I am trying to install a FreeRADIUS server on my Debian 9 machine. I succeeded in installing it with apt. I also succeeded in running it: it accepts a user and password and rejects the connection if you don't present a good user and password.
But I need to implement certificate validation. I followed the official documentation: https://wiki.freeradius.org/guide/WPA%20HOWTO
cd /etc/freeradius/3.0/certs/
make
It generated some certificates, and I changed /etc/freeradius/3.0/mods-enabled/eap:
tls-config tls-common {
private_key_password = whatever
private_key_file = /etc/freeradius/3.0/certs/server.key
# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
#
# If ca_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
certificate_file = /etc/freeradius/3.0/certs/server.pem
# Trusted Root CA list
#
# ALL of the CA's in this list will be trusted
# to issue client certificates for authentication.
#
# In general, you should use self-signed
# certificates for 802.1x (EAP) authentication.
# In that case, this CA file should contain
# *one* CA certificate.
#
ca_file = /etc/freeradius/3.0/certs/ca.pem
Then I configured the user file and client.conf as mentioned in the official documentation. I installed ca.pem on the client as shown in the picture.
Now:
- if the client presents a false certificate, the connection is rejected
- if the client presents a good certificate, the connection is accepted
- but if the client doesn't present a certificate, the connection is also accepted
And I would like to configure FreeRADIUS to reject the connection when the client doesn't present a valid certificate.
I have also tried to uncomment, in mods-enabled/eap
# require_client_cert = yes
But then FreeRADIUS doesn't accept connections anymore.
Here is the log I get when I try with this parameter:
(5) eap_ttls: Authenticate
(5) eap_ttls: Continuing EAP-TLS
(5) eap_ttls: [eaptls verify] = ok
(5) eap_ttls: Done initial handshake
(5) eap_ttls: TLS_accept: SSLv3/TLS write server done
(5) eap_ttls: <<< recv TLS 1.2 [length 0007]
(5) eap_ttls: >>> send TLS 1.2 [length 0002]
(5) eap_ttls: ERROR: TLS Alert write:fatal:handshake failure
tls: TLS_accept: Error in error
(5) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
(5) eap_ttls: ERROR: System call (I/O) error (-1)
(5) eap_ttls: ERROR: TLS receive handshake failed during operation
(5) eap_ttls: ERROR: [eaptls process] = fail
(5) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
(5) eap: Sending EAP Failure (code 4) ID 5 length 4
(5) eap: Failed in EAP select
(5) [eap] = invalid
(5) } # authenticate = invalid
(5) Failed to authenticate the user
So my question is: how do I force FreeRADIUS to check that the certificate is present and is the good one?
I have tried for several days, so if anyone has already installed a FreeRADIUS server and is willing to help me, it would be great.
Thanks
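The debug log in the question shows the inner TLS handshake being torn down with "peer did not return a certificate" once require_client_cert is enabled. As an added example that is not part of the original post, here is a small Python parser that groups FreeRADIUS debug output by request number, records the EAP method and outcome per request, and flags the requests rejected for a missing client certificate; the sample log is constructed from the lines in the post plus one constructed successful EAP-TLS request for contrast, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: request (5) is taken from the post; request (6) is a
# made-up successful EAP-TLS request added for contrast.
SAMPLE_LOG = """\
(5) eap_ttls: Authenticate
(5) eap_ttls: Continuing EAP-TLS
(5) eap_ttls: TLS_accept: SSLv3/TLS write server done
(5) eap_ttls: ERROR: TLS Alert write:fatal:handshake failure
(5) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
(5) eap: Sending EAP Failure (code 4) ID 5 length 4
(5) Failed to authenticate the user
(6) eap_tls: Authenticate
(6) eap_tls: [eaptls verify] = ok
(6) eap: Sending EAP Success (code 3) ID 9 length 4
"""

# "(N) module: message" -- the module prefix is optional (e.g. "(5) [eap] = invalid").
LINE_RE = re.compile(r"^\((\d+)\)\s+(?:(eap_tls|eap_ttls|eap_peap|eap):\s+)?(.*)$")
# OpenSSL error strings embedded in FreeRADIUS TLS errors.
OPENSSL_ERR_RE = re.compile(r"error:([0-9A-F]+):SSL routines:([^:]+):(.*)$")

def summarize_requests(text):
    """Return {request_id: {"method", "result", "reason"}} for each (N) seen."""
    reqs = defaultdict(lambda: {"method": None, "result": "unknown", "reason": None})
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # lines without a "(N)" prefix are not attributable to a request
        rid, module, msg = m.groups()
        r = reqs[rid]
        if module and module != "eap":
            r["method"] = module  # outer EAP method handling the request
        if "Sending EAP Success" in msg:
            r["result"] = "accept"
        elif "Sending EAP Failure" in msg:
            r["result"] = "reject"
        err = OPENSSL_ERR_RE.search(msg)
        if err and r["reason"] is None:
            r["reason"] = err.group(3).strip()  # keep the first TLS failure reason
    return dict(reqs)

def requests_missing_client_cert(text):
    """Request ids rejected because the peer sent no certificate."""
    return sorted(rid for rid, r in summarize_requests(text).items()
                  if r["reason"] == "peer did not return a certificate")
```

Pointing this at a real `freeradius -X` capture makes it easy to see which requests fail for want of a client certificate and which EAP method (eap_tls vs eap_ttls) they came in on.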