Re: [RADIATOR] WLAN EAP-TLS auth issue

Thu, 04 Nov 2010 12:46:25 -0700 

That solved it.  Why is this not the default ?

Thank you
Markus

----- Original Message ----- 
From: "Sami Keski-Kasari" <[email protected]>
To: "Markus Moeller" <[email protected]>; <[email protected]>
Sent: Wednesday, November 03, 2010 9:07 PM
Subject: Re: [RADIATOR] WLAN EAP-TLS auth issue


> Have you tried EAPTLS_SessionResumption 0?
>
> -- 
> Sami
>
> "Markus Moeller" <[email protected]> wrote:
>
>>BTW I use version 4.7.
>>  ----- Original Message ----- 
>>  From: Markus Moeller
>>  To: [email protected]
>>  Sent: Wednesday, November 03, 2010 8:04 PM
>>  Subject: WLAN EAP-TLS auth issue
>>
>>
>>  Hi
>>
>>I am testing EAP-TLS auth with Radiator and came across the following.
>>I have two SSIDs SSID-1 and SSID-2 and want to restrict access to
>>SSID-1, SSID-2 based on the certificate issue. e.g. on SSID-1 I allow
>>certs from issue COMP-A and on SSID2 from COMP-B. What I notice is that
>>once a user lets say authenticates to SSID-1 successfully and the
>>disconnects and connects to SSID-2 the EAPTLS Hook is not called (see
>>log example).  I also see the the server is not sending the CA to the
>>client. Can it be that it is not seen as a new session ?
>>
>>    I have the following configuration.
>>
>>
>>  # EAPTLS authentication
>>  <AuthBy FILE>
>>    Identifier EapTLS
>># the file is used to check usernames (assuming EAP-TLS certificate
>>checks pass): just contains DEFAULT
>>    Filename %D/wlan_users
>>    EAPType TLS
>>    # WLAN Additional Certificate Check
>>    EAPTLS_CertificateVerifyHook file:"%D/cert_check.pl"
>>    # WLAN root CAs
>>    EAPTLS_CAFile %D/certs/CAa.pem
>>
>>    EAPTLS_CertificateType PEM
>>    # Radiator Cert
>>    EAPTLS_CertificateFile %D/certs/server_cert.pem
>>    # Radiator private key
>>    EAPTLS_PrivateKeyFile %D/certs/server_cert.key
>>
>>    EAPTLS_MaxFragmentSize 1000
>>
>>    EAPTLS_CRLCheck
>>    EAPTLS_CRLFile %D/certs/crls/Root_CA.pem
>>
>>    AutoMPPEKeys
>>  </AuthBy>
>>
>>
>>
>>  sub {
>>
>>    use Crypt::OpenSSL::X509;
>>    &main::log($main::LOG_DEBUG,"cert_check: enter hook");
>>
>>    # Pointer to request structure
>>    my $p0 = $_[0];    # $matchdn
>>    my $p1 = $_[1];    # $x509_store_ctx
>>    my $p2 = $_[2];    # $cert
>>    my $p3 = $_[3];    # $subject_name
>>    my $p4 = $_[4];    # $subject
>>    my $p = $_[5];     # $p Radius Request
>>
>>my $issuer_name =
>>&Net::SSLeay::X509_NAME_oneline(&Net::SSLeay::X509_get_issuer_name($p2));
>>
>>my $x509 =
>>Crypt::OpenSSL::X509->new_from_string(&Net::SSLeay::PEM_get_string_X509($p2));
>>    my $extensions = &Crypt::OpenSSL::X509::extensions_by_name($x509);
>>
>>my @extendedKeyUsage =
>>&Crypt::OpenSSL::X509::Extension::extKeyUsage($extensions->{extendedKeyUsage});
>>
>> my $eku_req_client_auth = grep { /clientAuth/ } ( @extendedKeyUsage );
>>my $eku_req_client_any = grep { /anyExtendedKeyUsage/ } (
>>@extendedKeyUsage );
>>
>>
>>    &main::log($main::LOG_DEBUG,"cert_check: matchDN: $p0");
>>    &main::log($main::LOG_DEBUG,"cert_check: issuer: $issuer_name");
>>&main::log($main::LOG_DEBUG,"cert_check: Extended Key Usage strings
>>found in certificate: " . (join " & ", @extendedKeyUsage) );
>>
>>    # User certificate CA strings:
>>    user_CA = 'CN=User CA, OU=Test, C=UK';
>>
>># bail out if cannot determine the extendedKeyUsage for this
>>certificate:
>>    if ( $eku_req_client_auth == 0 && $eku_req_client_any == 0 ) {
>>&main::log($main::LOG_ERR,"cert_check: certificate presented does not
>>have required values present in Extended Key Usage field.");
