[RADIATOR] EAP TLS and XP machine authentication
Markus Moeller
huaraz at moeller.plus.com
Sat Apr 24 06:26:55 CDT 2010
Hi Hugh,
here is the AuthBy definition
#
<AuthBy FILE>
Identifier EapTLSDevice
Filename %D/Devices
EAPType TLS
#
# WLAN Additional Certificate Check
#
EAPTLS_CertificateVerifyHook file:"%D/EAPTLS_Certificate_check_Device.pl"
#
# WLAN root CAs
#
EAPTLS_CAFile %D/certs/CA/ALL-ca-certs.pem
#
# Radiator Cert
#
EAPTLS_CertificateFile %D/certs/wlancert.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certs/wlankey.pem
# EAPTLS_PrivateKeyPassword 1Wv7HpRG5C
EAPTLS_MaxFragmentSize 1000
#
# WLAN CRLs
#
EAPTLS_CRLCheck
EAPTLS_CRLFile %D/certs/crls/Root_CA_2.pem
EAPTLS_CRLFile %D/certs/crls/Root_CA_3.pem
EAPTLS_CRLFile %D/certs/crls/Server_CA_2.pem
EAPTLS_CRLFile %D/certs/crls/TLS_CA_1.pem
# EAPTLS_CRLFile %D/certs/revocations.pem
#
AutoMPPEKeys
</AuthBy>
the handler
#
<Handler User-Name=/host\/.+/, DeviceType="Wlan",DeviceGroup="global" >
# Mark request as WLAN request
RewriteUsername s/host\/(.*)/$1/
AddToRequestIfNotExist Request-Protocol=EAP-TLS
AuthByPolicy ContinueWhileAccept
AuthBy EapTLSDevice
AuthLog LogWLANAuthentication
AuthLog SysLogWLANAuthentication
AcctLogFileName %L/radiator_WLANacct
</Handler>
#
and the log output of the request
Sat Apr 24 04:00:02 2010: NOTICE: SIGHUP received: restarting
Sat Apr 24 04:00:02 2010: DEBUG: include /opt/radiator/etc/radiator_log.cfg
Sat Apr 24 04:00:02 2010: DEBUG: include /opt/radiator/etc/clients/radiator_WLAN.cfg
Sat Apr 24 04:00:02 2010: DEBUG: include /opt/radiator/etc/radiator_authby.cfg
Sat Apr 24 04:00:02 2010: DEBUG: include /opt/radiator/etc/radiator_authlog.cfg
Sat Apr 24 04:00:02 2010: DEBUG: include /opt/radiator/etc/radiator_handler.cfg
Sat Apr 24 04:00:02 2010: DEBUG: Finished reading configuration file '/opt/radiator/etc/radiator_WLAN.cfg'
Sat Apr 24 04:00:02 2010: DEBUG: Reading dictionary file '/opt/radiator/etc/dictionary'
Sat Apr 24 04:00:02 2010: DEBUG: Creating authentication port 0.0.0.0:11812
Sat Apr 24 04:00:02 2010: DEBUG: Creating accounting port 0.0.0.0:11813
Sat Apr 24 04:00:02 2010: NOTICE: Server started: Radiator 4.5 on radprod1
.....
Fri Apr 23 11:35:58 2010: DEBUG: Packet dump:
*** Received from 10.7.96.21 port 32768 ....
Code: Access-Request
Identifier: 195
Authentic: <207><142><194><3>W<254>'-<23><147>p<151><145><155><254><2>
Attributes:
User-Name = "host/host1.domain.com"
Calling-Station-Id = "00-1c-bf-a2-d5-f5"
Called-Station-Id = "00-19-07-8c-92-90:D77yZsCpy6Cyh95Q8!"
NAS-Port = 29
NAS-IP-Address = 10.7.96.21
NAS-Identifier = "HCESB991"
Airespace-WLAN-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-IEEE-802-11
Tunnel-Type = 0:VLAN
Tunnel-Medium-Type = 0:802
Tunnel-Private-Group-ID = 662
EAP-Message =
<2><9><4><187><13><0>?<208><0>2`~<237><239><187><8><196><225>9<167>[Tz<12>.<
153><170><24><184><239><174>$<147><236>*<215><177><218>&<18><136><233>yT<194
><18><182><27><172>u<187>?<200>B<16>x<243>;W<193><255><170><8><134><29><9><2
29>eh,<225><198><170><223><222><163><226>F<7><138>$<161><160><221><24><225><
210>i<143><216><26><149><162>N<132><183><201>n<181>f2f<187><165>D<252><208><
6>b|<151>*<250><20><171><234><200><149>;<165><30>fo<168><169><154><185><132>
<196><212><135>M<236>S<161><193><24><239>{)t<2><145>=<218>;<234><142><17>r0<
245>[!<131><185><216><219><4>]<189><23><219>$<149><168><231><12><170><143><1
47>N<169>d<188><169>b<14><243>Y<127><246>g<14><226>/-<191><138>}v<202><152><
210>3<156><161>(m<0>]<28>Yh<201><239>u<254><168>
I<18><161><245><158><143><193><2><3><1><0><1><163><130><1>~0<130><1>z0<29><6
><3>U<29><14><4><22><4><20><163><161><216><192><155><251>Tb<226><148>0<232>
EAP-Message =
<226>|N<204><130><192><225><147>0<31><6><3>U<29>#<4><24>0<22><128><20><206><
148><206><139>J<145>?<173><19>g<214><174>E<145>}7i<227><226><179>0<18><6><3>
U<29><19><1><1><255><4><8>0<6><1><1><255><2><1><0>0<14><6><3>U<29><15><1><1>
<255><4><4><3><2><1><6>0j<6><3>U<29>
<4>c0a0_<6><11>+<6><1><4><1><143>H<10><1><11><2>0P0N<6><8>+<6><1><5><5><7><2
><2>0B<26>@This certificate is for testing only - do not use in
production!0<129><167><6><3>U<29><31><4><129><159>0<129><156>0<129><153><160
><129><150><160><129><147><134><129><144>ldap://ldapd1.domain.com:389/CN=
EAP-Message =
Root%20TEST%20CA%202?certificateRevocationList?base0<13><6><9>*<134>H
<134><247><13><1><1><5><5><0><3>
<130><1><1><0>}<166><195>-<168><146>J<253><155><202><29><176><29>U<224><203>
<151><219><248>o<191>o<198>4<4>l<196>V<158>/<216><201><226><13>\;^<1>#h<0><2
6><28><249><197><234><163><176><230><207><132>M<245><193><168>Y<200><231>-w<
160><127><7><166><139><141>k<151>i<231><1<153><248>R<3><23><240><29><209><17
><135><172><143><216><11><238>%<237>jUT<208><239><228><186><168><235><162><2
18><184><23><141><131>9<157>Pd<176>}=<26><225>u@<142>
<209><8>l<229><248>t><207>.<173><250><19>=c
EAP-Message =
<250><132><139>@<181><150><173><174>v<191><192><204><215><181><139><183><240
>]W.<2>a<243>%f<16><152><28>S<179><25><210>QL<250><2><213>T<151>=<21><221>e<
141>]<205>d<20>k<196><220>X<155><239><153><13><2><225><169><253><170><193>V<
155><5><19>o<164><170><222><28><244><132><246><<9><195><173><167>+<27><172><
195>|<128><235><154><195>3q<171>K<249>a<203><132>(<199><146>mJ<194><1><234><
9>R<155>;Is<255><156><130>X<169><20><243>.<135>cze<196><17><148><16><0><0><1
30><0><128><150><251>j}<144><131><<23>?<170>un<152><15>:x<135><243><214><136
><235><150>J:h<204>u(<189>sR<241><10><157><131><176><144><145><169>po<21><25
5><181>b<160>Y<236><135><243><228>^<149><127><6>$~<156><127>{<206>/<186><31>
H<191><31><201>8<167>><23><176><8><243><13><25><31><169><19><15><175><6>Qy5<
22>P<165><173>r<220><184>h<195>Z7<140><248>31C<142><138>%EG<169>4-!?><201>,<
196>g{+\|<211>
EAP-Message =
Ak<227><241><183>\<15><0><0><130><0><128><134><137>h<184><19>w<7>b7ai+<26><2
26><202>O<155>s_N<8><202><208><232><243><6><160><153><251>T<9>:<3><151><224>
<19><213><30><200>Nsjd<222>/j<208>%<10><215><213><211><240><150>2 at L}<15>H{(s
<164><180><225><25><28>8<215><184><183>M<233><243>l<20>b<8><23><173><6><251>
<176><6><156><246>m<6><244><7><246><29><217><216>l*0<152>R<184><30><17>H<133
>d<217><233><237><199>"<217><4><139>i<22><2><27><166>bH-<136><181>DI<135>8<2
0><3><1><0><1><1><22><3><1><0>0L,H<136><133><149>5K<171><157>A<208><a<247><2
26><157>Dac[<197>=<177><193><8>&<231><216><175><200><23>v<241>z<250><29>_<21
>h<30>z<17><22><169><188><170><148>
Message-Authenticator = <168>)F<184>T<230>;9<242><210><14>X<17><232><163><145>
Fri Apr 23 11:35:58 2010: DEBUG: Handling request with Handler 'User-Name=/host\/.+/, DeviceType="Wlan",DeviceGroup="global"'
Fri Apr 23 11:35:58 2010: DEBUG: Rewrote user name to host1.domain.com@unknown
Fri Apr 23 11:35:58 2010: DEBUG: Deleting session for host/host1.domain.com, 10.37.196.121, 29
Fri Apr 23 11:35:58 2010: DEBUG: Handling with Radius::AuthFILE:EapTLSDevice
Fri Apr 23 11:35:58 2010: DEBUG: Handling with EAP: code 2, 9, 1211, 13
Fri Apr 23 11:35:58 2010: DEBUG: Response type 13
Fri Apr 23 11:35:58 2010: DEBUG: Certificate Subject Name is /DC=com/DC=DOMAIN/O=TEST/CN=host1.domain.com
Fri Apr 23 11:35:58 2010: DEBUG: Matched certificate CN host1.domain.com with User-Name host1.domain.com@unknown or identity host/host1.domain.com
Fri Apr 23 11:35:58 2010: DEBUG: Radius::AuthFILE looks for match with host1.domain.com [host/host1.domain.com]
Fri Apr 23 11:35:58 2010: DEBUG: Radius::AuthFILE REJECT: No such user: host1.domain.com [host/host1.domain.com]
Fri Apr 23 11:35:58 2010: DEBUG: Radius::AuthFILE looks for match with DEFAULT [host/host1.domain.com]
Fri Apr 23 11:35:58 2010: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [host/host1.domain.com]
Fri Apr 23 11:35:58 2010: DEBUG: EAPTLS_CertificateVerifyHook matchDN: host1.domain.com
Fri Apr 23 11:35:58 2010: DEBUG: EAPTLS_CertificateVerifyHook issuer: /CN=Server TEST CA 2
Fri Apr 23 11:35:58 2010: DEBUG: EAPTLS_CertificateVerifyHook EKU:clientAuth
Fri Apr 23 11:35:58 2010: ERR: EAP TLS error: -1, 1, 8640, 0, 14579: 1 -error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Fri Apr 23 11:35:58 2010: DEBUG: EAP result: 1, EAP TLS error
Fri Apr 23 11:35:58 2010: DEBUG: AuthBy FILE result: REJECT, EAP TLS error
Fri Apr 23 11:35:58 2010: INFO: Access rejected for host1.domain.com@unknown: EAP TLS error
Fri Apr 23 11:35:58 2010: DEBUG: Packet dump:
*** Sending to 10.7.96.21 port 32768 ....
Code: Access-Reject
Identifier: 195
Authentic: <230><254>)<134>o<193><183><12><144><8><157><131><172><4><213><209>
Attributes:
EAP-Message = <4><9><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
Regards
Markus
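As an added illustration (not part of the original post, and not Radiator's own code), the following Perl script applies the Handler's RewriteUsername expression to a constructed User-Name and then compares the result with the certificate CN and subjectAltName values seen in the trace, in the order the "Matched certificate CN" and "Checking subjectAltName" log lines describe. The inputs are constructed from the trace, and the assumption that Radiator evaluates the expression as a Perl substitution on $_ is labelled in the code; Radiator's own matching code is not reproduced.

```perl
#!/usr/bin/perl
# Added example, not from the original post and not Radiator's own code.
# Applies the Handler's RewriteUsername expression to the EAP identity and
# then compares the result with the certificate CN and subjectAltName
# dNSName entries, mirroring what the trace reports.
use strict;
use warnings;

# Constructed inputs, modelled on the values in the trace (assumed).
my $user_name  = 'host/host1.domain.com';
my $subject_dn = '/DC=com/DC=DOMAIN/O=TEST/CN=host1.domain.com';
my @san_dns    = ('host1.domain.com');

# The RewriteUsername expression from the Handler, verbatim.
my $rewrite = 's/host\/(.*)/$1/';

# Apply a RewriteUsername-style Perl substitution to a copy of the name.
# Assumption: the expression is evaluated against $_, as the Radiator
# manual describes; Radiator's own implementation is not reproduced here.
sub rewrite_username {
    my ($name, $expr) = @_;
    local $_ = $name;
    eval $expr;
    die "bad rewrite expression '$expr': $@" if $@;
    return $_;
}

# Pull the CN out of an OpenSSL one-line DN such as /DC=com/O=x/CN=host.
sub cn_from_dn {
    my ($dn) = @_;
    return $dn =~ m{/CN=([^/]+)} ? $1 : undef;
}

# Drop a trailing @realm; the trace shows the name as host1.domain.com@unknown.
sub strip_realm {
    my ($name) = @_;
    $name =~ s/\@[^\@]*\z//;
    return $name;
}

# Case-insensitive match of a name against the CN, then the SAN dNSNames.
# Returns a description of what matched, or undef when nothing did.
sub match_identity {
    my ($name, $dn, @san) = @_;
    my $bare = lc strip_realm($name);
    my $cn   = cn_from_dn($dn);
    return "CN $cn" if defined $cn && lc($cn) eq $bare;
    for my $alt (@san) {
        return "subjectAltName $alt" if lc($alt) eq $bare;
    }
    return undef;
}

# Try the raw identity, the rewritten one, and the rewritten one with the
# realm Radiator appended, so the effect of the Handler's rewrite is visible.
my $rewritten = rewrite_username($user_name, $rewrite);
for my $candidate ($user_name, $rewritten, "$rewritten\@unknown") {
    my $hit = match_identity($candidate, $subject_dn, @san_dns);
    printf "%-26s -> %s\n", $candidate, defined $hit ? "matched $hit" : "no match";
}
```

Run it with plain perl; the raw host/ identity finds no match, while the rewritten name (with or without the @unknown realm) matches the CN, which is the difference between the first trace in the thread and the one above.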
----- Original Message -----
From: "Hugh Irvine" <hugh at open.com.au>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Cc: <radiator at open.com.au>
Sent: Saturday, April 24, 2010 12:27 AM
Subject: Re: [RADIATOR] EAP TLS and XP machine authentication
Hello Markus -
Can you please send me a copy of the configuration file and a more complete
trace 4 debug showing more of what is happening?
thanks and regards
Hugh
On 23 Apr 2010, at 19:33, Markus Moeller wrote:
> Hi,
>
> I am trying to use 802.1X with XP and machine authentication. I can see the
> RADIUS request with username host/<fqdn>, and then I see the RADIUS server
> failing because neither the CN nor the subjectAltName (= <fqdn> only) matches
> the username.
>
> Fri Apr 23 09:59:40 2010: DEBUG: Response type 13
> Fri Apr 23 09:59:40 2010: DEBUG: Certificate Subject Name is /DC=com/DC=DOMAIN/O=TEST/CN=host1.domain.com
> Fri Apr 23 09:59:40 2010: DEBUG: Checking subjectAltName type 2, value host1.domain.com
> Fri Apr 23 09:59:40 2010: INFO: EAP TLS client certificate subject /DC=com/DC=DOMAIN/O=TEST/CN=host1.domain.com does not match user name host/host1.domain.com@unknown or identity host/host1.domain.com
> Fri Apr 23 09:59:40 2010: INFO: EAP TLS certificate verification failed: application verification failure, 14579: 1 - error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>
>
> What is the right way to configure Radiator, or how should the certificate
> be created?
>
> Thank you
> Markus
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.