How do I force freeradius to check the validity of certificates?

I want to install a freeradius server on my Debian 9 machine. I installed it successfully with apt. I also ran it successfully: it accepts a username and password, and rejects the connection if you do not have a valid username and password.

But I need to enforce certificate validation. I followed the official documentation https://wiki.freeradius.org/guide/WPA%20HOWTO

    cd /etc/freeradius/3.0/certs/
    make

It generated some certificates, and I changed /etc/freeradius/3.0/mods-enabled/eap

    tls-config tls-common {
        private_key_password = whatever
        private_key_file = /etc/freeradius/3.0/certs/server.key

        #  If Private key & Certificate are located in
        #  the same file, then private_key_file &
        #  certificate_file must contain the same file
        #  name.
        #
        #  If ca_file (below) is not used, then the
        #  certificate_file below MUST include not
        #  only the server certificate, but ALSO all
        #  of the CA certificates used to sign the
        #  server certificate.
        certificate_file = /etc/freeradius/3.0/certs/server.pem

        #  Trusted Root CA list
        #
        #  ALL of the CA's in this list will be trusted
        #  to issue client certificates for authentication.
        #
        #  In general, you should use self-signed
        #  certificates for 802.1x (EAP) authentication.
        #  In that case, this CA file should contain
        #  *one* CA certificate.
        #
        ca_file = /etc/freeradius/3.0/certs/ca.pem

Then I configured the users file and client.conf as described in the official documentation. As shown in the picture, I installed ca.pem on the client.

(image: config example)

Now:

  • If the client presents a bogus certificate, the connection is rejected
  • If the client presents a good certificate, the connection is accepted
  • But if the client presents no certificate at all, the connection is also accepted

I want to configure freeradius to reject the connection when the client does not present a valid certificate.

I also tried uncommenting, in mods-enabled/eap,

    # require_client_cert = yes

but then freeradius no longer accepts connections at all.

Here is the log from my attempt with that parameter:

    (5) eap_ttls: Authenticate
    (5) eap_ttls: Continuing EAP-TLS
    (5) eap_ttls: [eaptls verify] = ok
    (5) eap_ttls: Done initial handshake
    (5) eap_ttls: TLS_accept: SSLv3/TLS write server done
    (5) eap_ttls: <<< recv TLS 1.2 [length 0007]
    (5) eap_ttls: >>> send TLS 1.2 [length 0002]
    (5) eap_ttls: ERROR: TLS Alert write:fatal:handshake failure
    tls: TLS_accept: Error in error
    (5) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
    (5) eap_ttls: ERROR: System call (I/O) error (-1)
    (5) eap_ttls: ERROR: TLS receive handshake failed during operation
    (5) eap_ttls: ERROR: [eaptls process] = fail
    (5) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
    (5) eap: Sending EAP Failure (code 4) ID 5 length 4
    (5) eap: Failed in EAP select
    (5)     [eap] = invalid
    (5)   } # authenticate = invalid
    (5) Failed to authenticate the user

So my question is: how do I force freeradius to check that a certificate is present and that it is good?

I have been trying for several days. So if anyone has already set up a freeradius server and is willing to help me, that would be great.

Thanks

Yes, I found a way.

I had to enable eap-tls.

Then you have to provide a CA certificate and a user certificate.

The CA certificate is only there to secure the connection, not for identification. In fact, the client may not even have the CA certificate and it still works.

This is where the user certificate comes in. You can use it to identify the user.

In the file

    mods-enabled/eap

you can implement custom validation, so you can plug in your own script. You can use the

    %{TLS-Client-Cert-Filename}

variable to get the user certificate.

Then you pass it to your script and do the validation yourself. You can use:

    openssl verify

to do that, or anything else. My script is:

    /etc/freeradius/3.0/scripts/log.sh

It exits 0 on success and 1 on failure, which allows or denies the user access.

Here is the mods-enabled/eap configuration I use:

    verify {
        #  If the OCSP checks succeed, the verify section
        #  is run to allow additional checks.
        #
        #  If you want to skip verify on OCSP success,
        #  uncomment this configuration item, and set it
        #  to "yes".
        #skip_if_ocsp_ok = no

        #  A temporary directory where the client
        #  certificates are stored.  This directory
        #  MUST be owned by the UID of the server,
        #  and MUST not be accessible by any other
        #  users.  When the server starts, it will do
        #  "chmod go-rwx" on the directory, for
        #  security reasons.  The directory MUST
        #  exist when the server starts.
        #
        #  You should also delete all of the files
        #  in the directory when the server starts.
        tmpdir = /tmp/radiusd

        #  The command used to verify the client cert.
        #  We recommend using the OpenSSL command-line
        #  tool.
        #
        #  The ${..ca_path} text is a reference to
        #  the ca_path variable defined above.
        #
        #  The %{TLS-Client-Cert-Filename} is the name
        #  of the temporary file containing the cert
        #  in PEM format.  This file is automatically
        #  deleted by the server when the command
        #  returns.
        client = "/bin/bash /etc/freeradius/3.0/scripts/log.sh %{TLS-Client-Cert-Filename} %{Client-IP-Address}"
    }

The client line is the important part.
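A script of the kind the verify { client = ... } line calls, as an added example that is not the poster's own log.sh: it chains the temporary client certificate to the CA with openssl verify (which also checks the validity period), reads the subject CN to identify the user, and optionally requires that CN to appear on an allow list. The CA path is the one from the question; the allow-list file allowed_cn.txt is a hypothetical extra.

```shell
#!/bin/sh
# Added example, not the poster's log.sh. FreeRADIUS runs it from the
# verify { client = "..." } block with $1 = %{TLS-Client-Cert-Filename}
# and $2 = %{Client-IP-Address}; exit 0 allows the user, non-zero rejects.
# Assumptions: CA bundle at /etc/freeradius/3.0/certs/ca.pem (the path from
# the question); the CN allow list allowed_cn.txt is a hypothetical extra.

CA_FILE="${CA_FILE:-/etc/freeradius/3.0/certs/ca.pem}"
ALLOW_LIST="${ALLOW_LIST:-/etc/freeradius/3.0/scripts/allowed_cn.txt}"

# verify_client_cert CERT_PEM CA_PEM [ALLOW_LIST]
# Returns 0 only if the certificate chains to CA_PEM, is inside its validity
# period, and (when an allow list file is given and exists) its CN is listed.
verify_client_cert() {
    cert="$1"; ca="$2"; allow="${3:-}"
    # Defensive: the temporary file must exist and be non-empty.
    if [ ! -s "$cert" ]; then
        echo "verify: no client certificate to check" >&2
        return 1
    fi
    # Chain, signature and notBefore/notAfter are all checked here;
    # -purpose sslclient also rejects certs whose EKU/keyUsage forbid client auth.
    if ! openssl verify -CAfile "$ca" -purpose sslclient "$cert" >/dev/null 2>&1; then
        echo "verify: certificate is not signed by the trusted CA or is expired" >&2
        return 1
    fi
    # Identify the user by the subject CN: the CA only secures the connection,
    # the user certificate is what names the user.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ -n "$allow" ] && [ -f "$allow" ]; then
        if ! grep -Fxq -- "$cn" "$allow"; then
            echo "verify: CN '$cn' is not in the allow list" >&2
            return 1
        fi
    fi
    echo "verify: accepted client certificate CN='$cn'" >&2
    return 0
}

# Entry point when FreeRADIUS invokes the script (it passes two arguments);
# running the file without arguments only defines the function.
if [ "$#" -ge 1 ]; then
    echo "verify: request from ${2:-unknown} using $1" >&2
    verify_client_cert "$1" "$CA_FILE" "$ALLOW_LIST"
    exit $?
fi
```

FreeRADIUS deletes the temporary PEM file as soon as the command returns, so the script must do all its checks on the file before exiting.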