Hi,

Subject: Re: CN check against User Name - EAP-TLS
From: Michael Griego <[EMAIL PROTECTED]>
Date: Fri, 18 Jun 2004 05:55:21 -0500

Do you have any debugging output to show for when it should allow the
user and when it shouldn't allow the user?

--Mike


Ok, thanks for the support, here is the debugging stuff (tried to make it as little noisy as possible):

1. From radiusd.log

Fri Jun 18 15:06:34 2004 : Info: rlm_eap_tls: Length Included
Fri Jun 18 15:06:34 2004 : Error: TLS_accept:error in SSLv3 read client certificate A
Fri Jun 18 15:06:34 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Fri Jun 18 15:06:35 2004 : Info: rlm_eap_tls: Received EAP-TLS First Fragment of the message
Fri Jun 18 15:06:35 2004 : Auth: rlm_eap_tls: Certificate CN (Surname Name) does not match specified value (nimp)!
Fri Jun 18 15:06:35 2004 : Info: (other): SSL negotiation finished successfully
Fri Jun 18 15:06:35 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Fri Jun 18 15:06:35 2004 : Auth: Login OK: [nimp/<no User-Password attribute>] (from client HP2626 port 3 cli 00-d0-59-7a-b6-81)


2. From replydetail:

Packet-Type = Access-Accept
Fri Jun 18 15:06:35 2004
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
        MS-MPPE-Recv-Key = 0x459dbc226905e1ce46366fe24b1a0affac11b941c2bf7a28efb785299a652143
        MS-MPPE-Send-Key = 0x6429091bd04c8d083fd38784facb13cdf002376246167642da105cc6bfa60b01
        EAP-Message = 0x03790004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "nimp"

*************************
Here we can see that the user "nimp" is unknown in the users file and does not match the CN of the certificate he supplied. However freeradius accepts him and uses the default account in the users file. (There is something strange with the SSL error; I can't deal with this.)


Now a login attempt with the right username (i.e. equal to the CN):

1. From radiusd.log

Fri Jun 18 15:36:04 2004 : Info: rlm_eap_tls: Length Included
Fri Jun 18 15:36:04 2004 : Error: TLS_accept:error in SSLv3 read client certificate A
Fri Jun 18 15:36:04 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Fri Jun 18 15:36:04 2004 : Info: rlm_eap_tls: Received EAP-TLS First Fragment of the message
Fri Jun 18 15:36:04 2004 : Info: (other): SSL negotiation finished successfully
Fri Jun 18 15:36:04 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Fri Jun 18 15:36:04 2004 : Auth: Login OK: [Surname Name/<no User-Password attribute>] (from client HP2626 port 3 cli 00-d0-59-7a-b6-81)


2. From replydetail:

Packet-Type = Access-Accept
Fri Jun 18 15:36:04 2004
        Reply-Message = "Hello"
        MS-MPPE-Recv-Key = 0xaae75fffd314a20444df5348b008290cbeb5c73935a110fdfdd5b978d4af102e
        MS-MPPE-Send-Key = 0x016156318c111b228b0450f01d614609bb0b38c3aa92840edbf28a63a0182b14
        EAP-Message = 0x038b0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "Surname Name"


*************************

And finally a login attempt with a wrong certificate, which is correctly rejected:

Fri Jun 18 15:54:00 2004 : Info: rlm_eap_tls: Length Included
Fri Jun 18 15:54:00 2004 : Error: TLS_accept:error in SSLv3 read client certificate A
Fri Jun 18 15:54:00 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Fri Jun 18 15:54:00 2004 : Info: rlm_eap_tls: Received EAP-TLS First Fragment of the message
Fri Jun 18 15:54:00 2004 : Error: --> verify error:num=20:unable to get local issuer certificate
Fri Jun 18 15:54:00 2004 : Auth: rlm_eap_tls: Certificate CN (test) does not match specified value (Surname Name)!
Fri Jun 18 15:54:00 2004 : Error: TLS Alert write:fatal:unknown CA
Fri Jun 18 15:54:00 2004 : Error: TLS_accept:error in SSLv3 read client certificate B
Fri Jun 18 15:54:00 2004 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Fri Jun 18 15:54:00 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Fri Jun 18 15:54:00 2004 : Auth: Login incorrect: [Surname Name/<no User-Password attribute>] (from client HP2626 port 3 cli 00-d0-59-7a-b6-81)



Am I missing something? Do you need more and/or different output? Thanks


On Fri, 2004-06-18 at 05:34, pouet wrote:


Hi,
I am trying to use the "check_cert_cn = %{User-Name}" option in the tls section of eap.conf. It's not working: as long as the user's certificate is OK, freeradius accepts him whatever he typed in the User-Name field, which is sent in response to an EAP-Request-ID message. Is there someone here who is using this option with more luck? My goal is to give different privileges to users depending on their CN (for now it is CN, but are DN or mail address possible alternatives?). For this freeradius must match a user name in the users file, and to make it impossible for a trusted user (who owns a good certificate for the network) to use the privileges of another user, I must use this option. Tell me if I'm wrong on this.
I have searched but only found an old patch (didn't try it) from Michael Griego in Nov 2003 and an unanswered message from Anthony Lopez in May 2004. Any clue?
Thanks

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
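The first and third attempts above show the same "Certificate CN (...) does not match specified value (...)!" line, but only the third ends in "Login incorrect". A defender reviewing radiusd.log wants that pairing made explicit: a CN mismatch that is still followed by "Login OK" for the same User-Name means the check_cert_cn binding is not being enforced. The script below is an added example, not code from the thread or from the FreeRADIUS project; it re-implements the intended policy (certificate CN must equal User-Name) and runs it over a constructed copy of the log lines quoted in this thread. It assumes the log format shown above and uses the User-Name as the correlation key, since these log lines carry no session id.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: the radiusd.log lines quoted in this thread
# (three EAP-TLS attempts), reduced to the lines the check needs.
SAMPLE_LOG = """\
Fri Jun 18 15:06:35 2004 : Auth: rlm_eap_tls: Certificate CN (Surname Name) does not match specified value (nimp)!
Fri Jun 18 15:06:35 2004 : Info: (other): SSL negotiation finished successfully
Fri Jun 18 15:06:35 2004 : Auth: Login OK: [nimp/<no User-Password attribute>] (from client HP2626 port 3 cli 00-d0-59-7a-b6-81)
Fri Jun 18 15:36:04 2004 : Info: (other): SSL negotiation finished successfully
Fri Jun 18 15:36:04 2004 : Auth: Login OK: [Surname Name/<no User-Password attribute>] (from client HP2626 port 3 cli 00-d0-59-7a-b6-81)
Fri Jun 18 15:54:00 2004 : Auth: rlm_eap_tls: Certificate CN (test) does not match specified value (Surname Name)!
Fri Jun 18 15:54:00 2004 : Error: TLS Alert write:fatal:unknown CA
Fri Jun 18 15:54:00 2004 : Auth: Login incorrect: [Surname Name/<no User-Password attribute>] (from client HP2626 port 3 cli 00-d0-59-7a-b6-81)
"""

# "specified value" is whatever check_cert_cn expanded to; with
# check_cert_cn = %{User-Name} that is the User-Name the supplicant sent.
MISMATCH_RE = re.compile(
    r"Certificate CN \((?P<cn>[^)]*)\) does not match specified value \((?P<expected>[^)]*)\)!"
)
LOGIN_RE = re.compile(
    r"Auth: Login (?P<result>OK|incorrect): \[(?P<user>[^/\]]*)/[^\]]*\]"
    r" \(from client (?P<client>\S+) port (?P<port>\d+) cli (?P<mac>[0-9A-Fa-f-]+)\)"
)


def expected_decision(cert_cn: str, user_name: str) -> str:
    """The policy check_cert_cn = %{User-Name} is meant to enforce:
    the certificate CN must equal the User-Name exactly, otherwise reject."""
    return "accept" if cert_cn == user_name else "reject"


@dataclass
class Finding:
    timestamp: str
    user: str        # User-Name from the Login line
    cert_cn: str     # CN taken from the mismatch line
    result: str      # what the server actually did: OK / incorrect
    client: str
    port: str
    mac: str
    severity: str    # HIGH when a mismatching CN still got Login OK


def find_cn_check_bypass(log_text: str) -> List[Finding]:
    """Pair each 'Certificate CN ... does not match' line with the next
    'Login OK/incorrect' line for the same User-Name and report whether the
    mismatch was actually enforced. User-Name is the correlation key because
    this log format carries no session id (assumption)."""
    pending: Dict[str, Tuple[str, str]] = {}   # user -> (timestamp, cert_cn)
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            pending[m["expected"]] = (line[:24], m["cn"])
            continue
        m = LOGIN_RE.search(line)
        if not m or m["user"] not in pending:
            continue
        ts, cert_cn = pending.pop(m["user"])
        # The mismatch line says the CN check fired; Login OK afterwards
        # means the reject decision was not applied.
        bypassed = m["result"] == "OK" and expected_decision(cert_cn, m["user"]) == "reject"
        findings.append(Finding(
            timestamp=ts, user=m["user"], cert_cn=cert_cn, result=m["result"],
            client=m["client"], port=m["port"], mac=m["mac"],
            severity="HIGH" if bypassed else "INFO",
        ))
    return findings


if __name__ == "__main__":
    for f in find_cn_check_bypass(SAMPLE_LOG):
        print(f"{f.severity}: {f.timestamp} User-Name={f.user!r} cert CN={f.cert_cn!r} "
              f"-> Login {f.result} (client {f.client} port {f.port} cli {f.mac})")
```

Run against the sample, the 15:06:35 attempt is reported as HIGH (CN "Surname Name" presented with User-Name "nimp", yet Login OK) and the 15:54:00 attempt as INFO (mismatch followed by Login incorrect, so the check held); the 15:36:04 attempt produces no finding because no mismatch line precedes it. The same correlation works on a live radiusd.log as long as the two log lines keep the format shown in the thread.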