FreeRadius EAP Settings Root and Server Certificate

Started by crissi, November 01, 2021, 10:45:15 AM

Hello,

I created a new CA for Radius, analogous to the one for the webgui: https://docs.opnsense.org/manual/how-tos/self-signed-chain.html

Under FreeRadius - EAP I set the Radius Intermediate CA that I created as the Root Certificate. Is this the correct way? Do I need to deploy the Radius Intermediate CA to the specific clients before connecting via Radius?

If I don't deploy the Intermediate CA and connect with a client to Radius, I get offered / installed to the keychain:

Server Certificate
Radius Intermediate CA

and additionally the Radius CA

Should normally only the Intermediate CA and the Radius Server Certificate be installed?

Thx!

Cheers,
Crissi

Please see here: the certificates offered on first connect of the client, and afterwards the certificates installed to the keychain.

Cheers,
Crissi

The Root CA certificate MUST always be installed (imported). In your case this would be the Radius CA (radius-ca).

Thanks, so under the FreeRadius EAP settings, do I need to choose the radius-ca or the radius-intermediate-ca there as well?

This is what's unclear for me, as I created the Radius CA, Radius Intermediate CA and Server Certificate under Trust.
Cheers,
Crissi

November 01, 2021, 01:53:17 PM #4 Last Edit: November 01, 2021, 02:05:14 PM by benyamin
The intermediate CA should be the one issuing certificates to clients (not the root CA).

I would try the intermediate CA (radius-intermediate-ca) first where it says Root CA.

The Server Certificate would be your "radius" certificate.

If it works a request can be made to change "Root CA" to "Issuing CA".

November 01, 2021, 05:34:20 PM #5 Last Edit: November 01, 2021, 05:40:44 PM by crissi
I have now exported the radius-ca under System - Trust - Authorities and installed / trusted the CA on my Mac.

Then I connect fresh to the wifi network and get offered / installed the radius-intermediate-ca and the radius certificate.

Now I'm wondering whether this is really correct, to then have radius-ca / radius-intermediate-ca and the radius certificate installed on the client PC?

If the process is the same as with the webgui certificate in the documentation https://docs.opnsense.org/manual/how-tos/self-signed-chain.html, the last step there is "Download the intermediate CA and install it to your browser", or am I wrong here?

Cheers,
Crissi

Both CA certificates should be imported into the client store to provide the full trust chain.

The server certificate usually doesn't need to be imported. I suspect that if you don't have the intermediate CA certificate (radius-intermediate-ca) imported it will offer both. With both CA certificates imported you should not be offered anything.

Try connecting without the server certificate (radius) imported to confirm this. IIRC, some RADIUS-backed EAP 802.1x implementations do require the server certificate to be installed, but it really shouldn't be necessary.

Thx, I have now imported both radius-ca and radius-intermediate-ca into the Mac key store as recommended and trusted them. Then I connect to the Wifi network and again also get offered the radius certificate, which I had to trust.

Afterwards I again have both CA certs and the server certificate stored in the keychain...

Cheers,
Crissi


My question is whether this is the correct way, to now have 3 certificates installed on the client? I'm also not sure yet whether the Intermediate CA or the Radius Root CA should be selected under the EAP Settings Root CA. What is the real benefit of having an intermediate CA in general?

Cheers,
Crissi

November 03, 2021, 10:42:08 AM #10 Last Edit: November 03, 2021, 10:44:24 AM by benyamin
Quote from: crissi on November 02, 2021, 06:53:37 PM
My question is, if this is the correct way to have now 3 Certificates installed on the Client?
Yes, it would appear so, at least on a Mac. This is the full certificate chain. The leaf or server certificate is only trusted because the issuing or intermediate Certificate Authority is trusted. In turn the intermediate CA certificate is only trusted because the Root CA is trusted. The Root CA is the self-signed trust anchor.

Quote from: crissi on November 02, 2021, 06:53:37 PM
Im also not sure yet, if under the EAP Settings Root CA the Intermediate CA or the Radius Root CA should be selected?
It is usually best practice to keep the Root CA offline and never use it to issue certificates except for an intermediate or issuing CA. As such, the intermediate CA should be selected here. If you look at the in-line help on the Services: FreeRADIUS: EAP page, you will notice it says:
Quote
Choose the Root CA [sic]. This CA will be trusted to issue client certificates for authentication. [Emphasis mine]
I can understand why it would be confusing, it clearly calls it a Root CA, but a Root CA should not be used to issue leaf certificates. It really should be changed to "Issuing CA".

Quote from: crissi on November 02, 2021, 06:53:37 PM
What is the real benefit to have a intermediate CA in general?
The real benefit is that if the issuing or intermediate CA is compromised its certificate can be revoked by the Root CA and a new intermediate CA established. Keeping the Root CA offline helps to mitigate this risk.

Having said that, I think OPNsense would need additional steps to preserve the Root CA offline. I'll raise that in the discussion being had here.

Quote
Yes, it would appear so, at least on a Mac

And on Windows and Android devices?

Quote
It really should be changed to "Issuing CA".

Yes, that would be perfect.

Quote
It is usually best practice to keep the Root CA offline

If there were a way to implement this, that would be great.

Thx!

Cheers,
Crissi

Regarding the number of certificates and using this solution for Windows and Android devices, you would need to provide some more information about your use scenario(s). Also, the inclusion of Windows clients will likely be your limiting factor when making your solution homogeneous or platform-independent.

