[RADIATOR] WLAN EAP-TLS auth issue
Hugh Irvine
hugh at open.com.au
Thu Nov 4 17:35:52 CDT 2010
Hello Markus -
Because most people want it enabled.
regards
Hugh
On 5 Nov 2010, at 06:45, Markus Moeller wrote:
> That solved it. Why is this not the default ?
>
> Thank you
> Markus
>
> ----- Original Message -----
> From: "Sami Keski-Kasari" <samikk at archred.com>
> To: "Markus Moeller" <huaraz at moeller.plus.com>; <radiator at open.com.au>
> Sent: Wednesday, November 03, 2010 9:07 PM
> Subject: Re: [RADIATOR] WLAN EAP-TLS auth issue
>
>
>> Have you tried EAPTLS_SessionResumption 0?
>>
>> --
>> Sami
>>
>> "Markus Moeller" <huaraz at moeller.plus.com> wrote:
>>
>>> BTW I use version 4.7.
>>> ----- Original Message -----
>>> From: Markus Moeller
>>> To: radiator at open.com.au
>>> Sent: Wednesday, November 03, 2010 8:04 PM
>>> Subject: WLAN EAP-TLS auth issue
>>>
>>>
>>> Hi
>>>
>>> I am testing EAP-TLS auth with Radiator and came across the following.
>>> I have two SSIDs SSID-1 and SSID-2 and want to restrict access to
>>> SSID-1, SSID-2 based on the certificate issue. e.g. on SSID-1 I allow
>>> certs from issue COMP-A and on SSID2 from COMP-B. What I notice is that
>>> once a user lets say authenticates to SSID-1 successfully and the
>>> disconnects and connects to SSID-2 the EAPTLS Hook is not called (see
>>> log example). I also see the the server is not sending the CA to the
>>> client. Can it be that it is not seen as a new session ?
>>>
>>> I have the following configuration.
>>>
>>>
>>> # EAPTLS authentication
>>> <AuthBy FILE>
>>> Identifier EapTLS
>>> # the file is used to check usernames (assuming EAP-TLS certificate
>>> checks pass): just contains DEFAULT
>>> Filename %D/wlan_users
>>> EAPType TLS
>>> # WLAN Additional Certificate Check
>>> EAPTLS_CertificateVerifyHook file:"%D/cert_check.pl"
>>> # WLAN root CAs
>>> EAPTLS_CAFile %D/certs/CAa.pem
>>>
>>> EAPTLS_CertificateType PEM
>>> # Radiator Cert
>>> EAPTLS_CertificateFile %D/certs/server_cert.pem
>>> # Radiator private key
>>> EAPTLS_PrivateKeyFile %D/certs/server_cert.key
>>>
>>> EAPTLS_MaxFragmentSize 1000
>>>
>>> EAPTLS_CRLCheck
>>> EAPTLS_CRLFile %D/certs/crls/Root_CA.pem
>>>
>>> AutoMPPEKeys
>>> </AuthBy>
>>>
>>>
>>>
>>> sub {
>>>
>>> use Crypt::OpenSSL::X509;
>>> &main::log($main::LOG_DEBUG,"cert_check: enter hook");
>>>
>>> # Pointer to request structure
>>> my $p0 = $_[0]; # $matchdn
>>> my $p1 = $_[1]; # $x509_store_ctx
>>> my $p2 = $_[2]; # $cert
>>> my $p3 = $_[3]; # $subject_name
>>> my $p4 = $_[4]; # $subject
>>> my $p = $_[5]; # $p Radius Request
>>>
>>> my $issuer_name =
>>> &Net::SSLeay::X509_NAME_oneline(&Net::SSLeay::X509_get_issuer_name($p2));
>>>
>>> my $x509 =
>>> Crypt::OpenSSL::X509->new_from_string(&Net::SSLeay::PEM_get_string_X509($p2));
>>> my $extensions = &Crypt::OpenSSL::X509::extensions_by_name($x509);
>>>
>>> my @extendedKeyUsage =
>>> &Crypt::OpenSSL::X509::Extension::extKeyUsage($extensions->{extendedKeyUsage});
>>>
>>> my $eku_req_client_auth = grep { /clientAuth/ } ( @extendedKeyUsage );
>>> my $eku_req_client_any = grep { /anyExtendedKeyUsage/ } (
