PEAP-MSCHAPv2 replace snakeoil certificates


omahieu
Hello,

I'm configuring a FreeRadius Ubuntu server to replace a Windows NPS server.
The Domain Controller is the CA as well.

The server is part of the domain and MSCHAP is configured.

The "$ radtest -t mschap testuser testpassword 127.0.0.1 0 testing123" works as well.

Now, I want to replace the snakeoil certificate with a generated server certificate, signed by the Windows CA.

I generated freeradius.cer (signed by the Win CA) and freeradius.key, and placed them in the dirs below. I also added the Win root CA in /usr/local/share/ca-certificates.

[inline image attachment]

Following, when I change eap like below; even with absolute path instead of ${certdir}; I get freeradius failure.

[inline image attachment]


Systemctl restart freeradius: failure.
radtest -t fails as well...

Can someone point me in the right direction? Thanks!!!

Olivier


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Attachments: pastedImagebase640.png (17K), pastedImagebase641.png (9K)

Re: PEAP-MSCHAPv2 replace snakeoil certificates

Matthew Newton-3
On Fri, 2020-01-10 at 19:12 +0000, Olivier Mahieu wrote:
>
> Following, when I change eap like below; even with absolute path
> instead of ${certdir}; I get freeradius failure.

Failure in what way?

http://wiki.freeradius.org/list-help

--
Matthew



RE: PEAP-MSCHAPv2 replace snakeoil certificates

omahieu
Debugfile1: MSchap succeeds
Debugfile2: changed snakeoil key and pem file: failure.

Thanks


Attachments: debugfile2 (29K), debugfile1 (34K)

Re: PEAP-MSCHAPv2 replace snakeoil certificates

Alan DeKok-2


> On Jan 11, 2020, at 8:52 AM, Olivier Mahieu <[hidden email]> wrote:
>
> Debugfile1: MSchap succeeds
> Debugfile2: changed snakeoil key and pem file: failure.

  You didn't bother reading the debug output:

tls: Failed reading private key file "/etc/ssl/private/freeradius.key"
tls: error:0200100D:system library:fopen:Permission denied

  This message should be simple to understand.

  Alan DeKok.


RE: PEAP-MSCHAPv2 replace snakeoil certificates

omahieu
Yes, just found the issue. Had to chgrp the private key.

Thanks!
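
The "Permission denied" on the private key in this thread is a file-permission problem, so here is an added example (not part of any post above and not FreeRADIUS project code) that checks whether a service account can open a key file and whether the key is readable by everyone. It assumes GNU stat as shipped on Ubuntu and takes the account name as an argument; "freerad" in the usage note is an assumed account name, not one given in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Run as root so stat can see the key.
# Assumptions: GNU stat (Ubuntu); the service account is passed as $1.

# perm_allows MODE OWNER GROUP USER "USER_GROUPS" NEED
# Unix class rule: owner bits if USER owns the object, else group bits if
# USER is in GROUP, else other bits. NEED: 4 = read, 1 = search a directory.
perm_allows() {
    m=$((0$1))                      # stat prints the mode in octal
    if [ "$4" = "$2" ]; then
        bits=$(( (m >> 6) & 7 ))
    else
        case " $5 " in
            *" $3 "*) bits=$(( (m >> 3) & 7 )) ;;
            *)        bits=$(( m & 7 )) ;;
        esac
    fi
    [ $(( bits & $6 )) -ne 0 ]
}

# world_readable MODE: true when the "other" class has the read bit.
world_readable() { [ $(( 0$1 & 4 )) -ne 0 ]; }

# audit_key USER KEYFILE: 0 = USER can open the key and it is not exposed.
audit_key() {
    user=$1; key=$2; dir=$(dirname "$key"); rc=0
    ugroups=$(id -nG "$user") || return 2
    kstat=$(stat -c '%a %U %G' "$key") || return 2
    dstat=$(stat -c '%a %U %G' "$dir") || return 2
    # Unquoted on purpose: each stat result splits into MODE OWNER GROUP.
    perm_allows $kstat "$user" "$ugroups" 4 ||
        { echo "FAIL: $user cannot read $key ($kstat)"; rc=1; }
    perm_allows $dstat "$user" "$ugroups" 1 ||
        { echo "FAIL: $user cannot traverse $dir ($dstat)"; rc=1; }
    if world_readable "${kstat%% *}"; then
        echo "FAIL: $key is world-readable ($kstat)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $key ($kstat), $dir ($dstat)"
    return "$rc"
}

if [ "$#" -eq 2 ]; then audit_key "$1" "$2"; fi
```

Saved under a name of your choice, it is run as root with the account and key path as arguments, for example: freerad /etc/ssl/private/freeradius.key. Only the key's immediate parent directory is checked, not every component of the path.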
