Freeradius, SQL, Certs and Newbie


Freeradius, SQL, Certs and Newbie

Daniel Zirkin
Good evening all.  Perhaps I'm going overboard... I have two WAPs covering 3.5 acres.  I'd rather not have neighbors/ne'er-do-wells accessing our network.  I've set up a separate network for outside secured with Freeradius.

I have Freeradius 3.0.19 up and running on Fedora 30.  I am using Mariadb for account information.  All is well.

I've come to realize that plaintext authentication even with WPA3/2ent isn't all that secure.  Also, I'm trying to get a few IOT devices to connect.  Phones and laptops all work well.

I thought perhaps adding client certs into the mix would tighten things up.

I've created them and I think configured things correctly.

eapol_test -a127.0.0.1 -p1812 -s ******* -c /root/Documents/eapol_test-eaptls.conf

gives me:

MPPE keys OK: 1  mismatch: 0
SUCCESS

So now I can connect with certs or with a plaintext user/pass from sql.  I can't seem to get it to require a cert then check the database for account info.

What am I missing?

Thanks

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius, SQL, Certs and Newbie

Alan DeKok-2
On Oct 1, 2019, at 10:21 PM, Daniel Zirkin <[hidden email]> wrote:
>
> Good evening all.  Perhaps I'm going overboard... I have two WAPs covering 3.5 acres.  I'd rather not have neighbors/ne'er-do-wells accessing our network.  I've set up a separate network for outside secured with Freeradius.
>
> I have Freeradius 3.0.19 up and running on Fedora 30.  I am using Mariadb for account information.  All is well.

  That's good.

> I've come to realize that plaintext authentication even with WPA3/2ent isn't all that secure.  Also, I'm trying to get a few IOT devices to connect.  Phones and laptops all work well.
>
> I thought perhaps adding client certs into the mix would tighten things up.

  That should be fine.

> I've created them and I think configured things correctly.
>
> eapol_test -a127.0.0.1 -p1812 -s ******* -c /root/Documents/eapol_test-eaptls.conf
>
> gives me:
>
> MPPE keys OK: 1  mismatch: 0
> SUCCESS
>
> So now I can connect with certs or with a plaintext user/pass from sql.  I can't seem to get it to require a cert then check the database for account info.

  What did you tell it to do?

> What am I missing?

  We have no idea what you did, so we can't give much in the way of advice.

  Normally if you configure EAP-TLS with client certs, then anyone with a valid client cert is allowed access.  What "account info" are you looking for in the DB?  Passwords?  If so, EAP-TLS doesn't use passwords.

  Alan DeKok.


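Since in EAP-TLS the certificate alone decides access, the place to consult the database is during certificate validation, not as a second password step. The following is an added example, not from the thread and not FreeRADIUS's shipped configuration: in FreeRADIUS 3.0.x the tls section of mods-available/eap can hand each client certificate to the check-eap-tls virtual server, and that server's authorize section looks the certificate's CN up in SQL and fails the handshake for unknown or revoked devices. The table device_certs and its columns are constructed for the example.

```unlang
# mods-available/eap, inside "tls-config tls-common { ... }":
#   virtual_server = check-eap-tls
#
# sites-available/check-eap-tls (link it into sites-enabled/).
# FreeRADIUS runs this server's "authorize" section while verifying
# the client certificate, with the TLS-Client-Cert-* attributes
# already populated. Returning "reject" here fails the TLS handshake,
# so a chain that is valid but not enrolled never gets network access.
server check-eap-tls {
    authorize {
        # device_certs is a constructed table with one row per enrolled
        # device: cn (the certificate CN) and revoked (0 or 1).
        # The sql module applies its SQL escape function to the nested
        # %{TLS-Client-Cert-Common-Name} expansion before the query runs.
        update request {
            &Tmp-String-0 := "%{sql:SELECT COUNT(*) FROM device_certs WHERE cn = '%{TLS-Client-Cert-Common-Name}' AND revoked = 0}"
        }

        if (&Tmp-String-0 != "1") {
            # Unknown CN, revoked device, or the SQL lookup failed:
            # treat all three the same and deny.
            reject
        }

        # Exactly one enrolled, unrevoked row: let the handshake proceed.
        ok
    }
}
```

This keeps the two roles separate, as Alan describes: TLS proves possession of a key matching a certificate the CA signed, and the database only says whether that certificate identity is still allowed on the network.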

Re: Freeradius, SQL, Certs and Newbie

Daniel Zirkin

>Normally if you configure EAP-TLS with client certs, then anyone with a
>valid client cert is allowed access.  What "account info" are you
>looking for in the DB?  Passwords?  If so, EAP-TLS doesn't use
>passwords.

Thanks. For some reason I figured the certs would be used to "handshake" and then the username/password would be checked.  I didn't realize they were separate authentication routes.

Thanks for the clarification.

Daniel

