Freeradius
How do I force freeradius to check the validity of the certificate?
I am trying to install a freeradius server on my Debian 9 machine. I installed it successfully with apt. I also managed to run it and have it accept a username and password, and reject the connection if you do not provide a good username and password.
But I need to implement certificate verification. I followed the official documentation https://wiki.freeradius.org/guide/WPA%20HOWTO

    cd /etc/freeradius/3.0/certs/
    make
It generated some certificates, and I changed /etc/freeradius/3.0/mods-enabled/eap

    tls-config tls-common {
        private_key_password = whatever
        private_key_file = /etc/freeradius/3.0/certs/server.key

        #  If Private key & Certificate are located in
        #  the same file, then private_key_file &
        #  certificate_file must contain the same file
        #  name.
        #
        #  If ca_file (below) is not used, then the
        #  certificate_file below MUST include not
        #  only the server certificate, but ALSO all
        #  of the CA certificates used to sign the
        #  server certificate.
        certificate_file = /etc/freeradius/3.0/certs/server.pem

        #  Trusted Root CA list
        #
        #  ALL of the CA's in this list will be trusted
        #  to issue client certificates for authentication.
        #
        #  In general, you should use self-signed
        #  certificates for 802.1x (EAP) authentication.
        #  In that case, this CA file should contain
        #  *one* CA certificate.
        #
        ca_file = /etc/freeradius/3.0/certs/ca.pem
Then I configured the users file and client.conf as described in the official documentation. As shown in the figure, I have installed ca.pem on the client.
Now:
- if the client presents a fake certificate, the connection is rejected
- if the client presents a good certificate, the connection is accepted
- but if the client presents no certificate at all, the connection is also accepted
And I want to configure freeradius to reject the connection when the client does not present a valid certificate.
I also tried uncommenting, in mods-enabled/eap,
    # require_client_cert = yes
but then freeradius no longer accepts any connection.
Here is the log from when I tried with this parameter:

    (5) eap_ttls: Authenticate
    (5) eap_ttls: Continuing EAP-TLS
    (5) eap_ttls: [eaptls verify] = ok
    (5) eap_ttls: Done initial handshake
    (5) eap_ttls: TLS_accept: SSLv3/TLS write server done
    (5) eap_ttls: <<< recv TLS 1.2  [length 0007]
    (5) eap_ttls: >>> send TLS 1.2  [length 0002]
    (5) eap_ttls: ERROR: TLS Alert write:fatal:handshake failure
    tls: TLS_accept: Error in error
    (5) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
    (5) eap_ttls: ERROR: System call (I/O) error (-1)
    (5) eap_ttls: ERROR: TLS receive handshake failed during operation
    (5) eap_ttls: ERROR: [eaptls process] = fail
    (5) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module failed
    (5) eap: Sending EAP Failure (code 4) ID 5 length 4
    (5) eap: Failed in EAP select
    (5)     [eap] = invalid
    (5)   } # authenticate = invalid
    (5) Failed to authenticate the user
So my question is: how do I force freeradius to check that a certificate is present and that it is a good certificate?
I have been trying for several days, so if someone who has already installed a freeradius server is willing to help me, that would be great.
Thanks
Yes, I found a way.
I had to enable eap-tls.
Then you have to provide a CA certificate and a user certificate.
The CA certificate is only used to secure the connection, not for identification. The fact is that the client may not have the CA certificate and it still works.
This is where the user certificate helps. You can use it to identify the user.
In the file mods-enabled/eap you can implement custom verification, so you can run your own script. You can use the %{TLS-Client-Cert-Filename} variable to get the user certificate.
Then you hand it to your script and do the verification yourself. You can use openssl verify to do that, or anything else. My script is /etc/freeradius/3.0/scripts/log.sh; it exits 0 on success and 1 on failure, thereby allowing or denying the user access.
Here is my mods-enabled/eap configuration file, for anyone who might need it:
    verify {
        #  If the OCSP checks succeed, the verify section
        #  is run to allow additional checks.
        #
        #  If you want to skip verify on OCSP success,
        #  uncomment this configuration item, and set it
        #  to "yes".
        #skip_if_ocsp_ok = no

        #  A temporary directory where the client
        #  certificates are stored.  This directory
        #  MUST be owned by the UID of the server,
        #  and MUST not be accessible by any other
        #  users.  When the server starts, it will do
        #  "chmod go-rwx" on the directory, for
        #  security reasons.  The directory MUST
        #  exist when the server starts.
        #
        #  You should also delete all of the files
        #  in the directory when the server starts.
        tmpdir = /tmp/radiusd

        #  The command used to verify the client cert.
        #  We recommend using the OpenSSL command-line
        #  tool.
        #
        #  The ${..ca_path} text is a reference to
        #  the ca_path variable defined above.
        #
        #  The %{TLS-Client-Cert-Filename} is the name
        #  of the temporary file containing the cert
        #  in PEM format.  This file is automatically
        #  deleted by the server when the command
        #  returns.
        client = "/bin/bash /etc/freeradius/3.0/scripts/log.sh %{TLS-Client-Cert-Filename} %{Client-IP-Address}"
    }

The client part is the important part.
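As an added example (not the answerer's own log.sh, whose contents are not on this page), here is a small POSIX shell script that fills the role the verify `client` hook above describes: FreeRADIUS invokes it with `%{TLS-Client-Cert-Filename}` and `%{Client-IP-Address}` and grants access only when it exits 0. It verifies the presented certificate against the `ca_file` path from the eap configuration earlier on the page, denies when no certificate file was handed over at all (the case the question started from), and logs each decision. The `CA_FILE` environment override, the `radius-certcheck` log tag and the log line format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: stand-in for /etc/freeradius/3.0/scripts/log.sh.
# FreeRADIUS runs it from verify { client = ... } as
#   log.sh <TLS-Client-Cert-Filename> <Client-IP-Address>
# and allows the user only if it exits 0. The CA_FILE default reuses the
# ca_file path from the eap config on the page; the override variable,
# log tag and log format are assumptions of this example.

CA_FILE="${CA_FILE:-/etc/freeradius/3.0/certs/ca.pem}"
LOG_TAG="radius-certcheck"

# Log a decision to syslog when logger is available, otherwise to stderr.
log_decision() {
    logger -t "$LOG_TAG" -- "$*" 2>/dev/null || printf '%s\n' "$*" >&2
}

# verify_client_cert CERT_PEM CLIENT_IP
# Returns 0 only when CERT_PEM is a parseable certificate that chains to
# CA_FILE. Every failure path returns 1, including "no certificate at all",
# so a missing or empty file is a denial rather than a silent accept.
verify_client_cert() {
    cert="$1"
    client_ip="${2:-unknown}"

    if [ -z "$cert" ] || [ ! -s "$cert" ]; then
        log_decision "deny ip=$client_ip reason=no-client-certificate"
        return 1
    fi
    if [ ! -r "$CA_FILE" ]; then
        log_decision "deny ip=$client_ip reason=ca-file-unreadable ca=$CA_FILE"
        return 1
    fi

    # Extract the subject first: it identifies the user in the log, and a
    # file that is not a certificate at all is rejected at this step.
    subject=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null) || {
        log_decision "deny ip=$client_ip reason=not-a-certificate"
        return 1
    }

    # Chain validation against the trusted CA file: signature, validity
    # period and CA constraints are all checked by openssl verify.
    if openssl verify -CAfile "$CA_FILE" "$cert" >/dev/null 2>&1; then
        log_decision "allow ip=$client_ip $subject"
        return 0
    fi
    log_decision "deny ip=$client_ip reason=chain-verification-failed $subject"
    return 1
}

# Hook entry point: runs only when FreeRADIUS passes arguments, so the file
# can also be sourced (for testing) without making an access decision.
if [ "$#" -gt 0 ]; then
    verify_client_cert "$1" "$2"
    exit "$?"
fi
```

The script is plain sh, so the `/bin/bash ... log.sh` command in the verify block runs it unchanged. It only answers "does this certificate chain to our CA"; mapping the logged subject to a particular user (for example, checking the CN against the users file) would be a separate step on top of it.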