Topic: Radius server Error: TLS_accept failed in SSLv3 read client certificate A

lelik

Trying to setup RADIUS. Followed eBox 1.4 for Network Administrators manual.
Configured:
- radius server module with ebox
- ap /wireless router with WPA2/radius
- windows client.

When the Windows client tries to connect, the RADIUS server logs:

cat /var/log/freeradius/radius.log
Thu May 27 12:07:06 2010 : Error:     TLS_accept:failed in SSLv3 read client certificate A
Thu May 27 12:07:06 2010 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Thu May 27 12:07:06 2010 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.

Do I have to install any of the certificates that can be found in /etc/freeradius/certs on the Windows client?
Do I have to generate/re-generate any certificates, or are they generated by enabling the ebox radius module?
Do I have to change any configs in /etc/freeradius/ directory?
Any specific steps when setting up windows client?

lelik

Radius server seems to be configured properly.
I tested it with radtest and got:

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=45, length=20

jsalamero

  • Zentyal Staff
Remember you have to use TTLS PAP. Windows doesn't include native support for that and you have to install SecuWare or Xsupplicant third party apps.

lelik

Thanks.
I am going to try it.

Oh, wait...

Development on SecureW2’s Personal Client 2.X version was ceased in mid-2009.
Xsupplicant supports only Windows XP, and Linux, and compatible with Vista & Win7.

Do you happen to know any Win7 clients with TTLS PAP support?

On another subject.

The freeradius server can authenticate users via PAP, CHAP, MS-CHAP, MS-CHAPv2, SIP Digest, and all common EAP methods.

The ability to use a particular authentication protocol (PAP, CHAP, types of EAP) is completely under the control of the administrator.

Could I re-configure ebox (manually through config files) to support MS-CHAPv2?
« Last Edit: June 04, 2010, 08:59:07 pm by lelik »

jsalamero

  • Zentyal Staff
For more supplicants, check http://en.wikipedia.org/wiki/Supplicant_(computer)

http://www.securew2.com/node/16

Q: Is it legal for me to distribute SecureW2 2.0.X Clients and Mobile/CE 2.0.X Clients without a license?

A: It is illegal to distribute any 2.0.X versions without a license, this is stipulated in Section 3.1 in the license terms & conditions. Only 1.X versions and legacy TTLS 3.3.X versions are legal to distribute without license.

Q: Can my IT department continue using the old clients?

A: You can continue to use 1.X versions of the client.

There you go: http://www.ebox-technologies.com/~bencer/mhgh0ox3280p.zip

We didn't have the time to implement MSChap on FreeRADIUS, but if you get a working configuration, I will be pleased to merge it into ebox-radius.

lelik

Thanks.
I got it kind of working using the suggested SecureW2 with EAP TTLS PAP.
I had to create all certificates manually using the freeradius README.
Also modified /etc/freeradius/eap.conf to put the corresponding private_key_password.

It would be nice if the radius module were similarly integrated as the openvpn module, so one can use the GUI to create all certificates and write the modifications to eap.conf. Also there are two files required by Windows clients which are not produced by the current implementation of the ebox certificate module: client.p12 and ca.der

Also I had to instruct SecureW2 not to send the domain name, only username + password.
If domain name is sent, it fails as it does not know how to strip @domain from the user name.

From what I read, LDAP doesn't do MS-CHAPv2. You can't "do MS-CHAPv2 against an LDAP server". But you CAN have FreeRADIUS read the clear-text password from LDAP, and then have FreeRADIUS do the MS-CHAPv2 authentication.

I did not get a working configuration for the built-in Microsoft EAP PEAP MSCHAPv2 though.

I managed to strip the domain name DOMAIN\ using this filter in the ldap module:

filter = "(uid=%{mschap:User-Name:-%{User-Name}})"

where you have:

filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

Still getting error messages:

[mschap] FAILED: MS-CHAP2-Response is incorrect

Question: The only way to get EAP-MSCHAPv2 working is to use ntlm_auth. ntlm_auth is part of winbind package which is not implemented in ebox. Why?
« Last Edit: June 08, 2010, 03:36:30 am by lelik »

jsalamero

  • Zentyal Staff
We will try to integrate ebox-radius with the Certification Authority for 2.0, and I'll test the domain strip you propose and if it doesn't break anything will be included too, thanks !!

If you are using TTLS PAP the only thing you need to import in the clients is the CA certificate/public key, or the server one, which I suppose is that server.der file. But what's on that client.p12 ?

About MS-CHAPv2: it wasn't included because we didn't have time for that. If you contribute a working configuration it will be easy to implement it. Yes, probably we will need winbind, but also check these other hashes available for the samba LDAP auth: eboxLmPassword and eboxNtPassword, maybe they are useful.

lelik

ca.der -> DER format of ca.pem.

openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der

To import the Root CA certificate, copy ca.der to the Windows client desktop and double-click it.
This will allow the Validate Server Certificate option to be checked in the 802.1X supplicant (both SecureW2/PAP and MS built-in MS-CHAPv2).

.p12 is X.509 private keys and certificates in a single encrypted file using PKCS#12.

openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:"$PASSWORD_CLIENT" -passout pass:"$PASSWORD_CLIENT"

To install the client certificate, copy the client's client.p12 file to the Windows host and double-click it.

I checked /etc/freeradius/ldap.attrmap and it already has the lines:

checkItem       LM-Password                     sambaLmPassword
checkItem       NT-Password                     sambaNtPassword

As sambaLmPassword = eboxLmPassword and sambaNtPassword = eboxNtPassword,
I don't think inserting eboxLmPassword & eboxNtPassword will help.

I will install winbind, and let you know if i made it work.
« Last Edit: June 08, 2010, 03:53:09 am by lelik »

jsalamero

  • Zentyal Staff
Yes, I meant there is no need of client certificates, ebox-radius is intended to work using user and password ... when you use client certificates to authenticate it's called EAP TLS: http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP-TLS

We wait for the MS-CHAPv2 support contribution ! ;-D

lelik

Ok. Here we go.

1. Install winbind

2. Edit the file /etc/nsswitch.conf and add winbind at the end of the following lines:

passwd:
group:
protocols:
services:
netgroup:
automount:

3. Give the user freerad rights to write to the winbindd_privileged folder. Even though it looks like you are running freeradius under root credentials. Please, confirm.

sudo adduser freerad winbindd_priv
sudo chmod 750 /var/run/samba/winbindd_privileged

4. Modify smb.conf for the Winbind setup:

[global]
# separate domain and username with '\', like DOMAIN\username
winbind separator = \
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes

5. Restart winbind and samba, and as root join the domain:

net join -U Administrator

Very important: this cost me almost 2 days of testing(!!!)

6. Tests to confirm it's working:

wbinfo -u
Correctly gives the list of PDC users.

wbinfo -g
Correctly gets group information from the PDC.

getent passwd
Gets a unified list of both local and PDC users and groups.

wbinfo -a user%password    <- substitute with real user credentials
Expected output:
plaintext password authentication succeeded
challenge/response password authentication succeeded

ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=password    <- substitute with real user credentials
Expected output:
NT_STATUS_OK: Success (0x0)

If something is not giving the expected result, debug, do not continue.
If it works, we have successfully configured winbind + samba + ntlm_auth.

7. Configuring FreeRADIUS to use ntlm_auth:

Modify the file /etc/freeradius/modules/mschap. The following lines should be uncommented:

mschap {
....

with_ntdomain_hack = yes

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"


}

Now set up the Windows client and test, as with radtest.

Side notes:
1. You can start freeradius in debug mode from the command line during testing to see all errors/comments:

sudo /usr/sbin/freeradius -X

2. I created all certificates by hand. So far I made use of only the CA root authority ca.der:
my Windows clients always validate the server certificate.
3. I verified that the MS built-in supplicant works using EAP-MSCHAP v2. Did not have time or desire to make "Smart Card or other certificate" work using the client.p12 personal certificate.
So not sure if it works or not.
4. You could create certificates using the ebox certificate module, but then you have to fix all relative paths to them in the radius config files (i.e. radiusd.conf, eap.conf, etc.)


Cheers
« Last Edit: June 10, 2010, 08:43:45 pm by lelik »

jsalamero

  • Zentyal Staff
Does this work with ebox-samba? Or does it break any other configuration? Thanks for this! I'll try to merge this configuration in ebox-radius before 2.0. Or are you interested in doing it yourself? I could help you with the first steps of ebox development ;-)

lelik

Yes, it works on ebox-samba, even though, if I restart samba, I am sure my changes will be gone.
Still it is configured to only 50% of what it is supposed to do.
The Windows logon process in secured wireless access networks works as follows:
1. User enters credentials using the GUI.
2. Is a network connection available? If no, perform PEAP/MSCHAPv2 authentication using station credentials. If yes, authenticate the user against the domain controller.
3. Perform PEAP/MSCHAPv2 authentication using user credentials.
4. Initiate the user session.

As I told you, I made PEAP/MSCHAPv2 authentication using user credentials work:

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for olga with NT-Password
        expand: --username=%{mschap:User-Name:-None} -> --username=john
        expand: %{mschap:NT-Domain} -> MYDOMAIN
        expand: --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} -> --domain=MYDOMAIN
[mschap]  mschap2: 5f
expand: --challenge=%{mschap:Challenge:-00} -> --challenge=xxxxxxxxxxxx       
expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=xxxxxxxxxxxxxxxxxx
Exec-Program output: NT_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Exec-Program-Wait: plaintext: NT_KEY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success

The FreeRADIUS configuration file must contain attribute rewrite rules in order to modify the incoming username into a format which matches the names in samba/ldap. Windows sends the machine name in the form host/MACHINE-NAME.DOMAIN-NAME.
I followed the Novell guide on how to strip "host/" and add "$", but so far my understanding of regex statements and the unlang language is not adequate to accomplish it. As a result I cannot configure freeradius to authenticate the workstation.
http://www.novell.com/coolsolutions/feature/17044.html#7
Fortunately, the Microsoft authentication process allows local credentials to be cached, allowing the desktop to be initialized without actually having to issue any network traffic.
Which means in my case authentication still works, but it is much less secure than an enterprise environment requires:
1. User enters credentials using the GUI.
2. Is a network connection available? If no, it means no domain controller is available, but the user is able to log on using cached credentials.
3. Perform PEAP/MSCHAPv2 authentication using user credentials.
4. Initiate the user session (now it works as the wireless connection is successfully established).

If you are good at regex statements, and could fix "station" authentication, this ebox PEAP/MSCHAPv2 could be rock solid even for enterprise environments.

jsalamero

  • Zentyal Staff
I've created a ticket to track this feature: http://trac.ebox-platform.com/ticket/1945. Thanks !

cloakable

Is this feature going to be in eBox 2.0? MsCHAPv2 would be great for the radius pptpd plugin.

Drummel

The thing I did was edit the ldap module and mschap config, and of course stop and start radius in the console.
/etc/freeradius/modules/mschap

edit: the following lines should be uncommented:

mschap {
....

with_ntdomain_hack = yes

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

}

And in /etc/freeradius/modules/ldap  edit line:
filter = "(uid=%{mschap:User-Name:-%{User-Name}})"


« Last Edit: July 08, 2010, 02:35:36 pm by Drummel »
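Added example, not code from the thread, from ebox or from FreeRADIUS: a Python script working through the username normalization this thread touches on twice, the DOMAIN\user stripping that the ldap filter with %{mschap:User-Name} relies on, and the host/MACHINE-NAME.DOMAIN-NAME -> MACHINE-NAME$ rewrite for workstation authentication that was left unsolved. The regex, the RFC 4515 escaping and the sample names are my own assumptions and constructions; the same regex is roughly what an unlang "if (User-Name =~ /.../)" rule would carry.

```python
import re

# Machine accounts arrive as host/MACHINE-NAME.DOMAIN-NAME (see the thread).
# This pattern is an assumption of this example, not a FreeRADIUS-provided one;
# an unlang rule would use about the same regex:
#   if (User-Name =~ /^host\/([^.\/\\]+)(\.[^\/\\]*)?$/) { ... "%{1}$" ... }
HOST_RE = re.compile(r"^host/([^./\\]+)(?:\.[^/\\]*)?$", re.IGNORECASE)

# RFC 4515 escaping for values placed inside an LDAP search filter, so that a
# user-supplied name cannot alter the filter structure.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def normalize_user_name(user_name: str) -> str:
    """Return the account name to look up in Samba/LDAP.

    host/MACHINE-NAME.DOMAIN-NAME -> MACHINE-NAME$  (workstation account)
    DOMAIN\\user                  -> user           (what %{mschap:User-Name} strips)
    user@domain                   -> user           (the suffix SecureW2 was told not to send)
    user                          -> user
    """
    m = HOST_RE.match(user_name)
    if m:
        # Samba stores computer accounts with a trailing '$'; case is left as
        # sent, since winbind/ntlm_auth match account names case-insensitively.
        return m.group(1) + "$"
    if "\\" in user_name:
        user_name = user_name.split("\\", 1)[1]
    if "@" in user_name:
        user_name = user_name.split("@", 1)[0]
    return user_name


def ldap_filter(user_name: str) -> str:
    """Build the (uid=...) filter from the thread with the normalized, escaped name."""
    name = normalize_user_name(user_name)
    escaped = "".join(_LDAP_ESCAPES.get(c, c) for c in name)
    return "(uid=%s)" % escaped


if __name__ == "__main__":
    # Constructed sample identities, not captured from a real network.
    for sample in ("host/WS01.example.local", "MYDOMAIN\\john", "olga@example.local", "olga"):
        print("%-28s -> %-8s %s" % (sample, normalize_user_name(sample), ldap_filter(sample)))
```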