[RADIATOR] EAP TLS and XP machine authentication

Hugh Irvine hugh at open.com.au
Thu Apr 29 17:05:16 CDT 2010


Hello Markus -

You will need to strip the "@unknown" suffix before trying to match the username.

regards

Hugh


On 30 Apr 2010, at 04:26, Markus Moeller wrote:

> Sorry, the @unknown is a setting in an include file I did not provide to you.
> 
> Markus
> 
> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Cc: <radiator at open.com.au>
> Sent: Thursday, April 29, 2010 1:01 AM
> Subject: Re: [RADIATOR] EAP TLS and XP machine authentication
> 
> 
> 
> Hello Markus -
> 
> Yes you should be able to use a RewriteUsername to strip the leading "host/", however you appear to end up with this:
> 
> Fri Apr 23 11:35:58 2010: DEBUG: Rewrote user name to host1.domain.com@unknown
> 
> which I don't understand. Where is the "@unknown" suffix coming from?
> 
> regards
> 
> Hugh
> 
> 
> On 28 Apr 2010, at 09:12, Markus Moeller wrote:
> 
>> Hi Hugh,
>> 
>> I am testing to authenticate devices (e.g. phones or PCs) via 802.1x to a switch. An XP or Windows 7 PC can do 802.1x authentication as a machine or a user. I would like to do a machine authentication using a certificate and it looks like XP and Windows 7 are using a "username" of host/<fqdn>, but the certificate I created is a normal server certificate with the fqdn as subjectAltName.
>> 
>> So it looks to me that I have to use a rewrite rule to match the "username" with the subjectaltname or CN. I am wondering if someone else has done this before.
>> 
>> Thank you
>> Markus
>> 
>> BTW The error "decryption failed or bad record mac" is a bug in SunStudio 11 when compiling openssl.  The AES cipher used by Windows 7 could not be decrypted by SSLeay because of the SunStudio 11 bug.
>> 
>> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>> Cc: <radiator at open.com.au>
>> Sent: Tuesday, April 27, 2010 7:43 AM
>> Subject: Re: [RADIATOR] EAP TLS and XP machine authentication
>> 
>> 
>> 
>> Hello Markus -
>> 
>> Sorry to be dense, but what exactly are you wanting to do? and what exactly are you expecting to happen?
>> 
>> I'm not understanding your requirements, nor the results you show below.
>> 
>> You can send to me directly if you prefer.
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> On 24 Apr 2010, at 21:26, Markus Moeller wrote:
>> 
>>> Hi Hugh,
>>> 
>>> here is the Authby definition
>>> 
>>> #
>>> <AuthBy FILE>
>>> Identifier EapTLSDevice
>>> Filename %D/Devices
>>> 
>>> EAPType TLS
>>> 
>>> #
>>> # WLAN Additional Certificate Check
>>> #
>>> EAPTLS_CertificateVerifyHook file:"%D/EAPTLS_Certificate_check_Device.pl"
>>> 
>>> #
>>> # WLAN root CAs
>>> #
>>> EAPTLS_CAFile %D/certs/CA/ALL-ca-certs.pem
>>> 
>>> #
>>> # Radiator Cert
>>> #
>>> EAPTLS_CertificateFile %D/certs/wlancert.pem
>>> EAPTLS_CertificateType PEM
>>> 
>>> EAPTLS_PrivateKeyFile %D/certs/wlankey.pem
>>> #  EAPTLS_PrivateKeyPassword 1Wv7HpRG5C
>>> 
>>> EAPTLS_MaxFragmentSize 1000
>>> 
>>> #
>>> # WLAN CRLs
>>> #
>>> EAPTLS_CRLCheck
>>> EAPTLS_CRLFile %D/certs/crls/Root_CA_2.pem
>>> EAPTLS_CRLFile %D/certs/crls/Root_CA_3.pem
>>> EAPTLS_CRLFile %D/certs/crls/Server_CA_2.pem
>>> EAPTLS_CRLFile %D/certs/crls/TLS_CA_1.pem
>>> 
>>> # EAPTLS_CRLFile %D/certs/revocations.pem
>>> #
>>> AutoMPPEKeys
>>> </AuthBy>
>>> 
>>> the handler
>>> 
>>> #
>>> <Handler User-Name=/host\/.+/, DeviceType="Wlan",DeviceGroup="global" >
>>>     # Mark request as WLAN request
>>>     RewriteUsername s/host\/(.*)/$1/
>>>     AddToRequestIfNotExist Request-Protocol=EAP-TLS
>>>     AuthByPolicy ContinueWhileAccept
>>>     AuthBy EapTLSDevice
>>>     AuthLog LogWLANAuthentication
>>>     AuthLog SysLogWLANAuthentication
>>>     AcctLogFileName %L/radiator_WLANacct
>>> </Handler>
>>> #
>>> 
>>> 
>>> 
>>> and the log output of the request
>>> 
>>> 
>>> Sat Apr 24 04:00:02 2010: NOTICE: SIGHUP received: restarting
>>> Sat Apr 24 04:00:02 2010: DEBUG: include /opt/radiator/etc/radiator_log.cfg
>>> Sat Apr 24 04:00:02 2010: DEBUG: include /opt/radiator/etc/clients/radiator_WLAN.cfg
>>> Sat Apr 24 04:00:02 2010: DEBUG: include /opt/radiator/etc/radiator_authby.cfg
>>> Sat Apr 24 04:00:02 2010: DEBUG: include /opt/radiator/etc/radiator_authlog.cfg
>>> Sat Apr 24 04:00:02 2010: DEBUG: include /opt/radiator/etc/radiator_handler.cfg
>>> Sat Apr 24 04:00:02 2010: DEBUG: Finished reading configuration file '/opt/radiator/etc/radiator_WLAN.cfg'
>>> Sat Apr 24 04:00:02 2010: DEBUG: Reading dictionary file '/opt/radiator/etc/dictionary'
>>> Sat Apr 24 04:00:02 2010: DEBUG: Creating authentication port 0.0.0.0:11812
>>> Sat Apr 24 04:00:02 2010: DEBUG: Creating accounting port 0.0.0.0:11813
>>> Sat Apr 24 04:00:02 2010: NOTICE: Server started: Radiator 4.5 on radprod1
>>> 
>>> .....
>>> 
>>> Fri Apr 23 11:35:58 2010: DEBUG: Packet dump:
>>> *** Received from 10.7.96.21 port 32768 ....
>>> Code:       Access-Request
>>> Identifier: 195
>>> Authentic:  <207><142><194><3>W<254>'-<23><147>p<151><145><155><254><2>
>>> Attributes:
>>>     User-Name = "host/host1.domain.com"
>>>     Calling-Station-Id = "00-1c-bf-a2-d5-f5"
>>>     Called-Station-Id = "00-19-07-8c-92-90:D77yZsCpy6Cyh95Q8!"
>>>     NAS-Port = 29
>>>     NAS-IP-Address = 10.7.96.21
>>>     NAS-Identifier = "HCESB991"
>>>     Airespace-WLAN-Id = 1
>>>     Service-Type = Framed-User
>>>     Framed-MTU = 1300
>>>     NAS-Port-Type = Wireless-IEEE-802-11
>>>     Tunnel-Type = 0:VLAN
>>>     Tunnel-Medium-Type = 0:802
>>>     Tunnel-Private-Group-ID = 662
>>>     EAP-Message =
>>> <2><9><4><187><13><0>?<208><0>2`~<237><239><187><8><196><225>9<167>[Tz<12>.<
>>> 153><170><24><184><239><174>$<147><236>*<215><177><218>&<18><136><233>yT<194
>>>> <18><182><27><172>u<187>?<200>B<16>x<243>;W<193><255><170><8><134><29><9><2
>>> 29>eh,<225><198><170><223><222><163><226>F<7><138>$<161><160><221><24><225><
>>> 210>i<143><216><26><149><162>N<132><183><201>n<181>f2f<187><165>D<252><208><
>>> 6>b|<151>*<250><20><171><234><200><149>;<165><30>fo<168><169><154><185><132>
>>> <196><212><135>M<236>S<161><193><24><239>{)t<2><145>=<218>;<234><142><17>r0<
>>> 245>[!<131><185><216><219><4>]<189><23><219>$<149><168><231><12><170><143><1
>>> 47>N<169>d<188><169>b<14><243>Y<127><246>g<14><226>/-<191><138>}v<202><152><
>>> 210>3<156><161>(m<0>]<28>Yh<201><239>u<254><168>
>>> I<18><161><245><158><143><193><2><3><1><0><1><163><130><1>~0<130><1>z0<29><6
>>>> <3>U<29><14><4><22><4><20><163><161><216><192><155><251>Tb<226><148>0<232>
>>>     EAP-Message =
>>> <226>|N<204><130><192><225><147>0<31><6><3>U<29>#<4><24>0<22><128><20><206><
>>> 148><206><139>J<145>?<173><19>g<214><174>E<145>}7i<227><226><179>0<18><6><3>
>>> U<29><19><1><1><255><4><8>0<6><1><1><255><2><1><0>0<14><6><3>U<29><15><1><1>
>>> <255><4><4><3><2><1><6>0j<6><3>U<29>
>>> <4>c0a0_<6><11>+<6><1><4><1><143>H<10><1><11><2>0P0N<6><8>+<6><1><5><5><7><2
>>>> <2>0B<26>@This certificate is for testing only - do not use in
>>> production!0<129><167><6><3>U<29><31><4><129><159>0<129><156>0<129><153><160
>>>> <129><150><160><129><147><134><129><144>ldap://ldapd1.domain.com:389/CN=
>>>     EAP-Message =
>>> Root%20TEST%20CA%202?certificateRevocationList?base0<13><6><9>*<134>H
>>> <134><247><13><1><1><5><5><0><3>
>>> <130><1><1><0>}<166><195>-<168><146>J<253><155><202><29><176><29>U<224><203>
>>> <151><219><248>o<191>o<198>4<4>l<196>V<158>/<216><201><226><13>\;^<1>#h<0><2
>>> 6><28><249><197><234><163><176><230><207><132>M<245><193><168>Y<200><231>-w<
>>> 160><127><7><166><139><141>k<151>i<231><1<153><248>R<3><23><240><29><209><17
>>>> <135><172><143><216><11><238>%<237>jUT<208><239><228><186><168><235><162><2
>>> 18><184><23><141><131>9<157>Pd<176>}=<26><225>u@<142>
>>> <209><8>l<229><248>t><207>.<173><250><19>=c
>>>     EAP-Message =
>>> <250><132><139>@<181><150><173><174>v<191><192><204><215><181><139><183><240
>>>> ]W.<2>a<243>%f<16><152><28>S<179><25><210>QL<250><2><213>T<151>=<21><221>e<
>>> 141>]<205>d<20>k<196><220>X<155><239><153><13><2><225><169><253><170><193>V<
>>> 155><5><19>o<164><170><222><28><244><132><246><<9><195><173><167>+<27><172><
>>> 195>|<128><235><154><195>3q<171>K<249>a<203><132>(<199><146>mJ<194><1><234><
>>> 9>R<155>;Is<255><156><130>X<169><20><243>.<135>cze<196><17><148><16><0><0><1
>>> 30><0><128><150><251>j}<144><131><<23>?<170>un<152><15>:x<135><243><214><136
>>>> <235><150>J:h<204>u(<189>sR<241><10><157><131><176><144><145><169>po<21><25
>>> 5><181>b<160>Y<236><135><243><228>^<149><127><6>$~<156><127>{<206>/<186><31>
>>> H<191><31><201>8<167>><23><176><8><243><13><25><31><169><19><15><175><6>Qy5<
>>> 22>P<165><173>r<220><184>h<195>Z7<140><248>31C<142><138>%EG<169>4-!?><201>,<
>>> 196>g{+\|<211>
>>>     EAP-Message =
>>> Ak<227><241><183>\<15><0><0><130><0><128><134><137>h<184><19>w<7>b7ai+<26><2
>>> 26><202>O<155>s_N<8><202><208><232><243><6><160><153><251>T<9>:<3><151><224>
>>> <19><213><30><200>Nsjd<222>/j<208>%<10><215><213><211><240><150>2 at L}<15>H{(s
>>> <164><180><225><25><28>8<215><184><183>M<233><243>l<20>b<8><23><173><6><251>
>>> <176><6><156><246>m<6><244><7><246><29><217><216>l*0<152>R<184><30><17>H<133
>>>> d<217><233><237><199>"<217><4><139>i<22><2><27><166>bH-<136><181>DI<135>8<2
>>> 0><3><1><0><1><1><22><3><1><0>0L,H<136><133><149>5K<171><157>A<208><a<247><2
>>> 26><157>Dac[<197>=<177><193><8>&<231><216><175><200><23>v<241>z<250><29>_<21
>>>> h<30>z<17><22><169><188><170><148>
>>>     Message-Authenticator = <168>)F<184>T<230>;9<242><210><14>X<17><232><163><145>
>>> 
>>> Fri Apr 23 11:35:58 2010: DEBUG: Handling request with Handler 'User-Name=/host\/.+/, DeviceType="Wlan",DeviceGroup="global"'
>>> Fri Apr 23 11:35:58 2010: DEBUG: Rewrote user name to host1.domain.com@unknown
>>> Fri Apr 23 11:35:58 2010: DEBUG:  Deleting session for host/host1.domain.com, 10.37.196.121, 29
>>> Fri Apr 23 11:35:58 2010: DEBUG: Handling with Radius::AuthFILE:EapTLSDevice
>>> Fri Apr 23 11:35:58 2010: DEBUG: Handling with EAP: code 2, 9, 1211, 13
>>> Fri Apr 23 11:35:58 2010: DEBUG: Response type 13
>>> Fri Apr 23 11:35:58 2010: DEBUG: Certificate Subject Name is /DC=com/DC=DOMAIN/O=TEST/CN=host1.domain.com
>>> Fri Apr 23 11:35:58 2010: DEBUG: Matched certificate CN host1.domain.com with User-Name host1.domain.com@unknown or identity host/host1.domain.com
>>> Fri Apr 23 11:35:58 2010: DEBUG: Radius::AuthFILE looks for match with host1.domain.com [host/host1.domain.com]
>>> Fri Apr 23 11:35:58 2010: DEBUG: Radius::AuthFILE REJECT: No such user: host1.domain.com [host/host1.domain.com]
>>> Fri Apr 23 11:35:58 2010: DEBUG: Radius::AuthFILE looks for match with DEFAULT [host/host1.domain.com]
>>> Fri Apr 23 11:35:58 2010: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [host/host1.domain.com]
>>> Fri Apr 23 11:35:58 2010: DEBUG: EAPTLS_CertificateVerifyHook matchDN: host1.domain.com
>>> Fri Apr 23 11:35:58 2010: DEBUG: EAPTLS_CertificateVerifyHook issuer: /CN=Server TEST CA 2
>>> Fri Apr 23 11:35:58 2010: DEBUG: EAPTLS_CertificateVerifyHook EKU:clientAuth
>>> Fri Apr 23 11:35:58 2010: ERR: EAP TLS error: -1, 1, 8640, 0,  14579: 1 -error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
>>> Fri Apr 23 11:35:58 2010: DEBUG: EAP result: 1, EAP TLS error
>>> Fri Apr 23 11:35:58 2010: DEBUG: AuthBy FILE result: REJECT, EAP TLS error
>>> Fri Apr 23 11:35:58 2010: INFO: Access rejected for host1.domain.com@unknown: EAP TLS error
>>> Fri Apr 23 11:35:58 2010: DEBUG: Packet dump:
>>> *** Sending to 10.7.96.21 port 32768 ....
>>> Code:       Access-Reject
>>> Identifier: 195
>>> Authentic: <230><254>)<134>o<193><183><12><144><8><157><131><172><4><213><209>
>>> Attributes:
>>>     EAP-Message = <4><9><0><4>
>>>     Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>     Reply-Message = "Request Denied"
>>> 
>>> 
>>> 
>>> Regards
>>> Markus
>>> 
>>> 
>>> 
>>> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
>>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>>> Cc: <radiator at open.com.au>
>>> Sent: Saturday, April 24, 2010 12:27 AM
>>> Subject: Re: [RADIATOR] EAP TLS and XP machine authentication
>>> 
>>> 
>>> 
>>> Hello Markus -
>>> 
>>> Can you please send me a copy of the configuration file and a more complete trace 4 debug showing more of what is happening?
>>> 
>>> thanks and regards
>>> 
>>> Hugh
>>> 
>>> 
>>> On 23 Apr 2010, at 19:33, Markus Moeller wrote:
>>> 
>>>> Hi,
>>>> 
>>>> I try to use 802.1x with XP and machine authentication.  I can see the radius request with username host/<fqdn> and then I see the radius server failing because neither the CN nor the subjectAltName (= <fqdn> only) matches the username.
>>>> 
>>>> Fri Apr 23 09:59:40 2010: DEBUG: Response type 13
>>>> Fri Apr 23 09:59:40 2010: DEBUG: Certificate Subject Name is /DC=com/DC=DOMAIN/O=TEST/CN=host1.domain.com
>>>> Fri Apr 23 09:59:40 2010: DEBUG: Checking subjectAltName type 2, value host1.domain.com
>>>> Fri Apr 23 09:59:40 2010: INFO: EAP TLS client certificate subject /DC=com/DC=DOMAIN/O=TEST/CN=host1.domain.com does not match
>>>> user name host/host1.domain.com@unknown or identity host/host1.domain.com
>>>> Fri Apr 23 09:59:40 2010: INFO: EAP TLS certificate verification failed: application verification failure,  14579: 1 - error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>>>> 
>>>> 
>>>> What is the right way to configure Radiator or how should the certificate be created ?
>>>> 
>>>> Thank you
>>>> Markus
>>>> _______________________________________________
>>>> radiator mailing list
>>>> radiator at open.com.au
>>>> http://www.open.com.au/mailman/listinfo/radiator
>>> 
>>> 
>>> 
>>> NB:
>>> 
>>> Have you read the reference manual ("doc/ref.html")?
>>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>>> Have you had a quick look on Google (www.google.com)?
>>> Have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>> 
>>> -- 
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>> Includes support for reliable RADIUS transport (RadSec),
>>> and DIAMETER translation agent.
>>> -
>>> Nets: internetwork inventory and management - graphical, extensible,
>>> flexible with hardware, software, platform and database independence.
>>> -
>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>> 
>> 
>> 
>> 
> 
> 
> 



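The normalisation discussed in the thread (strip the leading "host/" that Windows machine authentication puts in front of the FQDN, strip the "@unknown" realm suffix, then compare the bare name with the client certificate's CN or subjectAltName dNSName), as an added Python example. This is not code from the thread and not Radiator's own implementation; Radiator does this matching internally and the RewriteUsername directive takes a Perl substitution. The example assumes that "@unknown" is a default realm appended by the include file the thread does not show, that the subject string is the one-line OpenSSL form as Radiator logs it (no "/" inside attribute values), and that the SAN dNSName values have already been extracted from the certificate. All inputs are constructed from the trace in the thread.

```python
import re

# Regex equivalent of the thread's handler rewrite, RewriteUsername s/host\/(.*)/$1/.
# Windows machine authentication sends the EAP identity as host/<fqdn>.
HOST_PREFIX = re.compile(r"^host/(.+)$")

# Realm suffixes that are not part of the machine name. "@unknown" is what the
# thread's log shows; it is assumed to be a default realm appended by the include
# file that is not shown in the thread. Realms not listed here are kept.
DEFAULT_REALMS = ("unknown",)


def strip_host_prefix(user_name):
    """host/host1.domain.com -> host1.domain.com; other names are unchanged."""
    m = HOST_PREFIX.match(user_name)
    return m.group(1) if m else user_name


def strip_realm(user_name, realms=DEFAULT_REALMS):
    """Remove a trailing @realm only if the realm is one we know is synthetic."""
    name, sep, realm = user_name.rpartition("@")
    if sep and realm.lower() in realms:
        return name
    return user_name


def machine_identity(user_name):
    """Bare, lower-cased FQDN for a host/ identity, or None for a user identity."""
    if not HOST_PREFIX.match(user_name):
        return None
    return strip_realm(strip_host_prefix(user_name)).lower()


def cn_from_subject(subject):
    """CN from an OpenSSL one-line subject as Radiator logs it, e.g.
    /DC=com/DC=DOMAIN/O=TEST/CN=host1.domain.com. Assumes no '/' inside values."""
    for rdn in subject.split("/"):
        if rdn.startswith("CN="):
            return rdn[len("CN="):]
    return None


def cert_matches(identity, subject_cn, san_dns_names):
    """Exact, case-insensitive match of the FQDN against the client certificate's
    CN or any subjectAltName dNSName. No wildcard or suffix matching: a machine
    certificate must name exactly the host that presents it."""
    if identity is None:
        return None
    if subject_cn and subject_cn.lower() == identity:
        return "CN"
    for dns_name in san_dns_names:
        if dns_name.lower() == identity:
            return "SAN:dNSName"
    return None


def verify_request(user_name, subject, san_dns_names):
    """(identity, matched_by) for one Access-Request; matched_by is None on failure.
    The User-Name is client-supplied, so the decision must rest on the certificate
    the TLS handshake verified; this check only ties the presented identity to it."""
    identity = machine_identity(user_name)
    return identity, cert_matches(identity, cn_from_subject(subject), san_dns_names)


if __name__ == "__main__":
    # Constructed inputs modelled on the thread's trace: the Windows client's
    # identity, the same name after the include file appended "@unknown", a
    # user identity, and a host identity in a realm we do not strip.
    subject = "/DC=com/DC=DOMAIN/O=TEST/CN=host1.domain.com"
    san = ["host1.domain.com"]
    for user_name in ("host/host1.domain.com",
                      "host/host1.domain.com@unknown",
                      "alice@domain.com",
                      "host/host1.domain.com@corp.example"):
        identity, matched_by = verify_request(user_name, subject, san)
        verdict = "ACCEPT" if matched_by else "REJECT"
        print(f"{user_name:40} -> identity={identity!r:38} {verdict} ({matched_by})")
```

Only realms known to be synthetic are stripped: a "host/fqdn@corp.example" identity keeps its realm and fails the match rather than being silently accepted against a certificate for a different name. A user identity such as "alice@domain.com" yields no machine identity at all and should be routed to the user-authentication handler instead of being compared with a machine certificate.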