>>> @extendedKeyUsage );
>>>
>>>
>>> &main::log($main::LOG_DEBUG,"cert_check: matchDN: $p0");
>>> &main::log($main::LOG_DEBUG,"cert_check: issuer: $issuer_name");
>>> &main::log($main::LOG_DEBUG,"cert_check: Extended Key Usage strings
>>> found in certificate: " . (join " & ", @extendedKeyUsage) );
>>>
>>> # User certificate CA strings:
>>> user_CA = 'CN=User CA, OU=Test, C=UK';
>>>
>>> # bail out if cannot determine the extendedKeyUsage for this
>>> certificate:
>>> if ( $eku_req_client_auth == 0 && $eku_req_client_any == 0 ) {
>>> &main::log($main::LOG_ERR,"cert_check: certificate presented does not
>>> have required values present in Extended Key Usage field.");
>>> return undef;
>>> }
>>>
>>> # test each issuer string (which is valid for this ssid) against
>>> # the issuer string in the certificate in the request:
>>> my $match = 0;
>>>
>>> if ($issuer_name =~ /^$user_CA$/) {
>>> $match++;
>>> &main::log($main::LOG_DEBUG,"cert_check: Successful match for
>>> issuer_name [$issuer_name] with issuer_string [$user_CA]");
>>> }
>>>
>>>
>>> if ( $match == 0 ) {
>>> &main::log($main::LOG_ERR,"cert_check: invalid certificate issuer
>>> [$issuer_name] in request.");
>>> return undef;
>>> }
>>>
>>> }
>>>
>>>
>>> Wed Nov 3 09:32:20 2010: DEBUG: Packet dump:
>>> *** Received from 191.169.1.21 port 32768 ....
>>> Code: Access-Request
>>> Identifier: 153
>>> Authentic: +R<20><209><177><167>5/<246>y%<135><133><134><191><173>
>>> Attributes:
>>> User-Name = "user1 at TEST.UK"
>>> Calling-Station-Id = "00-22-fa-aa-bb-cc"
>>> Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
>>> NAS-Port = 29
>>> NAS-IP-Address = 191.169.1.21
>>> NAS-Identifier = "Controller1"
>>> Airespace-WLAN-Id = 7
>>> Service-Type = Framed-User
>>> Framed-MTU = 1300
>>> NAS-Port-Type = Wireless-IEEE-802-11
>>> Tunnel-Type = 0:VLAN
>>> Tunnel-Medium-Type = 0:802
>>> Tunnel-Private-Group-ID = 662
>>> EAP-Message = <2><3><0><18><1>user1 at TEST.UK
>>> Message-Authenticator =
>>> L><159><3>4<221><139>8<214>g<237><153><22>v<200><197>
>>>
>>> Wed Nov 3 09:32:20 2010: DEBUG: Handling request with Handler
>>> 'DeviceClass="WLAN"'
>>> Wed Nov 3 09:32:20 2010: DEBUG: Deleting session for user1 at TEST.UK,
>>> 191.169.1.21, 29
>>> Wed Nov 3 09:32:20 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
>>> Wed Nov 3 09:32:20 2010: DEBUG: Handling with EAP: code 2, 3, 18, 1
>>> Wed Nov 3 09:32:20 2010: DEBUG: Response type 1
>>> Wed Nov 3 09:32:20 2010: DEBUG: EAP result: 3, EAP TLS Challenge
>>> Wed Nov 3 09:32:20 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS
>>> Challenge
>>> Wed Nov 3 09:32:20 2010: DEBUG: Access challenged for user1 at TEST.UK:
>>> EAP TLS Challenge
>>> Wed Nov 3 09:32:20 2010: DEBUG: Packet dump:
>>> *** Sending to 191.169.1.21 port 32768 ....
>>> Code: Access-Challenge
>>> Identifier: 153
>>> Authentic: <213>o<31><153>j1<190><209>Yu&<238><166><210>_<16>
>>> Attributes:
>>> EAP-Message = <1><4><0><6><13>
>>> Message-Authenticator =
>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>
>>> Wed Nov 3 09:32:21 2010: DEBUG: Packet dump:
>>> *** Received from 191.169.1.21 port 32768 ....
