|
| 1 | += EAP Certificates |
| 2 | + |
| 3 | +EAP servers performing TLS-based authentication methods will have one or more |
| 4 | +certificates configured. There are two distinct purposes for these certificates: |
| 5 | + |
| 6 | + * Server certificates are presented to connecting devices for them to validate their trust of the server. |
| 7 | + * Trusted CA certificates are used to validate trust of certificates presented by end devices. |
| 8 | + |
| 9 | +FreeRADIUS uses OpenSSL to handle SSL operations. Some of its behavior depends on the version of the OpenSSL libraries it uses and how the global system configuration for OpenSSL is set up. |
| 10 | + |
| 11 | +When upgrading the operating system and OpenSSL libraries it's crucial to understand any version-specific differences relevant to the functionality of the RADIUS service. Some default behaviours that may change include: |
| 12 | + |
| 13 | + * The accepted list of protocols, ciphers and key sizes. |
| 14 | + * The method by which chains are built when validating certificates. |
| 15 | + * Required properties of certificates in a chain for an end entity certificate to be verified. |
| 16 | + * The TLS record format that is generated or accepted for on the wire transmission. |
| 17 | + |
| 18 | +== Server certificates |
| 19 | + |
| 20 | +Any RADIUS server performing xref:reference:raddb/mods-available/eap.adoc[TLS-based EAP] must have a server certificate and associated key. This certificate can be signed by a public CA which the end devices already trust, or it can be signed by a self-signed CA managed by the organization. If using a self-signed CA, configure the supplicant to trust the self-signed CA for EAP server authentication purposes. This is often done with a managed security policy. |
| 21 | + |
| 22 | +It’s also possible that a supplicant is instructed to trust an “anchor” certificate in a chain of certificates. The server certificate in this chain has been signed by an intermediate CA certificate, which may have been signed by another CA certificate, and so on, up to a self-signed root CA certificate. |
| 23 | + |
| 24 | +The trust anchor configured on the end device may not be the root CA, in which case this is referred to as validating a "partial chain" as shown below. |
| 25 | + |
| 26 | + Root CA |
| 27 | + | |
| 28 | + Intermediate CA A <- Supplicant instructed to trust this "anchor" |
| 29 | + | |
| 30 | + Intermediate CA B |
| 31 | + | |
| 32 | + Server Cert |
| 33 | + |
| 34 | +The simplest set up for the server certificate for FreeRADIUS is to put all certificates into the `certificate file`. Put the server certificate and any intermediate certificates needed to reach the certificate trusted by the end device. This file must start with the server certificate and work its way up the chain. |
| 35 | + |
| 36 | +While the certificate file can include the certificate trusted by the supplicant, this may cause larger packet exchanges between FreeRADIUS and the end device. Some supplicants may also fail to trust the server if this certificate is included. Therefore, it’s recommended to stop the certificate file at the certificate in the chain that’s immediately before the one configured as a trust anchor. |
| 37 | + |
| 38 | +In the example above, this means the server certificate file should contain: |
| 39 | + |
| 40 | + * Server Cert |
| 41 | + * Intermediate CA B |
| 42 | + |
| 43 | +=== Extended Key Use Extension |
| 44 | + |
| 45 | +In order to satisfy the requirements of certain supplicants, server |
| 46 | +certificates must contain the following Extended Key Use extension: |
| 47 | + |
| 48 | + * Server Authentication - OID 1.3.6.1.5.5.7.3.1 |
| 49 | + |
| 50 | +It's strongly recommended to include the following EKU extension in any client certificates generated for EAP-TLS. (or EAP-PEAP /EAP-TTLS methods in which the client certificate is to be validated): |
| 51 | + |
| 52 | + * Client Authentication - OID 1.3.6.1.5.5.7.3.2 |
| 53 | + |
| 54 | +In addition: |
| 55 | + |
| 56 | + * Some supplicants (notably Windows) refuse to accept wildcard certificates, so these should be avoided for maximum compatibility. |
| 57 | + * Some supplicants (notably ChromeOS) reject Extended Validation (EV) certificates. |
| 58 | + * Apple supplicants will not accept leaf certificates whose validity period is greater than 397 days. |
