
I am trying to install a FreeRADIUS server on my Debian 9 machine. I succeeded in installing it with apt. I also succeeded in running it, and it accepts a username and password and rejects the connection if you don't present a good username and password.

But I need to implement certificate validation. I followed the official documentation: https://wiki.freeradius.org/guide/WPA%20HOWTO

cd /etc/freeradius/3.0/certs/
make

It generated some certificates, and I have changed /etc/freeradius/3.0/mods-enabled/eap:

tls-config tls-common {
        private_key_password = whatever
        private_key_file = /etc/freeradius/3.0/certs/server.key

        #  If Private key & Certificate are located in
        #  the same file, then private_key_file &
        #  certificate_file must contain the same file
        #  name.
        #
        #  If ca_file (below) is not used, then the
        #  certificate_file below MUST include not
        #  only the server certificate, but ALSO all
        #  of the CA certificates used to sign the
        #  server certificate.
        certificate_file = /etc/freeradius/3.0/certs/server.pem

        #  Trusted Root CA list
        #
        #  ALL of the CA's in this list will be trusted
        #  to issue client certificates for authentication.
        #
        #  In general, you should use self-signed
        #  certificates for 802.1x (EAP) authentication.
        #  In that case, this CA file should contain
        #  *one* CA certificate.
        #
        ca_file = /etc/freeradius/3.0/certs/ca.pem

Then I have configured the user file and client.conf as mentioned in the official documentation. I have installed ca.pem on the client as shown in the picture.

[image: config Exemple]

Now:

  • if the client presents a false certificate, the connection is rejected
  • if the client presents a good certificate, the connection is accepted
  • but if the client doesn't present a certificate, the connection is also accepted

And I would like to configure FreeRADIUS to reject the connection when the client doesn't present a valid certificate.

I have also tried to uncomment, in mods-enabled/eap:

#       require_client_cert = yes

But then freeradius doesn't accept connections anymore.

Here is the log I get when I try with this parameter:

(5) eap_ttls: Authenticate
(5) eap_ttls: Continuing EAP-TLS
(5) eap_ttls: [eaptls verify] = ok
(5) eap_ttls: Done initial handshake
(5) eap_ttls: TLS_accept: SSLv3/TLS write server done
(5) eap_ttls: <<< recv TLS 1.2  [length 0007] 
(5) eap_ttls: >>> send TLS 1.2  [length 0002] 
(5) eap_ttls: ERROR: TLS Alert write:fatal:handshake failure
tls: TLS_accept: Error in error
(5) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
(5) eap_ttls: ERROR: System call (I/O) error (-1)
(5) eap_ttls: ERROR: TLS receive handshake failed during operation
(5) eap_ttls: ERROR: [eaptls process] = fail
(5) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module failed
(5) eap: Sending EAP Failure (code 4) ID 5 length 4
(5) eap: Failed in EAP select
(5)     [eap] = invalid
(5)   } # authenticate = invalid
(5) Failed to authenticate the user

So my question is: how do I force FreeRADIUS to check that the certificate is present and is the good one?

I have tried for several days. So if anyone has already installed a FreeRADIUS server and is willing to help me, it would be great.

Thanks

arnaud
  • What do the logs say when you've enabled `require_client_cert` and a user connects with a good certificate and the connection fails? – Jenny D Sep 06 '17 at 13:55

1 Answer

Yes, I found a way.

I have to enable EAP-TLS.

Then you have to give a CA certificate and a user certificate.

The CA certificate is here only to secure the connection, not for identification. The fact is the client may not have the CA certificate and it will still work.

This is when the user certificate comes to help. You can use it to identify the user.

In the file

mods-enabled/eap

you can implement a custom verification, so you can implement your own script. And you can use the

%{TLS-Client-Cert-Filename}

variable to get the user certificate.

So then you give it to your script and do the verification on your own. You can use:

openssl verify 

to do that, or anything else. My script is:

/etc/freeradius/3.0/scripts/log.sh

It exits 0 on success and 1 on failure, and thus allows or denies access to the user.

Here is my mods-enabled/eap configuration file for those who may need it:

verify {
        #  If the OCSP checks succeed, the verify section
        #  is run to allow additional checks.
        #
        #  If you want to skip verify on OCSP success,
        #  uncomment this configuration item, and set it
        #  to "yes".
        #skip_if_ocsp_ok = no

        #  A temporary directory where the client
        #  certificates are stored.  This directory
        #  MUST be owned by the UID of the server,
        #  and MUST not be accessible by any other
        #  users.  When the server starts, it will do
        #  "chmod go-rwx" on the directory, for
        #  security reasons.  The directory MUST
        #  exist when the server starts.
        #
        #  You should also delete all of the files
        #  in the directory when the server starts.
        tmpdir = /tmp/radiusd

        #  The command used to verify the client cert.
        #  We recommend using the OpenSSL command-line
        #  tool.
        #
        #  The ${..ca_path} text is a reference to
        #  the ca_path variable defined above.
        #
        #  The %{TLS-Client-Cert-Filename} is the name
        #  of the temporary file containing the cert
        #  in PEM format.  This file is automatically
        #  deleted by the server when the command
        #  returns.
        client = "/bin/bash /etc/freeradius/3.0/scripts/log.sh %{TLS-Client-Cert-Filename} %{Client-IP-Address}"
}

The client part is the important one.

arnaud
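For readers who want to see what such a `client = ...` verify script can look like, here is an added example (my own, not the answerer's log.sh). It does what the answer suggests, running `openssl verify` against the RADIUS CA, and additionally pins the certificate's subject CN to an allow-list so that "any certificate from the CA" is not enough. The paths `/etc/freeradius/3.0/certs/ca.pem`, `allowed_cns.txt` and the log file location are assumptions; the two arguments are the `%{TLS-Client-Cert-Filename}` and `%{Client-IP-Address}` expansions from the configuration above.

```shell
#!/bin/bash
# Constructed example of a FreeRADIUS verify-hook script for
#   verify { client = "/bin/bash .../verify_client_cert.sh %{TLS-Client-Cert-Filename} %{Client-IP-Address}" }
# Exit 0 = accept the client certificate, non-zero = reject.
# All paths are assumptions; override them through the environment if they differ.
CA_FILE="${CA_FILE:-/etc/freeradius/3.0/certs/ca.pem}"          # trusted issuer(s) only, never the system store
ALLOWED_CN_FILE="${ALLOWED_CN_FILE:-/etc/freeradius/3.0/certs/allowed_cns.txt}"  # one subject CN per line
LOG_FILE="${LOG_FILE:-/var/log/freeradius/client-cert-verify.log}"

log() {
    # Logging must never change the decision, hence the trailing "|| true".
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$LOG_FILE" 2>/dev/null || true
}

# verify_client_cert <pem-file> <nas-ip>
# Accepts only if a non-empty PEM file was handed over, it chains to CA_FILE and is
# inside its validity period, its purpose allows TLS client authentication, and
# (when the allow-list file exists) its subject CN is listed there.
verify_client_cert() {
    cert="$1"; nas_ip="${2:-unknown}"
    # An empty or missing file means no usable certificate: reject.
    if [ -z "$cert" ] || [ ! -s "$cert" ]; then
        log "REJECT nas=$nas_ip reason=no-client-certificate"
        return 1
    fi
    # Chain and validity check against the RADIUS CA only; -purpose also rejects
    # certificates whose extendedKeyUsage excludes TLS client authentication.
    if ! openssl verify -CAfile "$CA_FILE" -purpose sslclient "$cert" >/dev/null 2>&1; then
        log "REJECT nas=$nas_ip reason=chain-or-validity file=$cert"
        return 1
    fi
    # Identity check: the subject CN (RFC 2253 form) must be on the allow-list, if one exists.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ -f "$ALLOWED_CN_FILE" ] && ! grep -qxF -- "$cn" "$ALLOWED_CN_FILE"; then
        log "REJECT nas=$nas_ip reason=cn-not-allowed cn=$cn"
        return 1
    fi
    log "ACCEPT nas=$nas_ip cn=$cn"
    return 0
}

# When invoked as the script itself (not sourced), FreeRADIUS passes the two
# %{...} expansions as $1 and $2, and the exit status becomes the verify result.
case "$0" in
    *verify_client_cert.sh) verify_client_cert "$@" ;;
esac
```

Each rejection is logged with a reason, so a "peer did not return a certificate"-style failure and a "wrong user" failure can be told apart in the server's own log rather than only in radiusd -X output.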