[RADIATOR] EAP TLS and XP machine authentication
Hugh Irvine
hugh at open.com.au
Tue Apr 27 01:43:47 CDT 2010
Hello Markus -
Sorry to be dense, but what exactly are you wanting to do? And what exactly are you expecting to happen?
I'm not understanding your requirements, nor the results you show below.
You can send to me directly if you prefer.
regards
Hugh
On 24 Apr 2010, at 21:26, Markus Moeller wrote:
> Hi Hugh,
>
> here is the Authby definition
>
> #
> <AuthBy FILE>
> Identifier EapTLSDevice
> Filename %D/Devices
>
> EAPType TLS
>
> #
> # WLAN Additional Certificate Check
> #
> EAPTLS_CertificateVerifyHook file:"%D/EAPTLS_Certificate_check_Device.pl"
>
> #
> # WLAN root CAs
> #
> EAPTLS_CAFile %D/certs/CA/ALL-ca-certs.pem
>
> #
> # Radiator Cert
> #
> EAPTLS_CertificateFile %D/certs/wlancert.pem
> EAPTLS_CertificateType PEM
>
> EAPTLS_PrivateKeyFile %D/certs/wlankey.pem
> # EAPTLS_PrivateKeyPassword 1Wv7HpRG5C
>
> EAPTLS_MaxFragmentSize 1000
>
> #
> # WLAN CRLs
> #
> EAPTLS_CRLCheck
> EAPTLS_CRLFile %D/certs/crls/Root_CA_2.pem
> EAPTLS_CRLFile %D/certs/crls/Root_CA_3.pem
> EAPTLS_CRLFile %D/certs/crls/Server_CA_2.pem
> EAPTLS_CRLFile %D/certs/crls/TLS_CA_1.pem
>
> # EAPTLS_CRLFile %D/certs/revocations.pem
> #
> AutoMPPEKeys
> </AuthBy>
>
> the handler
>
> #
> <Handler User-Name=/host\/.+/, DeviceType="Wlan",DeviceGroup="global" >
> # Mark request as WLAN request
> RewriteUsername s/host\/(.*)/$1/
> AddToRequestIfNotExist Request-Protocol=EAP-TLS
> AuthByPolicy ContinueWhileAccept
> AuthBy EapTLSDevice
> AuthLog LogWLANAuthentication
> AuthLog SysLogWLANAuthentication
> AcctLogFileName %L/radiator_WLANacct
> </Handler>
> #
>
>
>
> and the log output of the request
>
>
> Sat Apr 24 04:00:02 2010: NOTICE: SIGHUP received: restarting
> Sat Apr 24 04:00:02 2010: DEBUG: include /opt/radiator/etc/radiator_log.cfg
> Sat Apr 24 04:00:02 2010: DEBUG: include /opt/radiator/etc/clients/radiator_WLAN.cfg
> Sat Apr 24 04:00:02 2010: DEBUG: include /opt/radiator/etc/radiator_authby.cfg
> Sat Apr 24 04:00:02 2010: DEBUG: include /opt/radiator/etc/radiator_authlog.cfg
> Sat Apr 24 04:00:02 2010: DEBUG: include /opt/radiator/etc/radiator_handler.cfg
> Sat Apr 24 04:00:02 2010: DEBUG: Finished reading configuration file '/opt/radiator/etc/radiator_WLAN.cfg'
> Sat Apr 24 04:00:02 2010: DEBUG: Reading dictionary file '/opt/radiator/etc/dictionary'
> Sat Apr 24 04:00:02 2010: DEBUG: Creating authentication port 0.0.0.0:11812
> Sat Apr 24 04:00:02 2010: DEBUG: Creating accounting port 0.0.0.0:11813
> Sat Apr 24 04:00:02 2010: NOTICE: Server started: Radiator 4.5 on radprod1
>
> .....
>
> Fri Apr 23 11:35:58 2010: DEBUG: Packet dump:
> *** Received from 10.7.96.21 port 32768 ....
> Code: Access-Request
> Identifier: 195
> Authentic: <207><142><194><3>W<254>'-<23><147>p<151><145><155><254><2>
> Attributes:
> User-Name = "host/host1.domain.com"
> Calling-Station-Id = "00-1c-bf-a2-d5-f5"
> Called-Station-Id = "00-19-07-8c-92-90:D77yZsCpy6Cyh95Q8!"
> NAS-Port = 29
> NAS-IP-Address = 10.7.96.21
> NAS-Identifier = "HCESB991"
> Airespace-WLAN-Id = 1
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 662
> EAP-Message =
> <2><9><4><187><13><0>?<208><0>2`~<237><239><187><8><196><225>9<167>[Tz<12>.<
> 153><170><24><184><239><174>$<147><236>*<215><177><218>&<18><136><233>yT<194
>> <18><182><27><172>u<187>?<200>B<16>x<243>;W<193><255><170><8><134><29><9><2
> 29>eh,<225><198><170><223><222><163><226>F<7><138>$<161><160><221><24><225><
> 210>i<143><216><26><149><162>N<132><183><201>n<181>f2f<187><165>D<252><208><
> 6>b|<151>*<250><20><171><234><200><149>;<165><30>fo<168><169><154><185><132>
> <196><212><135>M<236>S<161><193><24><239>{)t<2><145>=<218>;<234><142><17>r0<
> 245>[!<131><185><216><219><4>]<189><23><219>$<149><168><231><12><170><143><1
> 47>N<169>d<188><169>b<14><243>Y<127><246>g<14><226>/-<191><138>}v<202><152><
> 210>3<156><161>(m<0>]<28>Yh<201><239>u<254><168>
> I<18><161><245><158><143><193><2><3><1><0><1><163><130><1>~0<130><1>z0<29><6
>> <3>U<29><14><4><22><4><20><163><161><216><192><155><251>Tb<226><148>0<232>
> EAP-Message =
> <226>|N<204><130><192><225><147>0<31><6><3>U<29>#<4><24>0<22><128><20><206><
> 148><206><139>J<145>?<173><19>g<214><174>E<145>}7i<227><226><179>0<18><6><3>
> U<29><19><1><1><255><4><8>0<6><1><1><255><2><1><0>0<14><6><3>U<29><15><1><1>
> <255><4><4><3><2><1><6>0j<6><3>U<29>
> <4>c0a0_<6><11>+<6><1><4><1><143>H<10><1><11><2>0P0N<6><8>+<6><1><5><5><7><2
>> <2>0B<26>@This certificate is for testing only - do not use in
> production!0<129><167><6><3>U<29><31><4><129><159>0<129><156>0<129><153><160
>> <129><150><160><129><147><134><129><144>ldap://ldapd1.domain.com:389/CN=
> EAP-Message =
> Root%20TEST%20CA%202?certificateRevocationList?base0<13><6><9>*<134>H
> <134><247><13><1><1><5><5><0><3>
> <130><1><1><0>}<166><195>-<168><146>J<253><155><202><29><176><29>U<224><203>
> <151><219><248>o<191>o<198>4<4>l<196>V<158>/<216><201><226><13>\;^<1>#h<0><2
> 6><28><249><197><234><163><176><230><207><132>M<245><193><168>Y<200><231>-w<
> 160><127><7><166><139><141>k<151>i<231><1<153><248>R<3><23><240><29><209><17
>> <135><172><143><216><11><238>%<237>jUT<208><239><228><186><168><235><162><2
> 18><184><23><141><131>9<157>Pd<176>}=<26><225>u@<142>
> <209><8>l<229><248>t><207>.<173><250><19>=c
> EAP-Message =
> <250><132><139>@<181><150><173><174>v<191><192><204><215><181><139><183><240
>> ]W.<2>a<243>%f<16><152><28>S<179><25><210>QL<250><2><213>T<151>=<21><221>e<
> 141>]<205>d<20>k<196><220>X<155><239><153><13><2><225><169><253><170><193>V<
> 155><5><19>o<164><170><222><28><244><132><246><<9><195><173><167>+<27><172><
> 195>|<128><235><154><195>3q<171>K<249>a<203><132>(<199><146>mJ<194><1><234><
> 9>R<155>;Is<255><156><130>X<169><20><243>.<135>cze<196><17><148><16><0><0><1
> 30><0><128><150><251>j}<144><131><<23>?<170>un<152><15>:x<135><243><214><136
>> <235><150>J:h<204>u(<189>sR<241><10><157><131><176><144><145><169>po<21><25
> 5><181>b<160>Y<236><135><243><228>^<149><127><6>$~<156><127>{<206>/<186><31>
> H<191><31><201>8<167>><23><176><8><243><13><25><31><169><19><15><175><6>Qy5<
> 22>P<165><173>r<220><184>h<195>Z7<140><248>31C<142><138>%EG<169>4-!?><201>,<
> 196>g{+\|<211>
> EAP-Message =
> Ak<227><241><183>\<15><0><0><130><0><128><134><137>h<184><19>w<7>b7ai+<26><2
> 26><202>O<155>s_N<8><202><208><232><243><6><160><153><251>T<9>:<3><151><224>
> <19><213><30><200>Nsjd<222>/j<208>%<10><215><213><211><240><150>2 at L}<15>H{(s
> <164><180><225><25><28>8<215><184><183>M<233><243>l<20>b<8><23><173><6><251>
> <176><6><156><246>m<6><244><7><246><29><217><216>l*0<152>R<184><30><17>H<133
>> d<217><233><237><199>"<217><4><139>i<22><2><27><166>bH-<136><181>DI<135>8<2
> 0><3><1><0><1><1><22><3><1><0>0L,H<136><133><149>5K<171><157>A<208><a<247><2
> 26><157>Dac[<197>=<177><193><8>&<231><216><175><200><23>v<241>z<250><29>_<21
>> h<30>z<17><22><169><188><170><148>
> Message-Authenticator = <168>)F<184>T<230>;9<242><210><14>X<17><232><163><145>
>
> Fri Apr 23 11:35:58 2010: DEBUG: Handling request with Handler 'User-Name=/host\/.+/, DeviceType="Wlan",DeviceGroup="global"'
> Fri Apr 23 11:35:58 2010: DEBUG: Rewrote user name to host1.domain.com at unknown
> Fri Apr 23 11:35:58 2010: DEBUG: Deleting session for host/host1.domain.com, 10.37.196.121, 29
> Fri Apr 23 11:35:58 2010: DEBUG: Handling with Radius::AuthFILE:EapTLSDevice
> Fri Apr 23 11:35:58 2010: DEBUG: Handling with EAP: code 2, 9, 1211, 13
> Fri Apr 23 11:35:58 2010: DEBUG: Response type 13
> Fri Apr 23 11:35:58 2010: DEBUG: Certificate Subject Name is/DC=com/DC=DOMAIN/O=TEST/CN=host1.domain.com
> Fri Apr 23 11:35:58 2010: DEBUG: Matched certificate CN host1.domain.com with User-Name host1.domain.com at unknown or identity host/host1.domain.com
> Fri Apr 23 11:35:58 2010: DEBUG: Radius::AuthFILE looks for match with host1.domain.com [host/host1.domain.com]
> Fri Apr 23 11:35:58 2010: DEBUG: Radius::AuthFILE REJECT: No such user: host1.domain.com [host/host1.domain.com]
> Fri Apr 23 11:35:58 2010: DEBUG: Radius::AuthFILE looks for match with DEFAULT [host/host1.domain.com]
> Fri Apr 23 11:35:58 2010: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [host/host1.domain.com]
> Fri Apr 23 11:35:58 2010: DEBUG: EAPTLS_CertificateVerifyHook matchDN: host1.domain.com
> Fri Apr 23 11:35:58 2010: DEBUG: EAPTLS_CertificateVerifyHook issuer: /CN=Server TEST CA 2
> Fri Apr 23 11:35:58 2010: DEBUG: EAPTLS_CertificateVerifyHook EKU:clientAuth
> Fri Apr 23 11:35:58 2010: ERR: EAP TLS error: -1, 1, 8640, 0, 14579: 1 -error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
> Fri Apr 23 11:35:58 2010: DEBUG: EAP result: 1, EAP TLS error
> Fri Apr 23 11:35:58 2010: DEBUG: AuthBy FILE result: REJECT, EAP TLS error
> Fri Apr 23 11:35:58 2010: INFO: Access rejected for host1.domain.com at unknown: EAP TLS error
> Fri Apr 23 11:35:58 2010: DEBUG: Packet dump:
> *** Sending to 10.7.96.21 port 32768 ....
> Code: Access-Reject
> Identifier: 195
> Authentic: <230><254>)<134>o<193><183><12><144><8><157><131><172><4><213><209>
> Attributes:
> EAP-Message = <4><9><0><4>
> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Reply-Message = "Request Denied"
>
>
>
> Regards
> Markus
>
>
>
> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Cc: <radiator at open.com.au>
> Sent: Saturday, April 24, 2010 12:27 AM
> Subject: Re: [RADIATOR] EAP TLS and XP machine authentication
>
>
>
> Hello Markus -
>
> Can you please send me a copy of the configuration file and a more complete trace 4 debug showing more of what is happening?
>
> thanks and regards
>
> Hugh
>
>
> On 23 Apr 2010, at 19:33, Markus Moeller wrote:
>
>> Hi,
>>
>> I try to use 802.1x with XP and machine authentication. I can see the radius request with username host/<fqdn> and then I see the radius server failing because neither the CN nor the subjectAltName (= <fqdn> only) matches the username.
>>
>> Fri Apr 23 09:59:40 2010: DEBUG: Response type 13
>> Fri Apr 23 09:59:40 2010: DEBUG: Certificate Subject Name is /DC=com/DC=DOMAIN/O=TEST/CN=host1.domain.com
>> Fri Apr 23 09:59:40 2010: DEBUG: Checking subjectAltName type 2, value host1.domain.com
>> Fri Apr 23 09:59:40 2010: INFO: EAP TLS client certificate subject /DC=com/DC=DOMAIN/O=TEST/CN=host1.domain.com does not match
>> user name host/host1.domain.com at unknown or identity host/host1.domain.com
>> Fri Apr 23 09:59:40 2010: INFO: EAP TLS certificate verification failed: application verification failure, 14579: 1 - error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>>
>>
>> What is the right way to configure Radiator, or how should the certificate be created?
>>
>> Thank you
>> Markus
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
>
>
>
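The two failures in the thread hinge on how the EAP identity is compared with the client certificate: XP machine authentication sends User-Name "host/<fqdn>" while the certificate carries only "<fqdn>" in the CN and subjectAltName, so the comparison fails until the "host/" prefix is removed (the RewriteUsername line in the Handler). The following is an added, stand-alone Python illustration of that comparison; it is not code from the thread, not a Radiator EAPTLS_CertificateVerifyHook (those are Perl and have their own calling convention), and the subject DN and SAN values are constructed from the log lines above. It shows both outcomes: the rejection seen in the first post when the raw identity is compared, and the match seen in the second log once the prefix is stripped.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample values modelled on the thread's log output (not captured data).
SAMPLE_SUBJECT_DN = "/DC=com/DC=DOMAIN/O=TEST/CN=host1.domain.com"
SAMPLE_SAN_DNS = ["host1.domain.com"]  # subjectAltName dNSName entries (type 2 in the log)

# Windows machine authentication prefixes the EAP identity with "host/".
MACHINE_PREFIX = "host/"


def strip_machine_prefix(user_name: str) -> Tuple[str, bool]:
    """Return (identity, is_machine_account): the same effect as
    'RewriteUsername s/host\\/(.*)/$1/' in the Handler above."""
    if user_name.startswith(MACHINE_PREFIX):
        return user_name[len(MACHINE_PREFIX):], True
    return user_name, False


def parse_oneline_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse OpenSSL's one-line DN form ('/DC=com/.../CN=host') into (type, value) pairs.
    Assumption: no escaped '/' characters inside values; split on unescaped '/' only."""
    pairs = []
    for rdn in re.split(r"(?<!\\)/", dn):
        if not rdn:
            continue
        attr_type, sep, value = rdn.partition("=")
        if sep:
            pairs.append((attr_type.strip(), value.replace("\\/", "/")))
    return pairs


def subject_cn(dn: str) -> Optional[str]:
    """Return the first CN in the subject DN, or None if the subject has no CN."""
    for attr_type, value in parse_oneline_dn(dn):
        if attr_type.upper() == "CN":
            return value
    return None


def check_identity(user_name: str, subject_dn: str, san_dns_names: List[str],
                   strip_prefix: bool = True) -> Tuple[bool, str]:
    """Decide whether the EAP identity is bound to the presented certificate.
    The identity is accepted only if it equals (case-insensitively) the subject CN
    or one of the SAN dNSName entries; hostnames are compared as DNS labels."""
    identity = user_name
    if strip_prefix:
        identity, _ = strip_machine_prefix(user_name)
    identity = identity.lower()

    candidates = set()
    cn = subject_cn(subject_dn)
    if cn:
        candidates.add(cn.lower())
    candidates.update(name.lower() for name in san_dns_names)

    if not candidates:
        return False, "certificate carries neither a CN nor a dNSName SAN"
    if identity in candidates:
        return True, "identity %s matches certificate name" % identity
    return False, "identity %s does not match CN/SAN %s" % (identity, sorted(candidates))


if __name__ == "__main__":
    # Before the RewriteUsername: the raw 'host/' identity never matches (first post).
    print(check_identity("host/host1.domain.com", SAMPLE_SUBJECT_DN, SAMPLE_SAN_DNS, strip_prefix=False))
    # After it: the bare fqdn matches the CN and the SAN (second log).
    print(check_identity("host/host1.domain.com", SAMPLE_SUBJECT_DN, SAMPLE_SAN_DNS))
    # A certificate for a different machine is still rejected.
    print(check_identity("host/host2.domain.com", SAMPLE_SUBJECT_DN, SAMPLE_SAN_DNS))
```

The check deliberately compares the whole hostname rather than a substring or a regex, so a certificate issued to one machine cannot satisfy the identity of another that merely shares a suffix; the "host/" prefix is the only transformation applied to the identity before comparison, mirroring the rewrite rule in the Handler.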