[RADIATOR] EAP TLS and XP machine authentication
Markus Moeller
huaraz at moeller.plus.com
Tue Apr 27 18:12:33 CDT 2010
Hi Hugh,
I am testing to authenticate devices (e.g. phones or PCs) via 802.1x to a
switch. An XP or Windows 7 PC can do 802.1x authentication as a machine or a
user. I would like to do a machine authentication using a certificate, and it
looks like XP and Windows 7 are using a "username" of host/<fqdn>, but the
certificate I created is a normal server certificate with the fqdn as
subjectaltname.
So it looks to me like I have to use a rewrite rule to match the
"username" with the subjectaltname or CN. I am wondering if someone else has
done this before.
Thank you
Markus
BTW, the error "decryption failed or bad record mac" is a bug in SunStudio 11
when compiling openssl. The AES cipher used by Windows 7 could not be
decrypted by SSLeay because of the SunStudio 11 bug.
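The identity check the thread revolves around, as a stand-alone Python model (added here; it is not Radiator code and not a Radiator hook): the handler's RewriteUsername strips the host/ prefix, Radiator appends @unknown when there is no realm, and the resulting name is compared against the certificate CN and subjectAltName dNSName entries. The certificate records are constructed dicts standing in for the fields the verify hook logs (subject CN, SAN, EKU).

```python
import re

# Rewrite from the handler on this page: RewriteUsername s/host\/(.*)/$1/
HOST_PREFIX = re.compile(r"^host/(.*)$")

# Constructed sample certificates (not real data). Fields mirror what the
# EAPTLS_CertificateVerifyHook on this page logs: CN, SAN dNSName, EKU.
HOST1_CERT = {
    "subject_cn": "host1.domain.com",
    "san_dns": ["host1.domain.com"],
    "eku": ["clientAuth"],
}
SERVER_ONLY_CERT = {  # a plain server certificate for the same FQDN
    "subject_cn": "host1.domain.com",
    "san_dns": ["host1.domain.com"],
    "eku": ["serverAuth"],
}


def rewrite_username(user_name):
    """Apply the page's rewrite: 'host/host1.domain.com' -> 'host1.domain.com'."""
    m = HOST_PREFIX.match(user_name)
    return m.group(1) if m else user_name


def strip_realm(identity):
    """Drop a trailing @realm (Radiator adds @unknown when none is present)."""
    return identity.split("@", 1)[0]


def cert_matches_identity(cert, user_name, rewrite=True):
    """Return (accepted, reason) for one 802.1X machine-auth request.

    With rewrite=False the comparison uses the raw host/<fqdn> identity,
    which reproduces the "does not match" failure in the first log on
    this page; with rewrite=True it reproduces the later "Matched" line.
    """
    ident = rewrite_username(user_name) if rewrite else user_name
    wanted = strip_realm(ident).lower()
    if "clientAuth" not in cert.get("eku", []):
        return False, "certificate lacks the clientAuth EKU"
    names = [cert.get("subject_cn", "")] + list(cert.get("san_dns", []))
    for name in names:
        if name.lower() == wanted:
            return True, "matched certificate name %s with identity %s" % (name, user_name)
    return False, "no CN or SAN dNSName equals %s" % wanted


if __name__ == "__main__":
    for rw in (False, True):
        print(rw, cert_matches_identity(HOST1_CERT, "host/host1.domain.com", rewrite=rw))
```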
----- Original Message -----
From: "Hugh Irvine" <hugh at open.com.au>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Cc: <radiator at open.com.au>
Sent: Tuesday, April 27, 2010 7:43 AM
Subject: Re: [RADIATOR] EAP TLS and XP machine authentication
Hello Markus -
Sorry to be dense, but what exactly are you wanting to do? And what exactly
are you expecting to happen?
I'm not understanding your requirements, nor the results you show below.
You can send to me directly if you prefer.
regards
Hugh
On 24 Apr 2010, at 21:26, Markus Moeller wrote:
> Hi Hugh,
>
> here is the Authby definition
>
> #
> <AuthBy FILE>
> Identifier EapTLSDevice
> Filename %D/Devices
>
> EAPType TLS
>
> #
> # WLAN Additional Certificate Check
> #
> EAPTLS_CertificateVerifyHook file:"%D/EAPTLS_Certificate_check_Device.pl"
>
> #
> # WLAN root CAs
> #
> EAPTLS_CAFile %D/certs/CA/ALL-ca-certs.pem
>
> #
> # Radiator Cert
> #
> EAPTLS_CertificateFile %D/certs/wlancert.pem
> EAPTLS_CertificateType PEM
>
> EAPTLS_PrivateKeyFile %D/certs/wlankey.pem
> # EAPTLS_PrivateKeyPassword 1Wv7HpRG5C
>
> EAPTLS_MaxFragmentSize 1000
>
> #
> # WLAN CRLs
> #
> EAPTLS_CRLCheck
> EAPTLS_CRLFile %D/certs/crls/Root_CA_2.pem
> EAPTLS_CRLFile %D/certs/crls/Root_CA_3.pem
> EAPTLS_CRLFile %D/certs/crls/Server_CA_2.pem
> EAPTLS_CRLFile %D/certs/crls/TLS_CA_1.pem
>
> # EAPTLS_CRLFile %D/certs/revocations.pem
> #
> AutoMPPEKeys
> </AuthBy>
>
> the handler
>
> #
> <Handler User-Name=/host\/.+/, DeviceType="Wlan",DeviceGroup="global" >
> # Mark request as WLAN request
> RewriteUsername s/host\/(.*)/$1/
> AddToRequestIfNotExist Request-Protocol=EAP-TLS
> AuthByPolicy ContinueWhileAccept
> AuthBy EapTLSDevice
> AuthLog LogWLANAuthentication
> AuthLog SysLogWLANAuthentication
> AcctLogFileName %L/radiator_WLANacct
> </Handler>
> #
>
> and the log output of the request
>
>
> Sat Apr 24 04:00:02 2010: NOTICE: SIGHUP received: restarting
> Sat Apr 24 04:00:02 2010: DEBUG: include
> /opt/radiator/etc/radiator_log.cfg
> Sat Apr 24 04:00:02 2010: DEBUG: include
> /opt/radiator/etc/clients/radiator_WLAN.cfg
> Sat Apr 24 04:00:02 2010: DEBUG: include
> /opt/radiator/etc/radiator_authby.cfg
> Sat Apr 24 04:00:02 2010: DEBUG: include
> /opt/radiator/etc/radiator_authlog.cfg
> Sat Apr 24 04:00:02 2010: DEBUG: include
> /opt/radiator/etc/radiator_handler.cfg
> Sat Apr 24 04:00:02 2010: DEBUG: Finished reading configuration file
> '/opt/radiator/etc/radiator_WLAN.cfg'
> Sat Apr 24 04:00:02 2010: DEBUG: Reading dictionary file
> '/opt/radiator/etc/dictionary'
> Sat Apr 24 04:00:02 2010: DEBUG: Creating authentication port
> 0.0.0.0:11812
> Sat Apr 24 04:00:02 2010: DEBUG: Creating accounting port 0.0.0.0:11813
> Sat Apr 24 04:00:02 2010: NOTICE: Server started: Radiator 4.5 on radprod1
>
> .....
>
> Fri Apr 23 11:35:58 2010: DEBUG: Packet dump:
> *** Received from 10.7.96.21 port 32768 ....
> Code: Access-Request
> Identifier: 195
> Authentic: <207><142><194><3>W<254>'-<23><147>p<151><145><155><254><2>
> Attributes:
> User-Name = "host/host1.domain.com"
> Calling-Station-Id = "00-1c-bf-a2-d5-f5"
> Called-Station-Id = "00-19-07-8c-92-90:D77yZsCpy6Cyh95Q8!"
> NAS-Port = 29
> NAS-IP-Address = 10.7.96.21
> NAS-Identifier = "HCESB991"
> Airespace-WLAN-Id = 1
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-IEEE-802-11
> Tunnel-Type = 0:VLAN
> Tunnel-Medium-Type = 0:802
> Tunnel-Private-Group-ID = 662
> Message-Authenticator =
> <168>)F<184>T<230>;9<242><210><14>X<17><232><163><145>
>
> Fri Apr 23 11:35:58 2010: DEBUG: Handling request with Handler
> 'User-Name=/host\/.+/, DeviceType="Wlan",DeviceGroup="global"'
> Fri Apr 23 11:35:58 2010: DEBUG: Rewrote user name to
> host1.domain.com at unknown
> Fri Apr 23 11:35:58 2010: DEBUG: Deleting session for
> host/host1.domain.com, 10.37.196.121, 29
> Fri Apr 23 11:35:58 2010: DEBUG: Handling with
> Radius::AuthFILE:EapTLSDevice
> Fri Apr 23 11:35:58 2010: DEBUG: Handling with EAP: code 2, 9, 1211, 13
> Fri Apr 23 11:35:58 2010: DEBUG: Response type 13
> Fri Apr 23 11:35:58 2010: DEBUG: Certificate Subject Name
> is/DC=com/DC=DOMAIN/O=TEST/CN=host1.domain.com
> Fri Apr 23 11:35:58 2010: DEBUG: Matched certificate CN host1.domain.com
> with User-Name host1.domain.com at unknown or identity host/host1.domain.com
> Fri Apr 23 11:35:58 2010: DEBUG: Radius::AuthFILE looks for match with
> host1.domain.com [host/host1.domain.com]
> Fri Apr 23 11:35:58 2010: DEBUG: Radius::AuthFILE REJECT: No such user:
> host1.domain.com [host/host1.domain.com]
> Fri Apr 23 11:35:58 2010: DEBUG: Radius::AuthFILE looks for match with
> DEFAULT [host/host1.domain.com]
> Fri Apr 23 11:35:58 2010: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT
> [host/host1.domain.com]
> Fri Apr 23 11:35:58 2010: DEBUG: EAPTLS_CertificateVerifyHook matchDN:
> host1.domain.com
> Fri Apr 23 11:35:58 2010: DEBUG: EAPTLS_CertificateVerifyHook issuer:
> /CN=Server TEST CA 2
> Fri Apr 23 11:35:58 2010: DEBUG: EAPTLS_CertificateVerifyHook
> EKU:clientAuth
> Fri Apr 23 11:35:58 2010: ERR: EAP TLS error: -1, 1, 8640, 0, 14579:
> 1 -error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad
> record mac
> Fri Apr 23 11:35:58 2010: DEBUG: EAP result: 1, EAP TLS error
> Fri Apr 23 11:35:58 2010: DEBUG: AuthBy FILE result: REJECT, EAP TLS error
> Fri Apr 23 11:35:58 2010: INFO: Access rejected for
> host1.domain.com at unknown: EAP TLS error
> Fri Apr 23 11:35:58 2010: DEBUG: Packet dump:
> *** Sending to 10.7.96.21 port 32768 ....
> Code: Access-Reject
> Identifier: 195
> Authentic:
> <230><254>)<134>o<193><183><12><144><8><157><131><172><4><213><209>
> Attributes:
> EAP-Message = <4><9><0><4>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Reply-Message = "Request Denied"
>
> Regards
> Markus
>
> ----- Original Message -----
> From: "Hugh Irvine" <hugh at open.com.au>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Cc: <radiator at open.com.au>
> Sent: Saturday, April 24, 2010 12:27 AM
> Subject: Re: [RADIATOR] EAP TLS and XP machine authentication
>
> Hello Markus -
>
> Can you please send me a copy of the configuration file and a more
> complete trace 4 debug showing more of what is happening?
>
> thanks and regards
>
> Hugh
>
>
> On 23 Apr 2010, at 19:33, Markus Moeller wrote:
>
>> Hi,
>>
>> I am trying to use 802.1x with XP and machine authentication. I can see the
>> radius request with username host/<fqdn> and then I see the radius server
>> failing because neither the CN nor the subjectaltname (= <fqdn> only) matches
>> the username.
>>
>> Fri Apr 23 09:59:40 2010: DEBUG: Response type 13
>> Fri Apr 23 09:59:40 2010: DEBUG: Certificate Subject Name is
>> /DC=com/DC=DOMAIN/O=TEST/CN=host1.domain.com
>> Fri Apr 23 09:59:40 2010: DEBUG: Checking subjectAltName type 2, value
>> host1.domain.com
>> Fri Apr 23 09:59:40 2010: INFO: EAP TLS client certificate subject
>> /DC=com/DC=DOMAIN/O=TEST/CN=host1.domain.com does not match
>> user name host/host1.domain.com at unknown or identity host/host1.domain.com
>> Fri Apr 23 09:59:40 2010: INFO: EAP TLS certificate verification failed:
>> application verification failure, 14579: 1 - error:140890B2:SSL
>> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>>
>>
>> What is the right way to configure Radiator, or how should the certificate
>> be created?
>>
>> Thank you
>> Markus
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>