>>> Code: Access-Request
>>> Identifier: 154
>>> Authentic: >k<16>#p<154><1><245><194>d<165><131><189><143><237><142>
>>> Attributes:
>>> User-Name = "user1 at TEST.UK"
>>> Calling-Station-Id = "00-22-fa-aa-bb-cc"
>>> Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
>>> NAS-Port = 29
>>> NAS-IP-Address = 191.169.1.21
>>> NAS-Identifier = "Controller1"
>>> Airespace-WLAN-Id = 7
>>> Service-Type = Framed-User
>>> Framed-MTU = 1300
>>> NAS-Port-Type = Wireless-IEEE-802-11
>>> Tunnel-Type = 0:VLAN
>>> Tunnel-Medium-Type = 0:802
>>> Tunnel-Private-Group-ID = 662
>>> EAP-Message =
>>> <2><4><0>W<13><128><0><0><0>M<22><3><1><0>H<1><0><0>D<3><1>L<209>,%<239><146><242><12><235><234>.'<3>h<6><31><178>Y3<155><194><158><177>A<142><239><188>T}<202>J&<0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0><0><5><255><1><0><1><0>
>>> Message-Authenticator =
>>> Pg<184><167>vMr<0><24>D<189><210><248>a<241><191>
>>>
>>> Wed Nov 3 09:32:21 2010: DEBUG: Handling request with Handler
>>> 'DeviceClass="WLAN"'
>>> Wed Nov 3 09:32:21 2010: DEBUG: Deleting session for user1 at TEST.UK,
>>> 191.169.1.21, 29
>>> Wed Nov 3 09:32:21 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
>>> Wed Nov 3 09:32:21 2010: DEBUG: Handling with EAP: code 2, 4, 87, 13
>>> Wed Nov 3 09:32:21 2010: DEBUG: Response type 13
>>> Wed Nov 3 09:32:21 2010: DEBUG: EAP result: 3, EAP TLS Challenge
>>> Wed Nov 3 09:32:21 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS
>>> Challenge
>>> Wed Nov 3 09:32:21 2010: DEBUG: Access challenged for user1 at TEST.UK:
>>> EAP TLS Challenge
>>> Wed Nov 3 09:32:21 2010: DEBUG: Packet dump:
>>> *** Sending to 191.169.1.21 port 32768 ....
>>> Code: Access-Challenge
>>> Identifier: 154
>>> Authentic: y<241><254>,<218>r_<188>Cx<13><222>|<229>;S
>>> Attributes:
>>> EAP-Message = <1><5><3><242><13><192><0><0><19><9><22><3><....
>>> EAP-Message = Z<23><13>111014083918Z0i1<19>0<17><6><10><9><146>.....
>>> EAP-Message = <136><11><151><141>_<172>gL<222>)<25><142><186>.....
>>> EAP-Message = ........
>>> Message-Authenticator =
>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>
>>> Wed Nov 3 09:32:22 2010: DEBUG: Packet dump:
>>> *** Received from 191.169.1.21 port 32768 ....
>>> Code: Access-Request
>>> Identifier: 155
>>> Authentic: <158><174><179>V<16><12><128><213><222>6M<173><201>g?<134>
>>> Attributes:
>>> User-Name = "user1 at TEST.UK"
>>> Calling-Station-Id = "00-22-fa-aa-bb-cc"
>>> Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
>>> NAS-Port = 29
>>> NAS-IP-Address = 191.169.1.21
>>> NAS-Identifier = "Controller1"
>>> Airespace-WLAN-Id = 7
>>> Service-Type = Framed-User
>>> Framed-MTU = 1300
>>> NAS-Port-Type = Wireless-IEEE-802-11
>>> Tunnel-Type = 0:VLAN
>>> Tunnel-Medium-Type = 0:802
>>> Tunnel-Private-Group-ID = 662
>>> EAP-Message = <2><5><0><6><13><0>
>>> Message-Authenticator = <178>[ ,i<24>f<24><<17><176>Dx]g<164>
>>>
>>> Wed Nov 3 09:32:22 2010: DEBUG: Handling request with Handler
>>> 'DeviceClass="WLAN"'
>>> Wed Nov 3 09:32:22 2010: DEBUG: Deleting session for user1 at TEST.UK,
>>> 191.169.1.21, 29
>>> Wed Nov 3 09:32:22 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
>>> Wed Nov 3 09:32:22 2010: DEBUG: Handling with EAP: code 2, 5, 6, 13
>>> Wed Nov 3 09:32:22 2010: DEBUG: Response type 13
>>>
>> --
>> Sami
>>
>>
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
More information about the radiator
mailing list