Freeradius

How do I force freeradius to check the validity of certificates?

  • September 21, 2018

I am trying to set up a freeradius server on my debian 9 machine. I installed it successfully with apt. I also ran it successfully: it accepts a username and password, and rejects the connection if you do not supply a good username and password.

But I need to implement certificate verification. I followed the official documentation at https://wiki.freeradius.org/guide/WPA%20HOWTO

cd /etc/freeradius/3.0/certs/
make

It generated some certificates, and I changed /etc/freeradius/3.0/mods-enabled/eap:

tls-config tls-common {
        private_key_password = whatever
        private_key_file = /etc/freeradius/3.0/certs/server.key

        #  If Private key & Certificate are located in
        #  the same file, then private_key_file &
        #  certificate_file must contain the same file
        #  name.
        #
        #  If ca_file (below) is not used, then the
        #  certificate_file below MUST include not
        #  only the server certificate, but ALSO all
        #  of the CA certificates used to sign the
        #  server certificate.
        certificate_file = /etc/freeradius/3.0/certs/server.pem

        #  Trusted Root CA list
        #
        #  ALL of the CA's in this list will be trusted
        #  to issue client certificates for authentication.
        #
        #  In general, you should use self-signed
        #  certificates for 802.1x (EAP) authentication.
        #  In that case, this CA file should contain
        #  *one* CA certificate.
        #
        ca_file = /etc/freeradius/3.0/certs/ca.pem

Then I configured the users file and client.conf as described in the official documentation. As shown in the picture, I have installed ca.pem on the client.

(Image: configuration example)

Now:

  • If the client presents a fake certificate, the connection is rejected
  • If the client presents a good certificate, the connection is accepted
  • But if the client does not present a certificate at all, the connection is also accepted

And I want to configure freeradius to reject the connection when the client does not present a valid certificate.

I also tried uncommenting, in mods-enabled/eap,

#       require_client_cert = yes

but then freeradius no longer accepts any connection.

Here is the log when I try to use this parameter:

(5) eap_ttls: Authenticate
(5) eap_ttls: Continuing EAP-TLS
(5) eap_ttls: [eaptls verify] = ok
(5) eap_ttls: Done initial handshake
(5) eap_ttls: TLS_accept: SSLv3/TLS write server done
(5) eap_ttls: <<< recv TLS 1.2  [length 0007] 
(5) eap_ttls: >>> send TLS 1.2  [length 0002] 
(5) eap_ttls: ERROR: TLS Alert write:fatal:handshake failure
tls: TLS_accept: Error in error
(5) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
(5) eap_ttls: ERROR: System call (I/O) error (-1)
(5) eap_ttls: ERROR: TLS receive handshake failed during operation
(5) eap_ttls: ERROR: [eaptls process] = fail
(5) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module failed
(5) eap: Sending EAP Failure (code 4) ID 5 length 4
(5) eap: Failed in EAP select
(5)     [eap] = invalid
(5)   } # authenticate = invalid
(5) Failed to authenticate the user

So my question is: how can I force freeradius to check that a certificate is present and that it is a good certificate?

I have been trying for several days. So if someone has already set up a freeradius server and is willing to help me, that would be great.

Thanks

Yes, I found a way.

I had to enable eap-tls.

Then you have to provide a CA certificate and a user certificate.

The CA certificate is only used to secure the connection, not for identification. In fact, the client may not even have the CA certificate and it will still work.

This is where the user certificate helps. You can use it to identify the user.

In the file mods-enabled/eap you can implement custom verification, so you can plug in your own script. You can use the %{TLS-Client-Cert-Filename} variable to get the user certificate.

Then you hand it to your script and do the verification yourself. You can use openssl verify for that, or anything else. My script is /etc/freeradius/3.0/scripts/log.sh; it exits 0 on success and 1 on failure, thereby allowing or denying the user access.

Here is my mods-enabled/eap configuration file, for anyone who might need it:

        verify {
                #  If the OCSP checks succeed, the verify section
                #  is run to allow additional checks.
                #
                #  If you want to skip verify on OCSP success,
                #  uncomment this configuration item, and set it
                #  to "yes".
                #skip_if_ocsp_ok = no

                #  A temporary directory where the client
                #  certificates are stored.  This directory
                #  MUST be owned by the UID of the server,
                #  and MUST not be accessible by any other
                #  users.  When the server starts, it will do
                #  "chmod go-rwx" on the directory, for
                #  security reasons.  The directory MUST
                #  exist when the server starts.
                #
                #  You should also delete all of the files
                #  in the directory when the server starts.
                tmpdir = /tmp/radiusd

                #  The command used to verify the client cert.
                #  We recommend using the OpenSSL command-line
                #  tool.
                #
                #  The ${..ca_path} text is a reference to
                #  the ca_path variable defined above.
                #
                #  The %{TLS-Client-Cert-Filename} is the name
                #  of the temporary file containing the cert
                #  in PEM format.  This file is automatically
                #  deleted by the server when the command
                #  returns.
                client = "/bin/bash /etc/freeradius/3.0/scripts/log.sh %{TLS-Client-Cert-Filename} %{Client-IP-Address}"
        }

The client line is the important part.
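As an added example (not the answerer's log.sh and not shipped with FreeRADIUS), here is a POSIX shell verification script of the kind the client line above calls: it receives the temporary PEM file and the client IP, accepts only a certificate that chains to ca.pem, is within its validity period and is usable for TLS client authentication, and exits 0 to allow or 1 to deny. The file name verify_client_cert.sh and the CA_FILE default are assumptions; the path matches the ca_file in the question.

```shell
#!/bin/sh
# verify_client_cert.sh (added example; file name and CA_FILE default are assumptions)
# Wired into the verify section of mods-enabled/eap as:
#   client = "/bin/sh /etc/freeradius/3.0/scripts/verify_client_cert.sh %{TLS-Client-Cert-Filename} %{Client-IP-Address}"
# Exit status 0 allows the user, anything else denies.

CA_FILE="${CA_FILE:-/etc/freeradius/3.0/certs/ca.pem}"   # same ca_file as in tls-config

# Log to syslog when logger is available, otherwise to stderr (radiusd -X shows it).
log() { logger -t radius-certcheck -- "$*" 2>/dev/null || printf '%s\n' "$*" >&2; }

# verify_client_cert CERT_PEM CA_PEM [CLIENT_IP]
#   returns 0 when CERT_PEM chains to CA_PEM, is currently valid and is
#   acceptable as a TLS client certificate; returns 1 for anything else.
verify_client_cert() {
    cert="$1"; ca="$2"; ip="${3:-unknown}"

    # A missing or empty temp file means no usable certificate reached us: deny.
    if [ ! -s "$cert" ]; then
        log "REJECT $ip: no client certificate presented"
        return 1
    fi

    # Refuse anything that is not a parsable X.509 certificate before verifying it.
    subject=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null) || {
        log "REJECT $ip: file is not a parsable X.509 certificate"
        return 1
    }

    # openssl verify checks the signature chain and the validity period;
    # -purpose sslclient also refuses certificates whose extendedKeyUsage
    # lacks clientAuth (e.g. a copy of a serverAuth-only server certificate).
    if ! openssl verify -CAfile "$ca" -purpose sslclient "$cert" >/dev/null 2>&1; then
        log "REJECT $ip: $subject does not verify against $ca"
        return 1
    fi

    log "ACCEPT $ip: $subject"
    return 0
}

# When FreeRADIUS invokes the script with arguments, run the check and exit with its result.
if [ "$#" -ge 1 ]; then
    verify_client_cert "$1" "$CA_FILE" "$2"
    exit "$?"
fi
```

The script never needs to delete the certificate file: as the comments in the verify block say, the server removes it when the command returns, and tmpdir must stay readable only by the radiusd user.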

Source: https://serverfault.com/questions/872314