I have eap.conf configured with
check_cert_cn = %{User-Name}
But even if the username is different from the CN, the user still gets an Access-Accept.
Here are some clips of my debug that show the names don't match:
Mon May 10 17:47:34 2004 : Info: --> User-Name = bob
Mon May 10 17:47:34 2004 : Info: --> BUF-Name = b5 root
Mon May 10 17:47:34 2004 : Info: --> subject = /C=CA/ST=Ontario/L=Toronto/O=lab2/OU=lab2 wireless/CN=b5 root
Mon May 10 17:47:34 2004 : Info: --> issuer = /C=CA/ST=Ontario/L=Toronto/O=lab2/OU=lab2 wireless/CN=b5 root
Mon May 10 17:47:34 2004 : Info: --> verify return:1
Mon May 10 17:47:34 2004 : Debug: radius_xlat: 'bob'
Mon May 10 17:47:34 2004 : Debug: rlm_eap_tls: checking certificate CN (tony) with xlat'ed value (bob)
Mon May 10 17:47:34 2004 : Auth: rlm_eap_tls: Certificate CN (tony) does not match specified value (bob)!
Mon May 10 17:47:34 2004 : Info: chain-depth=0,
Mon May 10 17:47:34 2004 : Info: error=0
Mon May 10 17:47:34 2004 : Info: --> User-Name = bob
Mon May 10 17:47:34 2004 : Info: --> BUF-Name = tony
Mon May 10 17:47:34 2004 : Info: --> subject = /C=CA/ST=Ontario/L=Toronto/O=lab2/OU=lab2 wireless/CN=tony
Mon May 10 17:47:34 2004 : Info: --> issuer = /C=CA/ST=Ontario/L=Toronto/O=lab2/OU=lab2 wireless/CN=b5 root
Mon May 10 17:47:34 2004 : Info: --> verify return:0
And here are more clips from the same debug where the access is accepted:
Mon May 10 17:47:34 2004 : Debug: Processing the authorize section of radiusd.conf
Mon May 10 17:47:34 2004 : Debug: modcall: entering group authorize for request 3
Mon May 10 17:47:34 2004 : Debug: modsingle[authorize]: calling files (rlm_files) for request 3
Mon May 10 17:47:34 2004 : Debug: users: Matched bob at 68
Mon May 10 17:47:34 2004 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 3
Mon May 10 17:47:34 2004 : Debug: modcall[authorize]: module "files" returns ok for request 3
Mon May 10 17:47:34 2004 : Debug: modcall: group authorize returns ok for request 3
Mon May 10 17:47:34 2004 : Debug: rad_check_password: Found Auth-Type EAP
Mon May 10 17:47:34 2004 : Debug: auth: type "EAP"
Mon May 10 17:47:34 2004 : Debug: Processing the authenticate section of radiusd.conf
Mon May 10 17:47:34 2004 : Debug: modcall: entering group authenticate for request 3
Mon May 10 17:47:34 2004 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 3
Mon May 10 17:47:34 2004 : Debug: rlm_eap: Request found, released from the list
Mon May 10 17:47:34 2004 : Debug: rlm_eap: EAP/tls
Mon May 10 17:47:34 2004 : Debug: rlm_eap: processing type tls
Mon May 10 17:47:34 2004 : Debug: rlm_eap_tls: Authenticate
Mon May 10 17:47:34 2004 : Debug: rlm_eap_tls: processing TLS
Mon May 10 17:47:34 2004 : Info: rlm_eap_tls: Length Included
Mon May 10 17:47:34 2004 : Debug: eaptls_verify returned 11
Mon May 10 17:47:34 2004 : Debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 026c], Certificate
Mon May 10 17:47:34 2004 : Info: chain-depth=1,
Mon May 10 17:47:34 2004 : Info: error=0
Mon May 10 17:47:34 2004 : Info: --> User-Name = bob
Mon May 10 17:47:34 2004 : Info: --> BUF-Name = b5 root
Mon May 10 17:47:34 2004 : Info: --> subject = /C=CA/ST=Ontario/L=Toronto/O=lab2/OU=lab2 wireless/CN=b5 root
Mon May 10 17:47:34 2004 : Info: --> issuer = /C=CA/ST=Ontario/L=Toronto/O=lab2/OU=lab2 wireless/CN=b5 root
Mon May 10 17:47:34 2004 : Info: --> verify return:1
Mon May 10 17:47:34 2004 : Debug: radius_xlat: 'bob'
Mon May 10 17:47:34 2004 : Debug: rlm_eap_tls: checking certificate CN (tony) with xlat'ed value (bob)
Mon May 10 17:47:34 2004 : Auth: rlm_eap_tls: Certificate CN (tony) does not match specified value (bob)!
Mon May 10 17:47:34 2004 : Info: chain-depth=0,
Mon May 10 17:47:34 2004 : Info: error=0
Mon May 10 17:47:34 2004 : Info: --> User-Name = bob
Mon May 10 17:47:34 2004 : Info: --> BUF-Name = tony
Mon May 10 17:47:34 2004 : Info: --> subject = /C=CA/ST=Ontario/L=Toronto/O=lab2/OU=lab2 wireless/CN=tony
Mon May 10 17:47:34 2004 : Info: --> issuer = /C=CA/ST=Ontario/L=Toronto/O=lab2/OU=lab2 wireless/CN=b5 root
Mon May 10 17:47:34 2004 : Info: --> verify return:0
Mon May 10 17:47:34 2004 : Info: TLS_accept: SSLv3 read client certificate A
Mon May 10 17:47:34 2004 : Debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
Mon May 10 17:47:34 2004 : Info: TLS_accept: SSLv3 read client key exchange A
Mon May 10 17:47:34 2004 : Debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify
Mon May 10 17:47:34 2004 : Info: TLS_accept: SSLv3 read certificate verify A
Mon May 10 17:47:34 2004 : Debug: rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
Mon May 10 17:47:34 2004 : Debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
Mon May 10 17:47:34 2004 : Info: TLS_accept: SSLv3 read finished A
Mon May 10 17:47:34 2004 : Debug: rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
Mon May 10 17:47:34 2004 : Info: TLS_accept: SSLv3 write change cipher spec A
Mon May 10 17:47:34 2004 : Debug: rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
Mon May 10 17:47:34 2004 : Info: TLS_accept: SSLv3 write finished A
Mon May 10 17:47:34 2004 : Info: TLS_accept: SSLv3 flush data
Mon May 10 17:47:34 2004 : Info: (other): SSL negotiation finished successfully
Mon May 10 17:47:34 2004 : Debug: SSL Connection Established
Mon May 10 17:47:34 2004 : Debug: eaptls_process returned 13
Mon May 10 17:47:34 2004 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 3
Mon May 10 17:47:34 2004 : Debug: modcall[authenticate]: module "eap" returns handled for request 3
Mon May 10 17:47:34 2004 : Debug: modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 138 to 192.168.10.178:1024
    EAP-Message = 0x010600350d800000002b1403010001011603010020372c5d82bc3d9eac2284b1b90f70dae53d50d312ec1ab541fabe21ef00453f89
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xbecfa590d663509895263c5f4af07559
Mon May 10 17:47:34 2004 : Debug: Finished request 3
Mon May 10 17:47:34 2004 : Debug: Going to the next request
Mon May 10 17:47:34 2004 : Debug: Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.10.178:1024, id=139, length=185
    Framed-MTU = 1466
    NAS-IP-Address = 192.168.10.178
    NAS-Identifier = "lab2"
    User-Name = "bob"
    Service-Type = Framed-User
    NAS-Port = 256
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "wl0"
    Called-Station-Id = "00-0d-93-7d-6b-7d"
    Calling-Station-Id = "00-0c-41-d4-ee-5b"
    Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
    State = 0xbecfa590d663509895263c5f4af07559
    EAP-Message = 0x020600060d00
    Message-Authenticator = 0xe574d16345caff97b668ff9a038b6c8f
Mon May 10 17:47:34 2004 : Debug: Processing the authorize section of radiusd.conf
Mon May 10 17:47:34 2004 : Debug: modcall: entering group authorize for request 4
Mon May 10 17:47:34 2004 : Debug: modsingle[authorize]: calling files (rlm_files) for request 4
Mon May 10 17:47:34 2004 : Debug: users: Matched bob at 68
Mon May 10 17:47:34 2004 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 4
Mon May 10 17:47:34 2004 : Debug: modcall[authorize]: module "files" returns ok for request 4
Mon May 10 17:47:34 2004 : Debug: modcall: group authorize returns ok for request 4
Mon May 10 17:47:34 2004 : Debug: rad_check_password: Found Auth-Type EAP
Mon May 10 17:47:34 2004 : Debug: auth: type "EAP"
Mon May 10 17:47:34 2004 : Debug: Processing the authenticate section of radiusd.conf
Mon May 10 17:47:34 2004 : Debug: modcall: entering group authenticate for request 4
Mon May 10 17:47:34 2004 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 4
Mon May 10 17:47:34 2004 : Debug: rlm_eap: Request found, released from the list
Mon May 10 17:47:34 2004 : Debug: rlm_eap: EAP/tls
Mon May 10 17:47:34 2004 : Debug: rlm_eap: processing type tls
Mon May 10 17:47:34 2004 : Debug: rlm_eap_tls: Authenticate
Mon May 10 17:47:34 2004 : Debug: rlm_eap_tls: processing TLS
Mon May 10 17:47:34 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Mon May 10 17:47:34 2004 : Debug: rlm_eap_tls: ack handshake is finished
Mon May 10 17:47:34 2004 : Debug: eaptls_verify returned 3
Mon May 10 17:47:34 2004 : Debug: eaptls_process returned 3
Mon May 10 17:47:34 2004 : Debug: rlm_eap: Freeing handler
Mon May 10 17:47:34 2004 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 4
Mon May 10 17:47:34 2004 : Debug: modcall[authenticate]: module "eap" returns ok for request 4
Mon May 10 17:47:34 2004 : Debug: modcall: group authenticate returns ok for request 4
Mon May 10 17:47:34 2004 : Auth: Login OK: [bob] (from client lab2 port 256 cli 00-0c-41-d4-ee-5b)
Sending Access-Accept of id 139 to 192.168.10.178:1024
    MS-MPPE-Recv-Key = 0x8ce2a4dbe7911cf44a6c904dd219cc77b9e653e99a4c6629d268bec9dcd7cc4b
    MS-MPPE-Send-Key = 0xe9c23784ea1bbc9b3a9a054d33058aac0b7c96b092aef05dd8d913e330dd1790
    EAP-Message = 0x03060004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "bob"
Can anyone please help with this?
Thanks, Tony
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
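One way for an operator to audit a radiusd debug log for exactly the behaviour described in this post, as an added example that is not part of the original message and not FreeRADIUS code: it correlates each "rlm_eap_tls: Certificate CN (...) does not match specified value (...)" line with the later "Login OK" for the same User-Name, so sessions where a failed check_cert_cn comparison was nevertheless followed by an Access-Accept stand out. The sample log is constructed from the lines quoted above plus two hypothetical sessions (users carol and dave) for contrast; the "Login incorrect" format is assumed to follow the same "[user]" bracket convention as "Login OK".

```python
import re

# Constructed sample, modelled on the FreeRADIUS 0.9/1.x debug output quoted in
# the post. The carol and dave sessions are hypothetical additions.
SAMPLE_LOG = """\
Mon May 10 17:47:34 2004 : Info: --> User-Name = bob
Mon May 10 17:47:34 2004 : Info: --> BUF-Name = tony
Mon May 10 17:47:34 2004 : Info: --> subject = /C=CA/ST=Ontario/L=Toronto/O=lab2/OU=lab2 wireless/CN=tony
Mon May 10 17:47:34 2004 : Debug: rlm_eap_tls: checking certificate CN (tony) with xlat'ed value (bob)
Mon May 10 17:47:34 2004 : Auth: rlm_eap_tls: Certificate CN (tony) does not match specified value (bob)!
Mon May 10 17:47:34 2004 : Info: --> verify return:0
Mon May 10 17:47:34 2004 : Auth: Login OK: [bob] (from client lab2 port 256 cli 00-0c-41-d4-ee-5b)
Sending Access-Accept of id 139 to 192.168.10.178:1024
Mon May 10 17:48:01 2004 : Auth: rlm_eap_tls: Certificate CN (alice) does not match specified value (dave)!
Mon May 10 17:48:01 2004 : Auth: Login incorrect: [dave] (from client lab2 port 256 cli 00-0c-41-d4-ee-5c)
Mon May 10 17:48:10 2004 : Auth: Login OK: [carol] (from client lab2 port 256 cli 00-0c-41-d4-ee-5d)
"""

# Patterns taken from the message formats visible in the post.
CN_MISMATCH = re.compile(
    r"rlm_eap_tls: Certificate CN \((?P<cn>[^)]*)\) does not match specified value \((?P<user>[^)]*)\)"
)
LOGIN_OK = re.compile(r"Auth: Login OK: \[(?P<user>[^\]]*)\]")
# Assumed format for a rejection; stops at '/' because older builds log "[user/password]".
LOGIN_FAIL = re.compile(r"Auth: Login incorrect: \[(?P<user>[^\]/]*)")


def find_accepts_despite_cn_mismatch(log_text):
    """Return (user, cert_cn) pairs for every 'Login OK' that followed a
    check_cert_cn mismatch for the same User-Name with no rejection in between.

    The CN check runs inside the TLS handshake, several RADIUS round trips
    before the final Access-Accept/Reject, so the mismatch is remembered per
    User-Name until that user's session reaches an outcome."""
    pending = {}     # user -> certificate CN that failed the check, outcome unknown yet
    findings = []
    for line in log_text.splitlines():
        m = CN_MISMATCH.search(line)
        if m:
            pending[m.group("user")] = m.group("cn")
            continue
        m = LOGIN_FAIL.search(line)
        if m:
            # The failed check had its intended effect: nothing to report.
            pending.pop(m.group("user"), None)
            continue
        m = LOGIN_OK.search(line)
        if m:
            user = m.group("user")
            if user in pending:
                findings.append((user, pending.pop(user)))
    return findings


def summarize(log_text):
    """Count outcomes so the findings can be read against the total volume."""
    ok = sum(1 for line in log_text.splitlines() if LOGIN_OK.search(line))
    bad = sum(1 for line in log_text.splitlines() if LOGIN_FAIL.search(line))
    return {"login_ok": ok, "login_incorrect": bad,
            "accept_after_cn_mismatch": len(find_accepts_despite_cn_mismatch(log_text))}


if __name__ == "__main__":
    for user, cn in find_accepts_despite_cn_mismatch(SAMPLE_LOG):
        print(f"ACCEPTED DESPITE CN MISMATCH: User-Name={user!r} certificate CN={cn!r}")
    print(summarize(SAMPLE_LOG))
```

Run it against the output of radiusd -X redirected to a file; on the sample it reports the bob/tony session and nothing for dave, whose mismatch was followed by a rejection. It keys on User-Name only, so if a NAS reuses the same outer identity for several concurrent sessions the pairing can be ambiguous; the Calling-Station-Id in the "Login OK" line would be the next field to add.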

