How to know what method I used in eap.conf - freeradius

Above is my eap.conf file. If I use this eap.conf, how can I know which EAP method I used: EAP-TLS, EAP-PEAP or EAP-TTLS?
As far as I know, EAP-TLS only uses certificates, and EAP-PEAP or EAP-TTLS only use a user name and password. But my FreeRADIUS server needs the user name, password and certificates in my Wi-Fi module to connect to my AP.
I'm new to FreeRADIUS.
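As an added example (not part of the original post and not FreeRADIUS code), the Python below reads an eap.conf and reports the outer `default_eap_type`, the EAP method sub-sections present, and the inner default of the tunnelled methods. The sample configuration and the function name are constructed for illustration; the method used for a given session is still negotiated with the supplicant.

```python
import re

# EAP method sub-sections that can appear inside the eap { } block.
KNOWN_METHODS = {"md5", "leap", "gtc", "tls", "ttls", "peap", "mschapv2"}

# Constructed sample, not the poster's file.
SAMPLE_CONF = """
eap {
    default_eap_type = peap        # method the server offers first
    md5 {
    }
    tls {
        certdir = ${confdir}/certs
        private_key_file = ${certdir}/server.pem
    }
    ttls {
        default_eap_type = md5     # inner method inside the TLS tunnel
    }
    # leap { }  (commented out, so not enabled)
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}
"""

def summarize_eap_conf(text):
    """Return (outer default method, {method section: inner default or None})."""
    outer_default, methods, current, depth = None, {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]                      # drop comments
        line = re.sub(r"\$\{[^}]*\}", "", line).strip()  # drop ${var} references
        if not line:
            continue
        opened = re.match(r"([\w-]+)\s*\{", line)
        setting = re.match(r'default_eap_type\s*=\s*"?([\w-]+)', line)
        if opened and depth == 1 and opened.group(1) in KNOWN_METHODS:
            current = opened.group(1)
            methods[current] = None
        elif setting and depth == 1:
            outer_default = setting.group(1)
        elif setting and depth == 2 and current:
            methods[current] = setting.group(1)
        depth += line.count("{") - line.count("}")
        if depth <= 1:
            current = None
    return outer_default, methods
```

In a configuration like the sample, `peap` and `ttls` build their tunnel on the server certificate set up in the `tls` section and then authenticate a user name and password inside it, which is why a client can be asked for a CA certificate as well as credentials.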

Related

FreeRadius : PAM and EAP-TTLS/PEAP

I have a FreeRadius server set up that authenticates users through the PAM (SSSD for AD authentication + MFA via Google Authenticator).
It works well, but when I configured it on my firewall I received a message like this:
When authenticating user xxx from 'ip from domain controller', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS.
I don't understand exactly what this message means. How can I secure the information between my FW/SSH console and the RADIUS server, and between the RADIUS server and the domain controller?
Can I still use PAM with PEAP/EAP-TTLS? Is it just a means to secure the network transaction, or is it an authentication model?
Thank you for your help.
The pam_radius plugin always uses PAP, and a RADIUS client for PAM does not exist with PEAP/EAP-TTLS/EAP-TLS. PAP is less secure because it displays the password in plain text. For security reasons you can either have a VPN, which may need external hardware, or have a TLS proxy like stunnel or nginx at the PAM-RADIUS client and protect the RADIUS packets with TLS. I will go for the 2nd option, as it is free and the FreeRADIUS server can be configured to use a RadSec connection, but of course you will now manage the certificates.

freeRadius using EAP with custom auth script

I am attempting to set up a FreeRADIUS server to authenticate against a web service. The reason for this is that there is a complicated workflow involving account status and MAC address. The workflow seemed out of place in FreeRADIUS. So my user names and encrypted passwords are stored remotely from the RADIUS server. Everything works fine using radclient to test. When I started using the Access Point, I learned it only communicates with the RADIUS server via EAP-TLS. This means that the User-Password argument is not available for my script.
Is there a way to have EAP auth check for user authentication against my script? By this I mean, can I get the password to send to my secondary service?
Alternately, is there a way to get the User-Password from the encrypted eap-message data?
Access points don't usually place restrictions on the EAP type. The device connecting to the AP negotiates an EAP type with FreeRADIUS. If it's using EAP-TLS, it's probably a Windows machine that hasn't been configured to do anything different.
Investigate EAP flavours to find out which ones are available. If you have EAP-TTLS-PAP you can send the plaintext password from the wireless client, and use it to authenticate against the web service.
In FreeRADIUS v3.0.x there's an rlm_rest module, which can perform basic auth on behalf of the user, with very little configuration.

Handling SSL certificates as they are renewed on the server

I have a cert signed by a CA (Geotrust) on my server. I have the same cert installed in my app. I compare the two certs in URLSession:didReceiveChallenge:completionHandler:. But I was notified by my hosting service that I need to 'renew' the cert each year. That creates a new and different cert for me to handle in the app. Since the certs are not self-signed, do I need to embed the cert in the app for comparison with the cert as it comes from the server, or does iOS's SSL handling take care of the challenge for me? Maybe I can just use server trust without looking at the cert?
I have the same cert installed in my app.
Why?
I compare the two certs in URLSession:didReceiveChallenge:completionHandler.
Why?
What you should be doing is comparing the subjectDN. That's what the signer is verifying. It's all you need.
Maybe I can just use server trust without looking at the cert?
It sounds like you're trying to do the correct thing and add an authorization step. Relying on 'server trust' just gives you authentication, i.e. the subject DN is who he says he is. Authorization checks whether that DN is authorised to use this part of the application. But you don't need to check the entire certificate for that.

Identifying a connection with HTTPS in rails

I'm expecting a connection to come via HTTPS to a rails app using a certificate self-signed with previously agreed certificate authority.
The spec for the API says that the user should be identified by their certificate. How would I go about identifying this user based on their ssl certificate?
I assume nginx will handle the connection - I can't seem to find any mention in any rails documentation that I'll know anything more about the ssl status apart from request#ssl?
It sounds like you're planning to use SSL client certificates. You should be able to do this all in nginx using the ssl_verify_client config.
Here's a blog post that walks through the whole thing: http://rynop.wordpress.com/2012/11/26/howto-client-side-certificate-auth-with-nginx/
That will set up nginx to handle authentication for your application. If you need to do additional authorization (like checking the user's role), you'll need to configure nginx to pass some user identity information to your application. Add something like this to your nginx config:
proxy_set_header USER_DN $ssl_client_s_dn;
then in your app, use something like this to access the DN from the certificate and look it up in your user store:
user_dn = request.headers["HTTP_USER_DN"]
user = User.where(dn: user_dn).first

How can a client app using HTTPS be tested for protection against a MITMA?

I have an iOS client app which connects to a server using HTTPS.
I've added code in the client to verify the identity of the server.
How can a tester testing this feature test that it is now secure? How can they, for example, create a MITM situation and check that the client rejects connections, etc.?
I've tried googling for how to do this but haven't had much luck.
Can it be done using tools like Charles and proxies etc., or is messing around with a wireless router and having detailed knowledge necessary?
This might be an oversimplification for your solution, but the concepts might help.
A web browser extracts the host names from the embedded certificate and compares them with the host name that we're trying to connect to. If validation fails, we usually see a security warning. For example: we can connect to Facebook either by typing https://www.facebook.com or by typing https://173.252.100.16/. When we choose the second option, we get a security warning.
Your program must be using an SSL client socket to connect to the HTTPS server. The socket must have the capability to extract the host name from the embedded certificate. Once you get that, compare it with the valid host name that your program is trying to connect to. If it matches, let the request proceed; if not, abandon that session.
To re-create MITM, your web server can use a self-signed certificate that can be issued to whatever host name you want, but the IP of the server could be 127.0.0.1 (for example). Since there is a mismatch between the host name and the actual IP, we can probably simulate the MITM situation.
I'm assuming that the digital certificate can't be forged in this case.
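The host-name comparison described in this answer, as an added example that is not part of the original post: a Python function that checks the name or IP the client dialled against the subjectAltName entries of a certificate, using the dict shape returned by `ssl.SSLSocket.getpeercert()`. The certificates and host names are constructed, and the check covers the name only; validating the chain to a trusted CA is a separate step that the TLS library performs.

```python
import ipaddress

def dns_id_matches(pattern, host):
    """Compare one DNS entry with the host; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_matches_host(cert, host):
    """Return True if the certificate is valid for the name or IP the client dialled."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # Dialling by IP only passes when the certificate lists that IP address.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and dns_id_matches(value, host) for kind, value in sans)

# Constructed certificates in getpeercert() form.
SERVER_CERT = {"subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com"))}
TEST_PROXY_CERT = {"subjectAltName": (("DNS", "proxy.test"),)}   # interception stand-in
LOOPBACK_CERT = {"subjectAltName": (("IP Address", "127.0.0.1"),)}

def run_checks():
    """Results a tester would expect from a client that enforces the name check."""
    return {
        "real server by name": cert_matches_host(SERVER_CERT, "www.example.com"),
        "real server by IP": cert_matches_host(SERVER_CERT, "203.0.113.7"),
        "proxy cert for app host": cert_matches_host(TEST_PROXY_CERT, "www.example.com"),
        "loopback cert by IP": cert_matches_host(LOOPBACK_CERT, "127.0.0.1"),
    }
```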
