I am trying to install a freeradius server on my Debian 9 machine. I installed it successfully with apt. I also ran it successfully: it accepts a user and password, and refuses the connection if you do not provide a good user and password.
But I need to implement certificate verification. I followed the official documentation at https://wiki.freeradius.org/guide/WPA%20HOWTO
cd /etc/freeradius/3.0/certs/
make
It generated some certificates, and I changed /etc/freeradius/3.0/mods-enabled/eap
tls-config tls-common {
    private_key_password = whatever
    private_key_file = /etc/freeradius/3.0/certs/server.key
    # If Private key & Certificate are located in
    # the same file, then private_key_file &
    # certificate_file must contain the same file
    # name.
    #
    # If ca_file (below) is not used, then the
    # certificate_file below MUST include not
    # only the server certificate, but ALSO all
    # of the CA certificates used to sign the
    # server certificate.
    certificate_file = /etc/freeradius/3.0/certs/server.pem
    # Trusted Root CA list
    #
    # ALL of the CA's in this list will be trusted
    # to issue client certificates for authentication.
    #
    # In general, you should use self-signed
    # certificates for 802.1x (EAP) authentication.
    # In that case, this CA file should contain
    # *one* CA certificate.
    #
    ca_file = /etc/freeradius/3.0/certs/ca.pem
Then I configured the users file and client.conf as mentioned in the official documentation. I installed ca.pem on the client, as shown in the figure.
Now:
- if the client presents a fake certificate, the connection is rejected
- if the client presents a valid certificate, the connection is accepted
- but if the client presents no certificate at all, the connection is also accepted
I want to configure freeradius to reject the connection when the client does not present a valid certificate.
I also tried uncommenting, in mods-enabled/eap,
# require_client_cert = yes
but then freeradius no longer accepts the connection.
Here is the log I get when I try with this parameter:
(5) eap_ttls: Authenticate
(5) eap_ttls: Continuing EAP-TLS
(5) eap_ttls: [eaptls verify] = ok
(5) eap_ttls: Done initial handshake
(5) eap_ttls: TLS_accept: SSLv3/TLS write server done
(5) eap_ttls: <<< recv TLS 1.2 [length 0007]
(5) eap_ttls: >>> send TLS 1.2 [length 0002]
(5) eap_ttls: ERROR: TLS Alert write:fatal:handshake failure
tls: TLS_accept: Error in error
(5) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
(5) eap_ttls: ERROR: System call (I/O) error (-1)
(5) eap_ttls: ERROR: TLS receive handshake failed during operation
(5) eap_ttls: ERROR: [eaptls process] = fail
(5) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
(5) eap: Sending EAP Failure (code 4) ID 5 length 4
(5) eap: Failed in EAP select
(5) [eap] = invalid
(5) } # authenticate = invalid
(5) Failed to authenticate the user
So my question is: how can I force freeradius to check that a certificate is present and that it is a good one?
I have been trying for several days. So if someone has already installed a freeradius server and is willing to help me, that would be great.
Thanks
Answer 1
Yes, I found it, after waiting.
I had to enable verify.
Then you have to provide the CA certificate and the user certificate.
The CA certificate is only used to secure the connection, not for identification. In fact, the client may not have the CA certificate and it still works.
This is where the user certificate can help. You can use it to identify the user.
In the file
mods-enabled/eap
you can implement custom verification. So you can implement your own script. You can use the
%{TLS-Client-Cert-Filename}
variable to get the user certificate.
Then you hand it to your script and do the verification yourself. You can use:
openssl verify
to do this, or anything else. My script is:
/etc/freeradius/3.0/scripts/log.sh
It exits 0 on success and 1 on failure, thereby allowing or denying the user access.
Here is my mods-enabled/eap configuration file, for anyone who needs it:
verify {
    # If the OCSP checks succeed, the verify section
    # is run to allow additional checks.
    #
    # If you want to skip verify on OCSP success,
    # uncomment this configuration item, and set it
    # to "yes".
    #skip_if_ocsp_ok = no
    # A temporary directory where the client
    # certificates are stored. This directory
    # MUST be owned by the UID of the server,
    # and MUST not be accessible by any other
    # users. When the server starts, it will do
    # "chmod go-rwx" on the directory, for
    # security reasons. The directory MUST
    # exist when the server starts.
    #
    # You should also delete all of the files
    # in the directory when the server starts.
    tmpdir = /tmp/radiusd
    # The command used to verify the client cert.
    # We recommend using the OpenSSL command-line
    # tool.
    #
    # The ${..ca_path} text is a reference to
    # the ca_path variable defined above.
    #
    # The %{TLS-Client-Cert-Filename} is the name
    # of the temporary file containing the cert
    # in PEM format. This file is automatically
    # deleted by the server when the command
    # returns.
    client = "/bin/bash /etc/freeradius/3.0/scripts/log.sh %{TLS-Client-Cert-Filename} %{Client-IP-Address}"
}
The client part is the most important part.
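As an added example (this is not the answerer's log.sh, which the answer does not show, and not FreeRADIUS project code), here is a verification script of the kind the answer describes. FreeRADIUS invokes the `client` command of the `verify` section with `%{TLS-Client-Cert-Filename}` and `%{Client-IP-Address}` as arguments; the script runs `openssl verify` against the trusted CA file and exits 0 to accept or 1 to reject. The script name `verify_client_cert.sh`, the CA and log paths, and the `-purpose sslclient` check (which additionally rejects certificates not issued for TLS client authentication, such as the server's own certificate) are assumptions of this example.

```shell
#!/bin/sh
# verify_client_cert.sh (hypothetical name): client-certificate check for the
# FreeRADIUS `verify { client = ... }` hook. Added example, not the answer's own script.
#
# Intended invocation from mods-enabled/eap (paths assumed):
#   client = "/bin/sh /etc/freeradius/3.0/scripts/verify_client_cert.sh %{TLS-Client-Cert-Filename} %{Client-IP-Address}"
#
# Exit status 0 accepts the client, anything else rejects it.

# CA bundle allowed to issue client certificates (assumed path; override via environment).
CA_FILE="${CA_FILE:-/etc/freeradius/3.0/certs/ca.pem}"
# Where accept/reject decisions are recorded (assumed path; override via environment).
LOG_FILE="${LOG_FILE:-/var/log/freeradius/client-cert-verify.log}"

# log MESSAGE...: append a UTC-timestamped line; never let logging failures change the decision.
log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG_FILE" 2>/dev/null || true
}

# cert_subject CERT_FILE: print the subject DN of a PEM certificate (empty on parse failure).
cert_subject() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null
}

# verify_client_cert CERT_FILE CA_FILE
# Returns 0 only when CERT_FILE is a readable PEM certificate that chains to a CA
# in CA_FILE, is inside its validity period, and is usable as a TLS client
# certificate. openssl verify performs the chain, validity and purpose checks.
verify_client_cert() {
    cert="$1"
    ca="$2"
    if [ ! -r "$cert" ]; then
        log "reject: certificate file '$cert' is not readable"
        return 1
    fi
    if [ ! -r "$ca" ]; then
        log "reject: CA file '$ca' is not readable"
        return 1
    fi
    if openssl verify -CAfile "$ca" -purpose sslclient "$cert" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# main CERT_FILE [CLIENT_IP]: decide, log the outcome, and exit with the decision.
main() {
    cert="$1"
    client_ip="${2:-unknown}"
    subject="$(cert_subject "$cert")"
    [ -n "$subject" ] || subject="unparseable certificate"
    if verify_client_cert "$cert" "$CA_FILE"; then
        log "accept: $subject from $client_ip"
        exit 0
    fi
    log "reject: $subject from $client_ip"
    exit 1
}

# Only act when FreeRADIUS passes arguments; sourcing the file without arguments
# just defines the functions.
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

Note that this hook only ever sees a certificate the client actually presented: a session in which the client sends no certificate never reaches the `verify` section, which is what the `require_client_cert` setting from the question governs, so the script complements that setting rather than replacing it.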