Hi,

we have another issue also related to storing data between requests. This time
we need to store something between individual sessions with TLS session
resumption.

The business logic in this setup dictates that we need to pass the certificate
issuer and policy to an external authenticator backend.

We extract the certificate issuer and policy in EAPTLS_CertificateVerifyHook and
store them in EAPContext:

        sub {
                my $matchedcn = $_[0];
                my $cert = $_[2];
                my $p = $_[5];

                my $context = $p->{EAPContext};

                use Net::SSLeay;
                use Radius::Context;

                # get issuer
                my $issuer = &Net::SSLeay::X509_NAME_oneline(&Net::SSLeay::X509_get_issuer_name($cert));
                &main::log($main::LOG_DEBUG, "auth-certificate.hook: Peer certificate issuer: $issuer");
                $context->{'issuer'} = $issuer;

                # get policies (NID 89 is OpenSSL's NID_certificate_policies)
                my $rv = Net::SSLeay::X509_get_ext_by_NID($cert, 89, -1);
                if($rv>=0) {
                        my $ext = Net::SSLeay::X509_get_ext($cert, $rv);
                        my $policies = Net::SSLeay::X509V3_EXT_print($ext);
                        # keep only the OID part of each "Policy: <oid>" line
                        $policies =~ s/.*: //g;
                        chomp $policies;
                        &main::log($main::LOG_DEBUG, "auth-certificate.hook: Peer certificate policies: $policies");
                        $context->{'policies'} = $policies;
                } else {
                        &main::log($main::LOG_DEBUG, "auth-certificate.hook: Peer certificate policies not found.");
                }

                return $matchedcn;
        }

We are then able to map the issuer and policy into the request in the
respective AuthBy's AuthHook:

        if( defined $request->{EAPContext} ) {
            my $eap_context = $request->{EAPContext};
            if( defined $eap_context->{'issuer'} ) {
                my $issuer = $eap_context->{'issuer'};
                $request->add_attr('MY-ISSUER',$issuer) ;
                &main::log($main::LOG_DEBUG, "auth.hook: Peer certificate issuer: $issuer");
            }
            if( defined $eap_context->{'policies'} ) {
                my $policies = $eap_context->{'policies'};
                $request->add_attr('MY-POLICY',$policies) ;
                &main::log($main::LOG_DEBUG, "auth.hook: Peer certificate policies: $policies");
            }
        }

This works well to allow us to authenticate the first session of EAP-TLS:

        Tue Feb 27 15:26:03 2018 897279: DEBUG: Handling request with Handler 'EAP-Message = /^.{4}\x0d/', Identifier 'TLSauth'
        Tue Feb 27 15:26:03 2018 897443: DEBUG:  Deleting session for host/FOO-0013.d.XXXX.XX, UNKNOWN, 37765
        Tue Feb 27 15:26:03 2018 897579: DEBUG: Handling with Radius::AuthFILE: FILEauthTLS
        Tue Feb 27 15:26:03 2018 897822: DEBUG: Handling with EAP: code 2, 79, 706, 13
        Tue Feb 27 15:26:03 2018 897959: DEBUG: Response type 13
        Tue Feb 27 15:26:03 2018 898479: DEBUG: Certificate Issuer Name is /CN=XXX XXXXXX D.XXXX.XX
        Tue Feb 27 15:26:03 2018 898558: DEBUG: Certificate Subject Name is /CN=FOO-0013.d.XXXX.XX
        Tue Feb 27 15:26:03 2018 898667: DEBUG: Matched certificate CN FOO-0013.d.XXXX.XX with User-Name host/FOO-0013.d.XXXX.XX or identity host/FOO-0013.d.XXXX.XX
        Tue Feb 27 15:26:03 2018 898803: DEBUG: Reading users file /etc/radiator/users-tls
        Tue Feb 27 15:26:03 2018 898967: DEBUG: Radius::AuthFILE looks for match with FOO-0013.d.XXXX.XX [host/FOO-0013.d.XXXX.XX]
        Tue Feb 27 15:26:03 2018 899080: DEBUG: Radius::AuthFILE REJECT: No such user: FOO-0013.d.XXXX.XX [host/FOO-0013.d.XXXX.XX]
        Tue Feb 27 15:26:03 2018 899226: DEBUG: Radius::AuthFILE looks for match with DEFAULT [host/FOO-0013.d.XXXX.XX]
        Tue Feb 27 15:26:03 2018 899332: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [host/FOO-0013.d.XXXX.XX]
        Tue Feb 27 15:26:03 2018 899424: DEBUG: auth-certificate.hook: Peer certificate issuer: /CN=XXX XXXXXX D.XXXX.XX
        Tue Feb 27 15:26:03 2018 899563: DEBUG: auth-certificate.hook: Peer certificate policies: 1.3.6.1.4.1.311.21.8.6992180.11062261.15289225.13702945.3968342.62.3648519909.238800916
        Tue Feb 27 15:26:03 2018 901521: DEBUG: EAP TLS Session accepted: TLSv1.2 AES256-GCM-SHA384
        Tue Feb 27 15:26:03 2018 901778: DEBUG: EAP result: 3, EAP TLS Challenge
        Tue Feb 27 15:26:03 2018 901910: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
        Tue Feb 27 15:26:03 2018 902077: DEBUG: postauth.hook: authprotocol: EAP
        Tue Feb 27 15:26:03 2018 902165: DEBUG: Access challenged for host/FOO-0013.d.XXXX.XX: EAP TLS Challenge

On resumption we see that resumption works:

        Tue Feb 27 15:27:02 2018 992212: DEBUG: Handling request with Handler 'EAP-Message = /^.{4}\x0d/', Identifier 'TLSauth'
        Tue Feb 27 15:27:02 2018 992432: DEBUG:  Deleting session for host/FOO-0013.d.XXXX.XX, UNKNOWN, 37765
        Tue Feb 27 15:27:02 2018 992713: DEBUG: Handling with Radius::AuthFILE: FILEauthTLS
        Tue Feb 27 15:27:02 2018 993127: DEBUG: Handling with EAP: code 2, 78, 61, 13
        Tue Feb 27 15:27:02 2018 993220: DEBUG: Response type 13
        Tue Feb 27 15:27:02 2018 993548: DEBUG: EAP TLS Session accepted: TLSv1.2 AES256-GCM-SHA384
        Tue Feb 27 15:27:02 2018 993743: DEBUG: EAP TLS session resumed

But the auth.hook cannot access issuer and policy in the EAPContext, and later
authorization fails because they are missing.

The question is: how can we store the two strings extracted in
EAPTLS_CertificateVerifyHook on first connect so they are available for use on
session resumption?

Sorry about all the obfuscation. This configuration is rather complex and it
is also hard to simplify the case.

Greetings
Christian

--
Christian Kratzer                   CK Software GmbH
Email:   c...@cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/
_______________________________________________
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
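An added illustration of the mechanism the post is asking for; this is not code from the post or from Radiator, and it uses no Radiator API. The underlying problem is generic: the certificate verify callback only runs during a full TLS handshake, so on an abbreviated (resumed) handshake nothing re-derives the issuer and policies. The example below caches the certificate-derived attributes keyed by the TLS session identifier at the full handshake, looks them up on resumption, expires them with the resumption window, and returns None (reject) when no verified record exists. The class and function names, the `event` dict shape, the session ID bytes and the policy OIDs are all assumptions constructed for the example.

```python
"""Cache certificate-derived attributes across TLS session resumption.

Added illustration (not Radiator code): the verify callback sees the client
certificate only on a full handshake. Attributes derived from it must be
stored keyed by the TLS session identifier and looked up on resumption, and
the cached record must not outlive the session it was derived from.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class CertAttrs:
    issuer: str
    policies: Tuple[str, ...]


def parse_policies(ext_text: str) -> Tuple[str, ...]:
    """Pull policy OIDs out of certificatePolicies text as printed by
    OpenSSL's X509V3_EXT_print ('Policy: <oid>' per policy).
    Assumption: each policy occupies one line starting with 'Policy:'."""
    oids = []
    for line in ext_text.splitlines():
        line = line.strip()
        if line.startswith("Policy:"):
            oids.append(line.split(":", 1)[1].strip())
    return tuple(oids)


class SessionAttrCache:
    """Attributes keyed by TLS session ID with a TTL that should equal the
    server's session resumption lifetime (constructed class name)."""

    def __init__(self, ttl_seconds: float,
                 clock: Callable[[], float] = time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries: Dict[bytes, Tuple[float, CertAttrs]] = {}

    def store(self, session_id: bytes, attrs: CertAttrs) -> None:
        self._entries[session_id] = (self._clock() + self._ttl, attrs)

    def lookup(self, session_id: bytes) -> Optional[CertAttrs]:
        entry = self._entries.get(session_id)
        if entry is None:
            return None
        expires_at, attrs = entry
        if self._clock() >= expires_at:
            del self._entries[session_id]  # expired: treat as never verified
            return None
        return attrs


def handle_handshake(cache: SessionAttrCache, event: dict) -> Optional[CertAttrs]:
    """Return the attributes to hand to the authorization backend, or None
    when they cannot be established (the caller must then reject rather
    than continue with missing attributes).

    event is a constructed dict: {'kind': 'full' | 'resumed',
    'session_id': bytes, and for 'full' also 'issuer' and 'policies_text'}."""
    if event["kind"] == "full":
        attrs = CertAttrs(event["issuer"], parse_policies(event["policies_text"]))
        cache.store(event["session_id"], attrs)
        return attrs
    if event["kind"] == "resumed":
        return cache.lookup(event["session_id"])
    raise ValueError("unknown handshake kind: %r" % event["kind"])


# Constructed sample input: one full handshake, a resumption 30 s later, and
# a resumption attempt after the cache entry has expired.
SAMPLE_POLICY_TEXT = "Policy: 1.3.6.1.4.1.99999.1\nPolicy: 1.3.6.1.4.1.99999.2\n"
SAMPLE_SESSION_ID = bytes.fromhex("a1b2c3d4")


def demo(ttl_seconds: float = 60.0):
    now = [1000.0]  # fake clock so the sequence is deterministic
    cache = SessionAttrCache(ttl_seconds, clock=lambda: now[0])
    first = handle_handshake(cache, {"kind": "full",
                                     "session_id": SAMPLE_SESSION_ID,
                                     "issuer": "/CN=Example Issuer CA",
                                     "policies_text": SAMPLE_POLICY_TEXT})
    now[0] += 30.0
    resumed = handle_handshake(cache, {"kind": "resumed",
                                       "session_id": SAMPLE_SESSION_ID})
    now[0] += ttl_seconds
    stale = handle_handshake(cache, {"kind": "resumed",
                                     "session_id": SAMPLE_SESSION_ID})
    return first, resumed, stale


if __name__ == "__main__":
    first, resumed, stale = demo()
    print("full handshake   :", first)
    print("resumed (fresh)  :", resumed)
    print("resumed (expired):", stale)
```

Two design points carry over to any real deployment: the cache key must be whatever the server uses to identify the resumed session (session ID or ticket), never the client identity alone, and the TTL must not exceed the server-side session cache lifetime, so a resumed session can only ever inherit attributes from the certificate that was actually verified for it. A cache miss fails closed, which matches the behaviour the post reports (authorization fails when the attributes are missing) rather than silently accepting.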
