TLS certificates

serverAuth (1.3.6.1.5.5.7.3.1) — TLS Web server authentication <= our certificate

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1 <= what MS requires
  • https://msdn.microsoft.com/en-us/library/cc731363.aspx

    • The Subject name contains a value. => ok
    • The computer certificate [is valid] => ok (I even chained the intermediate and the CA, just in case)
    • The computer certificate for the NPS server or VPN server is configured with the Server Authentication purpose in Extended Key Usage (EKU) extensions. (The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1) => ok
    • The server certificate is configured with a required algorithm value of RSA. => ok
    • The Subject Alternative Name (SubjectAltName) extension, if used, must contain the DNS name of the server. => ?? I don't understand: the supplicant never knows the server's name, so how can it compare?

https://2.bp.blogspot.com/-jnB3G_rjFgk/UBiepn7rM0I/AAAAAAAADNs/gC2Ju8CyPsM/s1600/PEAP+Ladder+Diagram.png

! https://serverfault.com/questions/318851/third-party-wildcard-certificates-for-use-with-microsoft-nps-radius-peap

http://wiki.cacert.org/FAQ/subjectAltName :
According to the standards commonName will be ignored if you supply a subjectAltName in the certificates, verified to be working in both the latest version of MS IE and Firefox (as of 2005/05/12)...

https://code.google.com/p/android/issues/detail?id=37178 :
In general, this value is set to the DNS name of the RADIUS server presenting the certificate to the end device supplicant. Matching is usually done with a static, or wildcard version of the address. (Such as radius.foo.com, or *.foo.com)

Having this setting available is critical for situations where commercial CA certificates are used with the authentication. When doing SSL/TLS over IP, a client can easily resolve the DNS name of the server and match that to the certificate to be sure that the device presenting the certificate has the same DNS name as the value set in the certificate. With 802.1X authentications the client doesn't have IP connectivity, so the only way to validate this is for the user to tell the supplicant what value is expected.

Eduroam:

http://wiki.freeradius.org/guide/Certificate-Compatibility :
Windows does not support wildcard certificates
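The checklist above, the SAN-matching rule quoted from the Android issue (the user tells the supplicant which name to expect, and that name is compared against the certificate's DNS names, with or without wildcards) and the FreeRADIUS wiki note on Windows and wildcards can all be exercised on the `openssl x509 -text -noout` output that is pasted further down this page. The script below is an added example, not code from this page, from FreeRADIUS or from Microsoft. It parses that text format, evaluates the four checks that such a dump can answer, and emulates the supplicant's name match. The sample dumps are constructed from the excerpts on this page: the SAN list is abridged, the "Public Key Algorithm" line and the first certificate's EKU line are assumed (the page does not show them), the expected server name `radius.resel.fr` is hypothetical, and "Windows supplicant" is modelled purely as "no wildcard matching", which is what the wiki sentence above states.

```python
import re

# OpenSSL prints OID 1.3.6.1.5.5.7.3.1 (serverAuth) under this label in `x509 -text`
SERVER_AUTH_LABEL = "TLS Web Server Authentication"

# Constructed inputs modelled on the `openssl x509 -text -noout` excerpts quoted on this
# page. SAN list abridged; the "Public Key Algorithm" line and the first certificate's
# EKU line are assumptions (not shown on the page).
CERT_WILDCARD = """\
        Subject: C=FR, ST=Bretagne, L=Brest, CN=*.resel.fr/emailAddress=webmaster@resel.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:*.resel.fr, DNS:resel.fr, DNS:asso.resel.fr, DNS:brest.resel.fr, DNS:*.brest.resel.fr
"""

CERT_NAMED = """\
        Subject: OU=Domain Control Validated, CN=radius.telecom-bretagne.eu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
"""


def parse_x509_text(text):
    """Extract the fields the NPS checklist needs from an `openssl x509 -text -noout` dump."""
    info = {"subject": "", "cn": "", "pubkey_alg": "", "eku": [], "san_dns": []}
    m = re.search(r"^\s*Subject:\s*(.*)$", text, re.M)   # "Subject:" only, not "Subject Public Key Info:"
    if m:
        info["subject"] = m.group(1).strip()
        cn = re.search(r"CN=([^,/]+)", info["subject"])
        info["cn"] = cn.group(1).strip() if cn else ""
    m = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    if m:
        info["pubkey_alg"] = m.group(1)
    # Both extensions are printed as a header line followed by one comma-separated line.
    m = re.search(r"X509v3 Extended Key Usage:[^\n]*\n\s*([^\n]+)", text)
    if m:
        info["eku"] = [e.strip() for e in m.group(1).split(",")]
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    if m:
        entries = [e.strip() for e in m.group(1).split(",")]
        info["san_dns"] = [e[len("DNS:"):] for e in entries if e.startswith("DNS:")]
    return info


def hostname_matches(expected, names, allow_wildcard=True):
    """Compare the name the user typed into the supplicant with the certificate's DNS names.

    Wildcard rule: `*.resel.fr` covers `radius.resel.fr` but neither `resel.fr` nor
    `a.b.resel.fr`. A supplicant without wildcard support (the wiki says Windows is one)
    is modelled with allow_wildcard=False: only an exact SAN entry then matches."""
    expected = expected.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == expected:
            return True
        if allow_wildcard and name.startswith("*."):
            suffix = name[1:]                                   # ".resel.fr"
            left = expected[:-len(suffix)] if expected.endswith(suffix) else None
            if left and "." not in left:                        # exactly one label replaced
                return True
    return False


def check_nps_requirements(text, expected_name, windows_supplicant=False):
    """Evaluate the four checklist items that a text dump can answer."""
    info = parse_x509_text(text)
    # As the CAcert note above says: when a SAN is present the CN is ignored.
    names = info["san_dns"] or ([info["cn"]] if info["cn"] else [])
    return {
        "subject_present": bool(info["subject"]),
        "eku_server_auth": SERVER_AUTH_LABEL in info["eku"],
        "rsa_key": info["pubkey_alg"] == "rsaEncryption",
        "name_matches": hostname_matches(expected_name, names, allow_wildcard=not windows_supplicant),
    }


if __name__ == "__main__":
    # radius.resel.fr is a hypothetical server name, chosen to fall under *.resel.fr
    for label, text, name in (("wildcard", CERT_WILDCARD, "radius.resel.fr"),
                              ("named", CERT_NAMED, "radius.telecom-bretagne.eu")):
        for win in (False, True):
            print(label, "windows" if win else "generic", check_nps_requirements(text, name, win))
```

Run as-is, the wildcard certificate passes every check with a wildcard-aware supplicant and fails only the name match once wildcards are disabled, which is the symptom the serverfault thread above is about; the certificate with a plain `CN=radius.telecom-bretagne.eu` passes in both modes. The script checks only what `openssl x509 -text` shows; chain validity (the second checklist item) still has to be verified with `openssl verify`.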

Traces

Alexandre L., [20.10.15 20:18]
Tue Oct 20 20:16:41 2015 : Error: TLS Alert read:fatal:access denied
Tue Oct 20 20:16:41 2015 : Auth: Login incorrect (TLS Alert read:fatal:access denied): [hcognet/<via Auth-Type = EAP>] (from client borneswifi-brest port 0 cli 60-36-DD-87-AC-A3)

Hervé C., [20.10.15 20:21]
and now?

Alexandre L., [20.10.15 20:22]
http://lists.freeradius.org/pipermail/freeradius-users/2007-April/017460.html / http://lists.freeradius.org/pipermail/freeradius-users/2007-April/017461.html / http://www.linuxjournal.com/article/8095

Alexandre L., [20.10.15 20:22]
Tue Oct 20 20:21:07 2015 : Error: TLS Alert read:fatal:access denied
Tue Oct 20 20:21:07 2015 : Auth: Login incorrect (TLS Alert read:fatal:access denied): [hcognet/<via Auth-Type = EAP>] (from client borneswifi-brest port 0 cli 60-36-DD-87-AC-A3)

Hervé C., [20.10.15 20:23]
you just got a success, I think! 😉

Alexandre L., [20.10.15 20:24]
Tue Oct 20 20:22:48 2015 : Auth: Login OK: [hcognet] (from client borneswifi-brest port 0 via TLS tunnel)
Tue Oct 20 20:22:48 2015 : Auth: Login OK: [hcognet] (from client borneswifi-brest port 0 cli 60-36-DD-87-AC-A3)

       Subject: C=FR, ST=Bretagne, L=Brest, O=\x00A\x00s\x00s\x00o\x00c\x00i\x00a\x00t\x00i\x00o\x00n\x00  \x1D\x00R\x00E\x00S\x00E\x00L \x1D, CN=*.resel.fr/emailAddress=webmaster@resel.fr
                 DNS:*.resel.fr, DNS:resel.fr, DNS:asso.resel.fr, DNS:club.resel.fr, DNS:clubs.resel.fr, DNS:campagne.resel.fr, DNS:resel.eu, DNS:resel.org, DNS:*.resel.org, DNS:*.resel.eu, DNS:*.asso.resel.fr, DNS:*.club.resel.fr, DNS:*.clubs.resel.fr, DNS:*.campagne.resel.fr, DNS:admin.resel.fr, DNS:*.admin.resel.fr, DNS:dev.resel.fr, DNS:*.dev.resel.fr, DNS:rennes.resel.fr, DNS:brest.resel.fr, DNS:nantes.resel.fr, DNS:*.rennes.resel.fr, DNS:*.brest.resel.fr, DNS:*.nantes.resel.fr, DNS:services.resel.fr, DNS:*.services.resel.fr

Alexandre L., [20.10.15 21:28]
—  Subject: ...  CN=*.resel.fr/emailAddress=webmaster@resel.fr
—  X509v3 Subject Alternative Name:
                DNS:*.resel.fr, DNS:resel.fr, DNS:asso.resel.fr, DNS:club.resel.fr, DNS:clubs.resel.fr, DNS:campagne.resel.fr, DNS:resel.eu, DNS:resel.org, DNS:*.resel.org, DNS:*.resel.eu, DNS:*.asso.resel.fr, DNS:*.club.resel.fr, DNS:*.clubs.resel.fr, DNS:*.campagne.resel.fr, DNS:admin.resel.fr, DNS:*.admin.resel.fr, DNS:dev.resel.fr, DNS:*.dev.resel.fr, DNS:rennes.resel.fr, DNS:brest.resel.fr, DNS:nantes.resel.fr, DNS:*.rennes.resel.fr, DNS:*.brest.resel.fr, DNS:*.nantes.resel.fr, DNS:services.resel.fr, DNS:*.services.resel.fr

Alexandre L., [20.10.15 21:30]
Subject: OU=Domain Control Validated, CN=radius.telecom-bretagne.eu
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication



Useful resources

Related articles

TODO

TODO (editor)

  • All of this information needs to be organised...