[RADIATOR] EAP TLS and XP machine authentication

Hugh Irvine hugh at open.com.au
Wed Apr 28 19:01:13 CDT 2010


Hello Markus -

Yes you should be able to use a RewriteUsername to strip the leading "host/", however you appear to end up with this:

	Fri Apr 23 11:35:58 2010: DEBUG: Rewrote user name to host1.domain.com@unknown

which I don't understand. Where is the "@unknown" suffix coming from?

regards

Hugh


On 28 Apr 2010, at 09:12, Markus Moeller wrote:

> Hi Hugh,
> 
> I am testing to authenticate devices (e.g. phones or PCs) via 802.1x to a switch. An XP or Windows 7 PC can do 802.1x authentication as a machine or as a user. I would like to do a machine authentication using a certificate, and it looks like XP and Windows 7 are using a "username" of host/<fqdn>, but the certificate I created is a normal server certificate with the fqdn as subjectaltname.
> 
> So it looks to me that I have to use a rewrite rule to match the "username" with the subjectaltname or CN. I am wondering if someone else has done this before.
> 
> Thank you
> Markus
> 
> BTW The error "decryption failed or bad record mac" is a bug in SunStudio 11 when compiling openssl.  The AES cipher used by Windows 7 could not be decrypted by SSLeay because of the SunStudio 11 bug.
> 
> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Cc: <radiator at open.com.au>
> Sent: Tuesday, April 27, 2010 7:43 AM
> Subject: Re: [RADIATOR] EAP TLS and XP machine authentication
> 
> 
> 
> Hello Markus -
> 
> Sorry to be dense, but what exactly are you wanting to do, and what exactly are you expecting to happen?
> 
> I'm not understanding your requirements, nor the results you show below.
> 
> You can send to me directly if you prefer.
> 
> regards
> 
> Hugh
> 
> 
> On 24 Apr 2010, at 21:26, Markus Moeller wrote:
> 
>> Hi Hugh,
>> 
>> Here is the AuthBy definition:
>> 
>> #
>> <AuthBy FILE>
>> Identifier EapTLSDevice
>> Filename %D/Devices
>> 
>> EAPType TLS
>> 
>> #
>> # WLAN Additional Certificate Check
>> #
>> EAPTLS_CertificateVerifyHook file:"%D/EAPTLS_Certificate_check_Device.pl"
>> 
>> #
>> # WLAN root CAs
>> #
>> EAPTLS_CAFile %D/certs/CA/ALL-ca-certs.pem
>> 
>> #
>> # Radiator Cert
>> #
>> EAPTLS_CertificateFile %D/certs/wlancert.pem
>> EAPTLS_CertificateType PEM
>> 
>> EAPTLS_PrivateKeyFile %D/certs/wlankey.pem
>> #  EAPTLS_PrivateKeyPassword 1Wv7HpRG5C
>> 
>> EAPTLS_MaxFragmentSize 1000
>> 
>> #
>> # WLAN CRLs
>> #
>> EAPTLS_CRLCheck
>> EAPTLS_CRLFile %D/certs/crls/Root_CA_2.pem
>> EAPTLS_CRLFile %D/certs/crls/Root_CA_3.pem
>> EAPTLS_CRLFile %D/certs/crls/Server_CA_2.pem
>> EAPTLS_CRLFile %D/certs/crls/TLS_CA_1.pem
>> 
>> # EAPTLS_CRLFile %D/certs/revocations.pem
>> #
>> AutoMPPEKeys
>> </AuthBy>
>> 
>> The Handler:
>> 
>> #
>> <Handler User-Name=/host\/.+/, DeviceType="Wlan",DeviceGroup="global" >
>>      # Mark request as WLAN request
>>      RewriteUsername s/host\/(.*)/$1/
>>      AddToRequestIfNotExist Request-Protocol=EAP-TLS
>>      AuthByPolicy ContinueWhileAccept
>>      AuthBy EapTLSDevice
>>      AuthLog LogWLANAuthentication
>>      AuthLog SysLogWLANAuthentication
>>      AcctLogFileName %L/radiator_WLANacct
>> </Handler>
>> #
>> 
>> 
>> 
>> And the log output of the request:
>> 
>> 
>> Sat Apr 24 04:00:02 2010: NOTICE: SIGHUP received: restarting
>> Sat Apr 24 04:00:02 2010: DEBUG: include /opt/radiator/etc/radiator_log.cfg
>> Sat Apr 24 04:00:02 2010: DEBUG: include /opt/radiator/etc/clients/radiator_WLAN.cfg
>> Sat Apr 24 04:00:02 2010: DEBUG: include /opt/radiator/etc/radiator_authby.cfg
>> Sat Apr 24 04:00:02 2010: DEBUG: include /opt/radiator/etc/radiator_authlog.cfg
>> Sat Apr 24 04:00:02 2010: DEBUG: include /opt/radiator/etc/radiator_handler.cfg
>> Sat Apr 24 04:00:02 2010: DEBUG: Finished reading configuration file '/opt/radiator/etc/radiator_WLAN.cfg'
>> Sat Apr 24 04:00:02 2010: DEBUG: Reading dictionary file '/opt/radiator/etc/dictionary'
>> Sat Apr 24 04:00:02 2010: DEBUG: Creating authentication port 0.0.0.0:11812
>> Sat Apr 24 04:00:02 2010: DEBUG: Creating accounting port 0.0.0.0:11813
>> Sat Apr 24 04:00:02 2010: NOTICE: Server started: Radiator 4.5 on radprod1
>> 
>> .....
>> 
>> Fri Apr 23 11:35:58 2010: DEBUG: Packet dump:
>> *** Received from 10.7.96.21 port 32768 ....
>> Code:       Access-Request
>> Identifier: 195
>> Authentic:  <207><142><194><3>W<254>'-<23><147>p<151><145><155><254><2>
>> Attributes:
>>      User-Name = "host/host1.domain.com"
>>      Calling-Station-Id = "00-1c-bf-a2-d5-f5"
>>      Called-Station-Id = "00-19-07-8c-92-90:D77yZsCpy6Cyh95Q8!"
>>      NAS-Port = 29
>>      NAS-IP-Address = 10.7.96.21
>>      NAS-Identifier = "HCESB991"
>>      Airespace-WLAN-Id = 1
>>      Service-Type = Framed-User
>>      Framed-MTU = 1300
>>      NAS-Port-Type = Wireless-IEEE-802-11
>>      Tunnel-Type = 0:VLAN
>>      Tunnel-Medium-Type = 0:802
>>      Tunnel-Private-Group-ID = 662
>>      Message-Authenticator = <168>)F<184>T<230>;9<242><210><14>X<17><232><163><145>
>> 
>> Fri Apr 23 11:35:58 2010: DEBUG: Handling request with Handler 'User-Name=/host\/.+/, DeviceType="Wlan",DeviceGroup="global"'
>> Fri Apr 23 11:35:58 2010: DEBUG: Rewrote user name to host1.domain.com@unknown
>> Fri Apr 23 11:35:58 2010: DEBUG:  Deleting session for host/host1.domain.com, 10.37.196.121, 29
>> Fri Apr 23 11:35:58 2010: DEBUG: Handling with Radius::AuthFILE:EapTLSDevice
>> Fri Apr 23 11:35:58 2010: DEBUG: Handling with EAP: code 2, 9, 1211, 13
>> Fri Apr 23 11:35:58 2010: DEBUG: Response type 13
>> Fri Apr 23 11:35:58 2010: DEBUG: Certificate Subject Name is /DC=com/DC=DOMAIN/O=TEST/CN=host1.domain.com
>> Fri Apr 23 11:35:58 2010: DEBUG: Matched certificate CN host1.domain.com with User-Name host1.domain.com@unknown or identity host/host1.domain.com
>> Fri Apr 23 11:35:58 2010: DEBUG: Radius::AuthFILE looks for match with host1.domain.com [host/host1.domain.com]
>> Fri Apr 23 11:35:58 2010: DEBUG: Radius::AuthFILE REJECT: No such user: host1.domain.com [host/host1.domain.com]
>> Fri Apr 23 11:35:58 2010: DEBUG: Radius::AuthFILE looks for match with DEFAULT [host/host1.domain.com]
>> Fri Apr 23 11:35:58 2010: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [host/host1.domain.com]
>> Fri Apr 23 11:35:58 2010: DEBUG: EAPTLS_CertificateVerifyHook matchDN: host1.domain.com
>> Fri Apr 23 11:35:58 2010: DEBUG: EAPTLS_CertificateVerifyHook issuer: /CN=Server TEST CA 2
>> Fri Apr 23 11:35:58 2010: DEBUG: EAPTLS_CertificateVerifyHook EKU:clientAuth
>> Fri Apr 23 11:35:58 2010: ERR: EAP TLS error: -1, 1, 8640, 0,  14579: 1 -error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
>> Fri Apr 23 11:35:58 2010: DEBUG: EAP result: 1, EAP TLS error
>> Fri Apr 23 11:35:58 2010: DEBUG: AuthBy FILE result: REJECT, EAP TLS error
>> Fri Apr 23 11:35:58 2010: INFO: Access rejected for host1.domain.com@unknown: EAP TLS error
>> Fri Apr 23 11:35:58 2010: DEBUG: Packet dump:
>> *** Sending to 10.7.96.21 port 32768 ....
>> Code:       Access-Reject
>> Identifier: 195
>> Authentic: <230><254>)<134>o<193><183><12><144><8><157><131><172><4><213><209>
>> Attributes:
>>      EAP-Message = <4><9><0><4>
>>      Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>      Reply-Message = "Request Denied"
>> 
>> 
>> 
>> Regards
>> Markus
>> 
>> 
>> 
>> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>> Cc: <radiator at open.com.au>
>> Sent: Saturday, April 24, 2010 12:27 AM
>> Subject: Re: [RADIATOR] EAP TLS and XP machine authentication
>> 
>> 
>> 
>> Hello Markus -
>> 
>> Can you please send me a copy of the configuration file and a more complete trace 4 debug showing more of what is happening?
>> 
>> thanks and regards
>> 
>> Hugh
>> 
>> 
>> On 23 Apr 2010, at 19:33, Markus Moeller wrote:
>> 
>>> Hi,
>>> 
>>> I try to use 802.1x with XP and machine authentication. I can see the radius request with username host/<fqdn>, and then I see the radius server failing because neither the CN nor the subjectaltname (= <fqdn> only) matches the username.
>>> 
>>> Fri Apr 23 09:59:40 2010: DEBUG: Response type 13
>>> Fri Apr 23 09:59:40 2010: DEBUG: Certificate Subject Name is /DC=com/DC=DOMAIN/O=TEST/CN=host1.domain.com
>>> Fri Apr 23 09:59:40 2010: DEBUG: Checking subjectAltName type 2, value host1.domain.com
>>> Fri Apr 23 09:59:40 2010: INFO: EAP TLS client certificate subject /DC=com/DC=DOMAIN/O=TEST/CN=host1.domain.com does not match
>>> user name host/host1.domain.com@unknown or identity host/host1.domain.com
>>> Fri Apr 23 09:59:40 2010: INFO: EAP TLS certificate verification failed: application verification failure,  14579: 1 - error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>>> 
>>> 
>>> What is the right way to configure Radiator or how should the certificate be created ?
>>> 
>>> Thank you
>>> Markus
>> 
>> 
>> 
> 
> 
> 



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
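As an added illustration (not Radiator's code, and not posted by anyone in the thread), a small Python model of the name check the log lines above describe: the User-Name is rewritten the way the Handler's RewriteUsername does, any @realm suffix such as the "@unknown" Hugh asks about is dropped, and the result is compared against the certificate CN and subjectAltName dNSName entries. The ClientCert type and the sample certificate are constructed for the example, and dropping the realm suffix is one reading of the "Matched certificate CN ... with User-Name host1.domain.com@unknown" line, not a statement of Radiator's actual logic.

```python
import re
from dataclasses import dataclass, field


# Constructed stand-in for the machine certificate in the thread: the CN is
# the bare FQDN and the subjectAltName carries the same FQDN as a dNSName.
@dataclass
class ClientCert:
    subject_cn: str
    san_dns: list = field(default_factory=list)


SAMPLE_CERT = ClientCert("host1.domain.com", ["host1.domain.com"])


def rewrite_username(user_name: str) -> str:
    """Python equivalent of the Handler's RewriteUsername s/host\\/(.*)/$1/."""
    return re.sub(r"host/(.*)", r"\1", user_name)


def candidate_names(user_name: str, identity: str, rewrite: bool = True) -> list:
    """Names the certificate may match: the (optionally rewritten) User-Name
    with any @realm suffix removed, plus the raw EAP identity as sent."""
    name = rewrite_username(user_name) if rewrite else user_name
    bare = name.split("@", 1)[0]          # assumption: realm suffix is ignored
    return [bare, identity]


def cert_matches(cert: ClientCert, user_name: str, identity: str,
                 rewrite: bool = True) -> bool:
    """Accept when the CN or any SAN dNSName equals one of the candidate
    names (case-insensitive, as DNS names are)."""
    wanted = {n.lower() for n in candidate_names(user_name, identity, rewrite)}
    present = {cert.subject_cn.lower(), *(d.lower() for d in cert.san_dns)}
    return bool(wanted & present)


if __name__ == "__main__":
    # Without the rewrite, "host/host1.domain.com" never equals the cert's
    # "host1.domain.com", which is the failure in the first log excerpt.
    print(cert_matches(SAMPLE_CERT, "host/host1.domain.com@unknown",
                       "host/host1.domain.com", rewrite=False))
    # With the rewrite applied the CN matches, as in the second log excerpt.
    print(cert_matches(SAMPLE_CERT, "host/host1.domain.com@unknown",
                       "host/host1.domain.com"))
```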