably informed by networking staff at another University who had
the same issue that if you try with a vanilla install of SP2 with no
additional security patches or similar then it will work correctly. At
some point after SP2 (They were not sure exactly which patch causes it)
certificate chaining for PEAP stops working. Windows Vista follows the
chain fine, as do various non-Microsoft OSes I tried. I didn't have a
vanilla XP SP2 to test and wasn't sufficiently bothered to make one, as
we weren't going to advise our users to remove security patches.

The setup I have is, in eap.conf under the tls section, certificate_file
points to a file which actually contains both the server cert and the
intermediate cert. The server cert is at the top of the file, with the
intermediate cert below. Very simple to do this, just cat the contents
of the intermediate cert file to be appended to the server cert file
(make sure both are the same file type. I had an issue initially where
one was DOS and one was Unix, so I got a lot of metacharacter rubbish
when I cat-ed one into the other). Wireshark shows FreeRadius is passing
both certs, and anything that isn't XP SP2 works fine. For XP SP2 we had
to supply the intermediate cert on our website and ask our users to
install it from the wired network in the connect instructions for using
wireless (which is where we were using PEAP).

Dan
Post by CJ O
I am having an issue where FreeRadius is not handing the intermediate
CA to a windows WPA2 client. We are in the process of deploying
WPA2/AES with PEAP. So we purchased a certificate from a company that
has a Trusted Root CA in Windows, Mac OSX, and Linux. However, it was
signed with their intermediate CA, so the OS will not validate the
certificate during authentication.
The only solution seems to be installing the intermediate CA
certificate on all my clients (2,000-3,000). Is it possible to chain the
certificates together like you can in Apache?
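As an added example (not code from the thread or from the FreeRADIUS project) covering both Alan's point about putting the whole CA chain into certificate_file and Dan's notes on concatenation order and DOS line endings: a POSIX shell script that builds the chained server.pem leaf-first with Unix line endings, counts the certificates in the result, and, where openssl is installed, verifies that the leaf chains to the trusted root through the intermediates. The file names (server.crt, intermediate.crt, root.pem) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeRADIUS project.
# Assembles the chained certificate_file that the tls section of eap.conf
# expects when CA_file is not used: server (leaf) certificate first, then
# the intermediate CA(s) that signed it, all with Unix line endings.
# File names used below are assumptions for illustration.
set -eu

# Print a PEM file with DOS CR characters stripped and a guaranteed newline
# after the last line, so that concatenating several files never glues an
# END marker onto the next BEGIN marker.
pem_normalise() {
    awk '{ sub(/\r$/, ""); print }' "$1"
}

# build_chain_bundle server.crt intermediate.crt [next-intermediate.crt ...]
# Writes the bundle to stdout. Order matters: leaf first, then each issuer
# upward. The root is left out on purpose; the client must already trust it.
build_chain_bundle() {
    for f in "$@"; do
        pem_normalise "$f"
    done
}

# Number of certificates in a PEM bundle (0 if none, or the file is missing).
count_certs() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeeds only if the bundle contains no CR characters.
has_unix_line_endings() {
    ! grep -q "$(printf '\r')" "$1"
}

# verify_chain bundle.pem root.pem
# Splits the bundle into the leaf and the untrusted intermediates and asks
# openssl to build a path to the trusted root, i.e. what a well-behaved
# client does with the certificates it receives in the TLS handshake.
verify_chain() {
    bundle=$1
    root=$2
    tmp=$(mktemp -d)
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } n == 1' "$bundle" > "$tmp/leaf.pem"
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } n > 1' "$bundle" > "$tmp/intermediates.pem"
    rc=0
    if [ -s "$tmp/intermediates.pem" ]; then
        openssl verify -CAfile "$root" -untrusted "$tmp/intermediates.pem" "$tmp/leaf.pem" || rc=$?
    else
        openssl verify -CAfile "$root" "$tmp/leaf.pem" || rc=$?
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Usage: sh chain.sh server.crt intermediate.crt > /etc/raddb/certs/server.pem
if [ "$#" -ge 2 ]; then
    build_chain_bundle "$@"
fi
```

Point certificate_file in the tls section of eap.conf at the generated bundle. Running count_certs on it is a quick stand-in for the Wireshark check Dan describes: if it reports 1, the intermediate was never appended and the client will only ever see the leaf. verify_chain exercises the same path-building a client performs, so a failure there points at a wrong order or a missing intermediate rather than at the client.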
Alan DeKok
2009-05-12 09:01:21 UTC
Post by Meyers, Dan
I was having this exact same problem for a significant period of time
when I bought a new Verisign cert for our servers which was chained (the
old one being directly root signed, which Verisign no longer do). It
would appear to be a bug/security patch in XP sometime after SP2 that
causes this.
Ouch. That is evil.

I've updated raddb/certs/README with various rants about this.

Alan DeKok.
Johan Meiring
2009-05-14 13:20:11 UTC
Post by Alan DeKok
Post by Meyers, Dan
I was having this exact same problem for a significant period of time
when I bought a new Verisign cert for our servers which was chained (the
old one being directly root signed, which Verisign no longer do). It
would appear to be a bug/security patch in XP sometime after SP2 that
causes this.
Ouch. That is evil.
I've updated raddb/certs/README with various rants about this.
Alan DeKok.
Might be useful to add that the certificates we use (bought from
www.geotrust.com via opensrs) are directly root signed.
(Our web server certificates anyway - I assume the certificates
freeradius uses are the same kind)

Unsure whether you feel comfortable "advertising" anyone, but people
might want to know where to get a "directly signed" certificate.
--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
