Configure FreeRADIUS with Different CA’s for PEAP and EAP-TLS

Many WLAN’s administrators purchase commercial SSL certificates for their RADIUS server to use for PEAP 802.1X authentication. The advantage of this approach is that a cert from a common commercial CA is likely to have its root CA cert already installed on all the clients accessing the network. Although many clients will still prompt the user to trust the server’s cert, they won’t warn them that the certificate is invalid.

While many WLAN’s are configured this way, it’s become increasingly
easy to deploy EAP-TLS, which offers greater security that PEAP. Windows clients, Macs, iOS clients, and now Chromebooks can all automatically request and install a client cert from Windows Server Active Directory Certificate Services (ADCS), making its deployment much simpler than in the past.

Some organizations might desire to enable EAP-TLS for company-owned clients while preserving PEAP for BYOD clients that don’t benefit from the automatic certificate deployment that a managed, company-owned client does. They’d like to keep their commercial cert to use to authenticate PEAP clients, but also deploy a private CA to issue client certs for EAP-TLS authentication.

freeradius_logoWith Windows Server NPS as a radius server, this is simple to setup. The same has not been true for FreeRADIUS, until version 3 was released. With FreeRADIUS 3.0.x one can specify a unique TLS configuration for each tunneled EAP method. This eap.conf snippet shows how that can be done.

# Supported EAP-types
tls-config tls-peap {

private_key_file = ${certdir}/peap/public-cert-key.pem
certificate_file = ${certdir}/peap/public-cert.crt
# ca_file = ${cadir}/
dh_file = ${certdir}/dh
ca_path = ${cadir}
cipher_list = "HIGH"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24 # hours
max_entries = 255

}

verify {
}

ocsp {

enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"

}

}
tls-config tls-common {

private_key_password = password
private_key_file = ${certdir}/eap-tls/private-server-cert-key.pem
certificate_file = ${certdir}/eap-tls/private-server-cert.crt
ca_file = ${cadir}/eap-tls/private-ca.pem
dh_file = ${certdir}/dh
ca_path = ${cadir}
cipher_list = "HIGH"
ecdh_curve = "prime256v1"

cache {

enable = yes
lifetime = 24 # hours
max_entries = 255

}

verify {
}
ocsp {

enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"

}

}

tls {

tls = tls-common

}
peap {

tls = tls-peap
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"

}
mschapv2 {

send_error = no

}

With FreeRADIUS 2, it was not possible to configure multiple tls-config’s. Some admins were able to make it work by creating a combined cert with both the private CA cert and commercial CA cert and using that in the EAP-TLS ca_file. That’s a very bad idea as it then allows anyone with a cert from the commercial CA to authenticate to your network!

With FreeRADIUS 3, you can specify unique TLS parameters for each EAP method.

Advertisements