| 59 | + * Some supplicants (notable MacOS) require that the certificate include a critical BasicConstraint `CA:FALSE`. |
| 60 | + * Some supplicants store and check the certificate Subject CN. Others use the Subject Alternate Name. Therefore the same (case-sensitive) server name in the form of an FQDN (not necessarily matching the server's hostname) should be used as *both* the CN and as a SAN. |
| 61 | + |
| 62 | +When replacing certificates, ensure that the replacement certificates match any explict requirements that are configured on the supplicants of all end devices. |
| 63 | + |
| 64 | +For example, specific names (or domain suffixes) expected in the CN and/or |
| 65 | +Subject Alternative Names may be part of requirements that have been pinned in |
| 66 | +the network's 802.1X profile via an explicit managed security policy. |
| 67 | + |
| 68 | +Furthermore, the CN and/or SAN names from certificates presented during previous network connections may have been automatically saved. This action results in an implicit requirement for future certificates. Changing these “learned” properties cause an authentication failure or the user is prompted to manually accept any new certificate with previously unknown properties. |
| 69 | + |
| 70 | +When replacing a server certificate, make sure you have enough time to update the end devices’ policies. This way, the end devices trust the new server certificates before the old ones expire or are replaced. |
| 71 | + |
| 72 | +== Trusted CA certificates |
| 73 | + |
| 74 | +When using “mutual TLS", FreeRADIUS needs to know which CAs to trust to authenticate the end device. The end devices present certificates to the server like EAP-TLS. |
| 75 | + |
| 76 | +The easiest way to manage this is to put any CAs that must be trusted in a single file (named `ca_file`). Alternatively, the trusted certificates can be placed in a directory (named `ca_dir`). |
| 77 | + |
| 78 | +CAs used for signing end device certificates should NOT be public CAs. Trusting public CAs usually means that an end device presenting any certificate signed by that same CA is trusted. If client authentication uses a public CA, the acceptable client certificates must be resticted (using the `check_cert_cn` option or the `check-eap-tls` virtual server). |
| 79 | + |
| 80 | +However, a self-signed CA used only for EAP authentication, whose private key is known only to the organization, doesn’t have this problem. |
| 81 | + |
| 82 | + |
| 83 | +== Using FreeRADIUS's provided scripts to create certificates |
| 84 | + |
| 85 | +If a CA is not already in use for signing certificates then FreeRADIUS |
| 86 | +ships with scripts which can create a CA, server certificates, and client |
| 87 | +certificates. |
| 88 | + |
| 89 | +See xref:reference:raddb/certs/index.adoc[Certificates] in the Configuration Files section on how to generate certificates and the corresponding `raddb/certs/Makefile` for more details. |
| 90 | + |
| 91 | +== Loading certificates onto the RADIUS servers |
| 92 | + |
| 93 | +Certificates to be loaded onto the RADIUS servers must be copied into |
| 94 | +`raddb/certs` directory. Use file names which help to identify |
| 95 | +what the certificates are. |
| 96 | + |
| 97 | +The freeradius certificates required at a minimum are: |
| 98 | + |
| 99 | +* ca.pem: `raddb/certs/ca.pem` |
| 100 | +* server.pem: `raddb/certs/server.pem` |
| 101 | +* server.key: `raddb/certs/server.key` |
| 102 | + |
| 103 | +If additional certificates are needed for different EAP methods (e.g. EAP-PEAP |
| 104 | +using one server certificate and EAP-TLS using another) then generate and add the required certificates into this directory. |
| 105 | + |
| 106 | +== Certificates in the FreeRADIUS EAP Configuration |
| 107 | + |
| 108 | +Certificate settings for EAP are found in the eap module configuration |
| 109 | +located in the `raddb/mods-enabled/eap` directory. |
| 110 | + |
| 111 | +If a common set of certificates is used by all EAP methods then it will |
| 112 | +be set in a `tls-config` section called `tls-common`. This section is referenced |
| 113 | +within each EAP method that's enabled. |
| 114 | + |
| 115 | +This section contains at least the following: |
| 116 | + |
| 117 | + tls-config tls-common { |
| 118 | + # private_key_password = whatever |
| 119 | + private_key_file = ${certdir}/server.key |
| 120 | + certificate_file = ${certidir}/server.pem |
| 121 | + auto_chain = no |
| 122 | + ca_file = ${cadir}/ca.pem |