If this is for an enterprise, and you have Windows devices that are part of an Active Directory domain, you must choose a certificate-based supplicant authentication technique rather than using encrypted usernames and passwords. If you do not, the device will not be able to connect to the network prior to the user logging in and authenticating. In this use case, the device and not the user is the "client" and as the device effectively does not have a password, you must use a certificate assigned to the device instead (for authentication).

What Default EAP Type did you choose at Services: FreeRADIUS: EAP...?

When you connect your Mac, I presume you get asked for username and password, yes?

Regarding changing the GUI to say "Issuing CA Certificate", "someone" can raise it as an issue on Git. However, I would wait until any issues you are having are sorted out first.

To move the Root CA offline, you could try the technique I posted here, but I note it is NOT tested. I note Fright's comments below my post that, in his humble opinion, OPNsense really isn't built to be a CA and should not really be used for production purposes.

Having said that, if you are using FreeRADIUS to manage users and clients internally, i.e. it is your user database (rather than say using a LDAP database), perhaps it has functionality to create client certificates (I don't know) in which case you might need the integrated CA.

If you do decide to move the Root CA offline, perhaps you can post your outcome here, or in the other topic, or maybe even start a new topic.

Regarding the number of certificates and using this solution for Windows and Android devices, you would need to provide some more information about your use scenario(s). Also, the inclusion of Windows clients will likely be your limiting factor when making your solution homogeneous or platform-independent.

If this is for an enterprise, and you have Windows devices that are part of an Active Directory domain, you must choose a certificate-based supplicant authentication technique rather than using encrypted usernames and passwords. If you do not, the device will not be able to connect to the network prior to the user logging in and authenticating. In this use case, the device and not the user is the "client" and as the device effectively does not have a password, you must use a certificate assigned to the device instead (for authentication).


Quote
I have Windows 10 devices, no ADS domain. I created WPA Enterprise networks on my Unifi AP, and on FreeRadius the AP as a client with a shared secret and the AP's IP as the remote client. Authentication with the users / passwords created in FreeRadius works fine.

Now I try to get certificate-based authentication to work (EAP-TLS).


What Default EAP Type did you choose at Services: FreeRADIUS: EAP...?

Quote
EAP is not available to choose; I have now selected PEAP, or do I need to select something different?

When you connect your Mac, I presume you get asked for username and password, yes?

Quote
Yes, I still get asked for username and password, even with the fully imported / trusted certificate chain.

Regarding changing the GUI to say "Issuing CA Certificate", "someone" can raise it as an issue on Git. However, I would wait until any issues you are having are sorted out first.

Quote
ok, thank you.

To move the Root CA offline, you could try the technique I posted here, but I note it is NOT tested. I note Fright's comments below my post that, in his humble opinion, OPNsense really isn't built to be a CA and should not really be used for production purposes.

Quote
It would be nice to use OPNsense as a full CA for production in future ...

Having said that, if you are using FreeRADIUS to manage users and clients internally, i.e. it is your user database (rather than say using a LDAP database), perhaps it has functionality to create client certificates (I don't know) in which case you might need the integrated CA.

Quote
Yes, I want to manage users internally, but would like to use certificate-based authentication, and therefore the CA would be needed, right?

If you do decide to move the Root CA offline, perhaps you can post your outcome here, or in the other topic, or maybe even start a new topic.

Quote
I would love to see the option under System – Trust – Authorities to set a CA Offline / Online.

Thx!
Cheers,
Crissi

Hi Crissi,

I think you quoted yourself instead of me in your last post.  ;)

The Default EAP Type, is technically a poor heading. I'm unsure what "default" refers to, i.e. is there a fallback method? The options are somewhat ambiguous too as PEAP is not an inner method or EAP type. I would suggest that the broadest interoperability will be achieved using EAP-TLS, which I presume is simply TLS in the drop down list. If I get time, I will look at the code to see what each of these are actually doing in the FreeRADIUS config, but I suggest that you not hold your breath for me to do so. 8^d

Upon changing to EAP-TLS, each client - or more correctly - supplicant, whether device or user, will need a fourth certificate: a client certificate. The first three are about trusting the server, the fourth is to authenticate the client.

You should check if FreeRADIUS/OPNsense has auto-magically created Client Certificates for you in System: Trust: Certificates. If not, you will need to create one for each user or device manually by clicking the Add button at System: Trust: Certificates and then choosing "Create an internal Certificate". When doing so, ensure you select the Intermediate CA at the "Certificate Authority", Client Certificate at "Type", and finally that the Common Name is the same as the device or user name so that you can tick the Check TLS Common-Name checkbox at Services: FreeRADIUS: EAP.

Either way, when you have Client Certificates, they should be downloaded to the respective device (if for a device) or devices (if for a user - wherever that user needs access).

After this, you should not be prompted for credentials.

You can use OPNsense as a CA, it just wouldn't typically be recommended as a security best practice, especially if OPNsense is operating as your perimeter firewall. The same would go for your user accounts. You may want to consider migrating the user database to an LDAP database on another server and do the same for your Issuing CA (and keep your Root CA offline).

As for making the Root CA offline on OPNsense, I don't believe this is physically possible. The private key must not be present but the certificate must be imported to ensure the full trust chain is available. On a truly offline Root CA, the CA itself is powered off and is air-gapped from the network, i.e. it has no network port. Updated files, e.g. a CRL or new issuing CA certificate, must be transferred by another mechanism, e.g. a USB flash drive.

Hope that's enough to keep you going...  :)