Matt's Musings

September 22, 2006

Requiring client certificates for EAP-TTLS with FreeRadius

Filed under: Linux — matt @ 3:07 pm NZST

For the project that I’m dealing with at work I wanted to be able to authenticate devices in a two-stage process. Stage 1 should authenticate the device to the network (via an X.509 certificate) and then Stage 2 should authenticate the user who possesses the device with a username and password.

Unfortunately none of the EAP methods shipped by default with FreeRadius support this sort of configuration out of the box.

  • EAP-TLS supports mutual certificate authentication between the server and the client, but it has no tunnel in which to carry a second stage, so there is nowhere to verify a username and password afterwards.
  • EAP-TTLS and EAP-PEAP both support mutual certificate authentication between the server and the client followed by a second-stage password check inside the tunnel; however the current FreeRadius implementation doesn’t let you require a client certificate. If the client presents one it is verified, but a client that presents none is let straight through to the inner authentication, which is not ideal for my circumstances.
  • The remaining EAP methods (EAP-MD5, for example) don’t use certificates at all, so they’re not even an option.

A quick skim through the FreeRadius source code revealed that it wouldn’t be too hard to add support for requiring client certificates with EAP-TTLS and EAP-PEAP. The patch adds a new configuration option, require_client_cert, to the tls section of eap.conf; when it is set to yes the client must present a certificate before authentication can succeed, and a client that offers none is rejected at the TLS stage instead of being passed on to the inner method. Note that the option only insists that some certificate acceptable under CA_file be presented; it does not by itself tie the inner username to the device certificate, so CA_file should contain only the CA that issues device certificates. The example eap.conf below shows the option in use.

Example eap.conf

eap {
        default_eap_type = ttls
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no

        md5 {
        }
        tls {
                private_key_file = ${raddbdir}/certs/radius.key
                certificate_file = ${raddbdir}/certs/radius.pem
                CA_file = ${raddbdir}/certs/cacert.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random

                # This is the new option
                # If set to no, or missing, client certificates are
                # not required for EAP-TTLS or EAP-PEAP
                require_client_cert = yes
        }
        ttls {
                default_eap_type = md5
        }
}
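The difference the option makes is the difference between a TLS server that verifies a client certificate if one happens to be offered and one that refuses to complete the handshake without one. The following is an added example, not code from the post or from FreeRadius: it uses Go’s crypto/tls, whose ClientAuth policies VerifyClientCertIfGiven and RequireAndVerifyClientCert correspond to the stock behaviour and to require_client_cert = yes respectively (FreeRadius itself is built on OpenSSL, where the same distinction is SSL_VERIFY_PEER with or without SSL_VERIFY_FAIL_IF_NO_PEER_CERT; the patch is not reproduced on this page). The CA, server and device certificates, the names radius.example and device-0001, and the loopback listener are all constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Throw-away PKI generated in memory at start-up (constructed for this example):
// a device CA (the cacert.pem role), a server cert (radius.pem) and one device cert.
var (
	devicePool             *x509.CertPool
	serverCert, deviceCert tls.Certificate
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a P-256 certificate for cn: a self-signed CA when parent is nil,
// otherwise a leaf with the given extended key usage, signed by parent.
func issue(cn string, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func init() {
	ca, caKey := issue("device-ca", nil, nil, nil)
	devicePool = x509.NewCertPool()
	devicePool.AddCert(ca)
	srv, srvKey := issue("radius.example", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey)
	dev, devKey := issue("device-0001", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca, caKey)
	serverCert = tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}
	deviceCert = tls.Certificate{Certificate: [][]byte{dev.Raw}, PrivateKey: devKey}
}

// Accepts runs one TLS handshake over loopback against a server applying the given
// client-certificate policy, the client offering the device certificate only if
// withDevice is set, and returns the server's verdict (true = handshake completed,
// else false plus the server-side error). The server's view is the one that counts:
// a TLS 1.3 client can consider the handshake done before the server rejects it.
func Accepts(policy tls.ClientAuthType, withDevice bool) (bool, error) {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientCAs:    devicePool, // the CA_file analogue
		ClientAuth:   policy,     // what require_client_cert decides
	}
	verdict := make(chan error, 1)
	go func() {
		conn := must(ln.Accept()) // only fails if the listener is closed first
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second)) // never let the demo hang
		verdict <- tls.Server(conn, srvCfg).Handshake()
	}()
	cliCfg := &tls.Config{RootCAs: devicePool, ServerName: "radius.example"}
	if withDevice {
		cliCfg.Certificates = []tls.Certificate{deviceCert}
	}
	raw := must(net.Dial("tcp", ln.Addr().String()))
	defer raw.Close()
	_ = tls.Client(raw, cliCfg).Handshake() // a client-side failure shows up in the server's verdict too
	err := <-verdict
	return err == nil, err
}

func main() {
	for _, policy := range []tls.ClientAuthType{tls.VerifyClientCertIfGiven, tls.RequireAndVerifyClientCert} {
		for _, withDevice := range []bool{false, true} {
			ok, err := Accepts(policy, withDevice)
			fmt.Printf("%-27v device cert offered=%-5v accepted=%-5v %v\n", policy, withDevice, ok, err)
		}
	}
}
```

Running it prints four rows; only the RequireAndVerifyClientCert row with no device certificate is rejected, with the server reporting that the client didn’t provide a certificate. Under VerifyClientCertIfGiven the same certificate-less client is accepted, which is exactly the stock behaviour the post complains about. The verdict is taken from the server side deliberately: a supplicant can see its own handshake complete and still be turned away once the server processes its empty Certificate message.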

2 Comments

  1. Hey Matt,

    You should submit this patch to Freeradius’s bug tracking system here : http://bugs.freeradius.org/

    It would make it easier for developers and other users to find out about your patch and this feature.

    Comment by Florian — September 23, 2006 @ 5:51 am