| 123 | + # ca_dir = ${cadir}/trusted |
| 124 | + tls_min_version = "1.1" |
| 125 | + tls_max_version = "1.2" |
| 126 | + } |
| 127 | + |
| 128 | +If applicable, the `private_key_password` item must be un-commented and set to the password used when generating the private key, |
| 129 | + |
| 130 | +The `certificate_file` and `private_key_file` items refer to files that contain |
| 131 | +the server certificate (followed by intermediate CAs up to but not including |
| 132 | +the CA trusted by supplicants) and the private key corresponding to the server |
| 133 | +certificate, respectively. |
| 134 | + |
| 135 | +By setting the `auto_chain` item to `no` the certificate chain will be |
| 136 | +presented to the end device as it is in the server certificate file. With |
| 137 | +`auto_chain` set to `yes` OpenSSL automatically creates a chain. The chain is based on the certificates in `ca_file` and `ca_dir`. OpenSSL's automatic chain building behaviour differs greatly between versions and may result in a chain that may not reflect what the supplicant expects. |
| 138 | + |
| 139 | +The `ca_file` item refers to a file that contains CA certificates |
| 140 | +which FreeRADIUS trusts when checking client certificates. |
| 141 | + |
| 142 | +The `ca_dir` item refers to a directory containing CA certificates which |
| 143 | +FreeRADIUS trusts when checking client certificates. Additionally, any Certificate Revocation Lists (CR) are included. After modifying this directory the `c_rehash` command must be run. |
| 144 | + |
| 145 | +[NOTE] |
| 146 | +==== |
| 147 | +The set of certificates present in `ca_file` determines the list of |
| 148 | +Distingished Names trusted by the server which are sent to an end device when a |
| 149 | +client certificate is requested. For example during EAP-TLS authentication, or |
| 150 | +during PEAP or EAP-TTLS when mutual authentication is requested. This |
| 151 | +**not** true for trusted certificates within the `ca_path` directory. |
| 152 | +==== |
| 153 | + |
| 154 | +Many supplicants won't send a client certificate unless its issuer is in the list of trusted certificates sent by the server. Also, the client's issuer may be in the configured client certificate chain. Also. The supplicant won't send a certificate if the list of trusted certificates is empty. This means no ca_file is configured with trusted certificates placed in the ca_dir. |
| 155 | + |
| 156 | +Many supplicants won't send a client certificate unless its issuer (or one of the configured client certificate chain issuers) is in the list of trusted certificates sent by the server. Also, the supplicant won't send a certificate if the list of trusted certificates is empty. This means no ca_file is configured with trusted certificates placed in the ca_dir. |
| 157 | + |
| 158 | +The `tls_min_version` and `tls_max_version` items control which TLS versions |
| 159 | +are acceptable. |
| 160 | + |
| 161 | +In order to allow supplicants to connect using TLS versions 1.0 or |
| 162 | +1.1 the option `cipher_list` within the `tls-config` may need to be set as |
| 163 | +follows |
| 164 | +``` |
| 165 | + tls-config tls-common { |
| 166 | + ... |
| 167 | + cipher_list = "DEFAULT@SECLEVEL=1" |
| 168 | + ... |
| 169 | + } |
| 170 | +``` |
| 171 | +This situation arises if the server's system default for `SECLEVEL` is higher. |
| 172 | + |
| 173 | +For strong security we recommend setting `tls_min_version` to `1.2` or `1.3`.However this setting might prevent end devices on older operating systems from connecting. |
| 174 | + |
| 175 | + |
| 176 | +=== Different certificates for different EAP methods |
| 177 | + |
| 178 | +If different certificates are required for different EAP methods then create |
| 179 | +additional `tls-config` sections with distinct names. Reference the |
| 180 | +corresponding `tls-config` section in the configuration section for each EAP |
| 181 | +method |
| 182 | + |
| 183 | +Example 'tls-config' section |
| 184 | +``` |
| 185 | + |
| 186 | + tls-config eap-peap-tls-config { |
| 187 | + ... |
| 188 | + private_key_file = ${certdir}/server-peap.key |
| 189 | + certificate_file = ${certdir}/server-peap.pem |
| 190 | + ... |
| 191 | + } |
| 192 | + |
| 193 | + peap { |
| 194 | + ... |
| 195 | + tls = eap-peap-tls-config |
| 196 | + ... |
| 197 | + } |
| 198 | +``` |
| 199 | + |
| 200 | +Add the new certificate and key to the servers. |
0 commit comments