[RADIATOR] EAP TLS and XP machine authentication

Markus Moeller huaraz at moeller.plus.com
Sat Apr 24 06:34:47 CDT 2010


Hi Hugh,

  Sorry I forgot to say in my previous mail that I solved it via a rewrite 
rule (as you can see from the log), but got another error which I have to 
investigate. Is the rewrite the right thing to do?

Regards
Markus

----- Original Message ----- 
From: "Markus Moeller" <huaraz at moeller.plus.com>
To: "Hugh Irvine" <hugh at open.com.au>
Cc: <radiator at open.com.au>
Sent: Saturday, April 24, 2010 12:26 PM
Subject: Re: [RADIATOR] EAP TLS and XP machine authentication


> Hi Hugh,
>
> here is the Authby definition
>
> #
> <AuthBy FILE>
>  Identifier EapTLSDevice
>  Filename %D/Devices
>
>  EAPType TLS
>
> #
> # WLAN Additional Certificate Check
> #
>  EAPTLS_CertificateVerifyHook file:"%D/EAPTLS_Certificate_check_Device.pl"
>
> #
> # WLAN root CAs
> #
>  EAPTLS_CAFile %D/certs/CA/ALL-ca-certs.pem
>
> #
> # Radiator Cert
> #
>  EAPTLS_CertificateFile %D/certs/wlancert.pem
>  EAPTLS_CertificateType PEM
>
>  EAPTLS_PrivateKeyFile %D/certs/wlankey.pem
> #  EAPTLS_PrivateKeyPassword 1Wv7HpRG5C
>
>  EAPTLS_MaxFragmentSize 1000
>
> #
> # WLAN CRLs
> #
>  EAPTLS_CRLCheck
>  EAPTLS_CRLFile %D/certs/crls/Root_CA_2.pem
>  EAPTLS_CRLFile %D/certs/crls/Root_CA_3.pem
>  EAPTLS_CRLFile %D/certs/crls/Server_CA_2.pem
>  EAPTLS_CRLFile %D/certs/crls/TLS_CA_1.pem
>
> # EAPTLS_CRLFile %D/certs/revocations.pem
> #
>  AutoMPPEKeys
> </AuthBy>
>
> the handler
>
> #
> <Handler User-Name=/host\/.+/, DeviceType="Wlan",DeviceGroup="global" >
>        # Mark request as WLAN request
>        RewriteUsername s/host\/(.*)/$1/
>        AddToRequestIfNotExist Request-Protocol=EAP-TLS
>        AuthByPolicy ContinueWhileAccept
>        AuthBy EapTLSDevice
>        AuthLog LogWLANAuthentication
>        AuthLog SysLogWLANAuthentication
>        AcctLogFileName %L/radiator_WLANacct
> </Handler>
> #
>
>
>
> and the log output of the request
>
>
> Sat Apr 24 04:00:02 2010: NOTICE: SIGHUP received: restarting
> Sat Apr 24 04:00:02 2010: DEBUG: include 
> /opt/radiator/etc/radiator_log.cfg
> Sat Apr 24 04:00:02 2010: DEBUG: include
> /opt/radiator/etc/clients/radiator_WLAN.cfg
> Sat Apr 24 04:00:02 2010: DEBUG: include
> /opt/radiator/etc/radiator_authby.cfg
> Sat Apr 24 04:00:02 2010: DEBUG: include
> /opt/radiator/etc/radiator_authlog.cfg
> Sat Apr 24 04:00:02 2010: DEBUG: include
> /opt/radiator/etc/radiator_handler.cfg
> Sat Apr 24 04:00:02 2010: DEBUG: Finished reading configuration file
> '/opt/radiator/etc/radiator_WLAN.cfg'
> Sat Apr 24 04:00:02 2010: DEBUG: Reading dictionary file
> '/opt/radiator/etc/dictionary'
> Sat Apr 24 04:00:02 2010: DEBUG: Creating authentication port 
> 0.0.0.0:11812
> Sat Apr 24 04:00:02 2010: DEBUG: Creating accounting port 0.0.0.0:11813
> Sat Apr 24 04:00:02 2010: NOTICE: Server started: Radiator 4.5 on radprod1
>
> .....
>
> Fri Apr 23 11:35:58 2010: DEBUG: Packet dump:
> *** Received from 10.7.96.21 port 32768 ....
> Code:       Access-Request
> Identifier: 195
> Authentic:  <207><142><194><3>W<254>'-<23><147>p<151><145><155><254><2>
> Attributes:
>        User-Name = "host/host1.domain.com"
>        Calling-Station-Id = "00-1c-bf-a2-d5-f5"
>        Called-Station-Id = "00-19-07-8c-92-90:D77yZsCpy6Cyh95Q8!"
>        NAS-Port = 29
>        NAS-IP-Address = 10.7.96.21
>        NAS-Identifier = "HCESB991"
>        Airespace-WLAN-Id = 1
>        Service-Type = Framed-User
>        Framed-MTU = 1300
>        NAS-Port-Type = Wireless-IEEE-802-11
>        Tunnel-Type = 0:VLAN
>        Tunnel-Medium-Type = 0:802
>        Tunnel-Private-Group-ID = 662
>        Message-Authenticator =
> <168>)F<184>T<230>;9<242><210><14>X<17><232><163><145>
>
> Fri Apr 23 11:35:58 2010: DEBUG: Handling request with Handler
> 'User-Name=/host\/.+/, DeviceType="Wlan",DeviceGroup="global"'
> Fri Apr 23 11:35:58 2010: DEBUG: Rewrote user name to
> host1.domain.com@unknown
> Fri Apr 23 11:35:58 2010: DEBUG:  Deleting session for
> host/host1.domain.com, 10.37.196.121, 29
> Fri Apr 23 11:35:58 2010: DEBUG: Handling with 
> Radius::AuthFILE:EapTLSDevice
> Fri Apr 23 11:35:58 2010: DEBUG: Handling with EAP: code 2, 9, 1211, 13
> Fri Apr 23 11:35:58 2010: DEBUG: Response type 13
> Fri Apr 23 11:35:58 2010: DEBUG: Certificate Subject Name is
> /DC=com/DC=DOMAIN/O=TEST/CN=host1.domain.com
> Fri Apr 23 11:35:58 2010: DEBUG: Matched certificate CN host1.domain.com
> with User-Name host1.domain.com@unknown or identity host/host1.domain.com
> Fri Apr 23 11:35:58 2010: DEBUG: Radius::AuthFILE looks for match with
> host1.domain.com [host/host1.domain.com]
> Fri Apr 23 11:35:58 2010: DEBUG: Radius::AuthFILE REJECT: No such user:
> host1.domain.com [host/host1.domain.com]
> Fri Apr 23 11:35:58 2010: DEBUG: Radius::AuthFILE looks for match with
> DEFAULT [host/host1.domain.com]
> Fri Apr 23 11:35:58 2010: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT
> [host/host1.domain.com]
> Fri Apr 23 11:35:58 2010: DEBUG: EAPTLS_CertificateVerifyHook matchDN:
> host1.domain.com
> Fri Apr 23 11:35:58 2010: DEBUG: EAPTLS_CertificateVerifyHook issuer:
> /CN=Server TEST CA 2
> Fri Apr 23 11:35:58 2010: DEBUG: EAPTLS_CertificateVerifyHook 
> EKU:clientAuth
> Fri Apr 23 11:35:58 2010: ERR: EAP TLS error: -1, 1, 8640, 0,  14579:
> 1 -error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad
> record mac
> Fri Apr 23 11:35:58 2010: DEBUG: EAP result: 1, EAP TLS error
> Fri Apr 23 11:35:58 2010: DEBUG: AuthBy FILE result: REJECT, EAP TLS error
> Fri Apr 23 11:35:58 2010: INFO: Access rejected for
> host1.domain.com@unknown: EAP TLS error
> Fri Apr 23 11:35:58 2010: DEBUG: Packet dump:
> *** Sending to 10.7.96.21 port 32768 ....
> Code:       Access-Reject
> Identifier: 195
> Authentic:
> <230><254>)<134>o<193><183><12><144><8><157><131><172><4><213><209>
> Attributes:
>        EAP-Message = <4><9><0><4>
>        Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>        Reply-Message = "Request Denied"
>
>
>
> Regards
> Markus
>
>
>
> ----- Original Message ----- 
> From: "Hugh Irvine" <hugh at open.com.au>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Cc: <radiator at open.com.au>
> Sent: Saturday, April 24, 2010 12:27 AM
> Subject: Re: [RADIATOR] EAP TLS and XP machine authentication
>
>
>
> Hello Markus -
>
> Can you please send me a copy of the configuration file and a more 
> complete
> trace 4 debug showing more of what is happening?
>
> thanks and regards
>
> Hugh
>
>
> On 23 Apr 2010, at 19:33, Markus Moeller wrote:
>
>> Hi,
>>
>>    I try to use 802.1x with XP and machine authentication.  I can see the
>> radius request with username host/<fqdn> and then I see the radius server
>> failing because neither the CN nor the subjectaltname (= <fqdn> only) matches
>> the username.
>>
>> Fri Apr 23 09:59:40 2010: DEBUG: Response type 13
>> Fri Apr 23 09:59:40 2010: DEBUG: Certificate Subject Name is
>> /DC=com/DC=DOMAIN/O=TEST/CN=host1.domain.com
>> Fri Apr 23 09:59:40 2010: DEBUG: Checking subjectAltName type 2, value
>> host1.domain.com
>> Fri Apr 23 09:59:40 2010: INFO: EAP TLS client certificate subject
>> /DC=com/DC=DOMAIN/O=TEST/CN=host1.domain.com does not match
>> user name host/host1.domain.com@unknown or identity host/host1.domain.com
>> Fri Apr 23 09:59:40 2010: INFO: EAP TLS certificate verification failed:
>> application verification failure,  14579: 1 - error:140890B2:SSL
>> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>>
>>
>> What is the right way to configure Radiator or how should the certificate
>> be created?
>>
>> Thank you
>> Markus
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
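The identity-to-certificate check that the thread turns on (XP sends User-Name host/<fqdn>, the client certificate carries only <fqdn> in its CN and dNSName SAN, and the handler's RewriteUsername strips the host/ prefix so the names line up), as an added Python illustration that is not Radiator's code; the realm-stripping and the CN-before-SAN match order are assumptions taken from the log lines above.

```python
import re
from typing import Iterable, Optional

# The handler's "RewriteUsername s/host\/(.*)/$1/" expressed as a Python regex.
HOST_PREFIX_RULE = (r"host/(.*)", r"\1")


def rewrite_username(user_name: str) -> str:
    """Strip the XP machine-authentication prefix, as the Radiator rewrite rule does."""
    pattern, repl = HOST_PREFIX_RULE
    return re.sub(pattern, repl, user_name)


def strip_realm(name: str) -> str:
    """Drop an @realm suffix; the log shows 'host1.domain.com@unknown' (assumption)."""
    return name.split("@", 1)[0]


def identity_matches_certificate(user_name: str, eap_identity: str,
                                 cert_cn: str, san_dns: Iterable[str]) -> Optional[str]:
    """Return the certificate name that matched, or None.

    Mirrors the check the log describes: the subject CN or a dNSName SAN must
    equal either the (realm-stripped) User-Name or the raw EAP identity.
    CN is tried first, then each SAN in order (assumed order).
    """
    candidates = {strip_realm(user_name), eap_identity}
    for name in [cert_cn, *san_dns]:
        if name in candidates:
            return name
    return None


def simulate(user_name: str, cert_cn: str, san_dns: Iterable[str],
             rewrite: bool = False) -> Optional[str]:
    """Run the check with or without the handler's rewrite applied.

    The EAP identity is what the supplicant sent and is never rewritten;
    only the RADIUS User-Name attribute is.
    """
    eap_identity = user_name
    if rewrite:
        user_name = rewrite_username(user_name)
    return identity_matches_certificate(user_name, eap_identity, cert_cn, san_dns)


if __name__ == "__main__":
    # Constructed inputs matching the thread: XP identity vs. a cert for the bare FQDN.
    print(simulate("host/host1.domain.com", "host1.domain.com", ["host1.domain.com"]))
    print(simulate("host/host1.domain.com", "host1.domain.com", ["host1.domain.com"], rewrite=True))
```

Without the rewrite the check fails exactly as in the first log (no name equals host/host1.domain.com); with it the CN matches, after which the AuthBy FILE lookup runs against the rewritten name host1.domain.com and falls through to DEFAULT, as the second log shows.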