>>        return undef;
>>    }
>>
>>    # test each issuer string (which is valid for this ssid) against
>>    # the issuer string in the certificate in the request:
>>    my $match = 0;
>>
>>    if ($issuer_name =~ /^$user_CA$/) {
>>        $match++;
>>&main::log($main::LOG_DEBUG,"cert_check: Successful match for
>>issuer_name [$issuer_name] with issuer_string [$user_CA]");
>>    }
>>
>>
>>    if ( $match == 0 ) {
>>&main::log($main::LOG_ERR,"cert_check: invalid certificate issuer
>>[$issuer_name] in request.");
>>      return undef;
>>    }
>>
>>  }
>>
>>
>>  Wed Nov  3 09:32:20 2010: DEBUG: Packet dump:
>>  *** Received from 191.169.1.21 port 32768 ....
>>  Code:       Access-Request
>>  Identifier: 153
>>  Authentic:  +R<20><209><177><167>5/<246>y%<135><133><134><191><173>
>>  Attributes:
>>          User-Name = "[email protected]"
>>          Calling-Station-Id = "00-22-fa-aa-bb-cc"
>>          Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
>>          NAS-Port = 29
>>          NAS-IP-Address = 191.169.1.21
>>          NAS-Identifier = "Controller1"
>>          Airespace-WLAN-Id = 7
>>          Service-Type = Framed-User
>>          Framed-MTU = 1300
>>          NAS-Port-Type = Wireless-IEEE-802-11
>>          Tunnel-Type = 0:VLAN
>>          Tunnel-Medium-Type = 0:802
>>          Tunnel-Private-Group-ID = 662
>>          EAP-Message = <2><3><0><18><1>[email protected]
>>Message-Authenticator =
>>L><159><3>4<221><139>8<214>g<237><153><22>v<200><197>
>>
>>Wed Nov  3 09:32:20 2010: DEBUG: Handling request with Handler
>>'DeviceClass="WLAN"'
>>Wed Nov  3 09:32:20 2010: DEBUG:  Deleting session for [email protected],
>>191.169.1.21, 29
>>Wed Nov  3 09:32:20 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
>>  Wed Nov  3 09:32:20 2010: DEBUG: Handling with EAP: code 2, 3, 18, 1
>>  Wed Nov  3 09:32:20 2010: DEBUG: Response type 1
>>  Wed Nov  3 09:32:20 2010: DEBUG: EAP result: 3, EAP TLS Challenge
>>Wed Nov  3 09:32:20 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS
>>Challenge
>>Wed Nov  3 09:32:20 2010: DEBUG: Access challenged for [email protected]:
>>EAP TLS Challenge
>>  Wed Nov  3 09:32:20 2010: DEBUG: Packet dump:
>>  *** Sending to 191.169.1.21 port 32768 ....
>>  Code:       Access-Challenge
>>  Identifier: 153
>>  Authentic:  <213>o<31><153>j1<190><209>Yu&<238><166><210>_<16>
>>  Attributes:
>>          EAP-Message = <1><4><0><6><13>
>>Message-Authenticator =
>><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>>  Wed Nov  3 09:32:21 2010: DEBUG: Packet dump:
>>  *** Received from 191.169.1.21 port 32768 ....
>>  Code:       Access-Request
>>  Identifier: 154
>>  Authentic:  >k<16>#p<154><1><245><194>d<165><131><189><143><237><142>
>>  Attributes:
>>          User-Name = "[email protected]"
>>          Calling-Station-Id = "00-22-fa-aa-bb-cc"
>>          Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
>>          NAS-Port = 29
>>          NAS-IP-Address = 191.169.1.21
>>          NAS-Identifier = "Controller1"
>>          Airespace-WLAN-Id = 7
>>          Service-Type = Framed-User
>>          Framed-MTU = 1300
>>          NAS-Port-Type = Wireless-IEEE-802-11
>>          Tunnel-Type = 0:VLAN
>>          Tunnel-Medium-Type = 0:802
>>          Tunnel-Private-Group-ID = 662
>>EAP-Message =
>><2><4><0>W<13><128><0><0><0>M<22><3><1><0>H<1><0><0>D<3><1>L<209>,%<239><146><242><12><235><234>.'<3>h<6><31><178>Y3<155><194><158><177>A<142><239><188>T}<202>J&<0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0><0><5><255><1><0><1><0>
>>Message-Authenticator =
>>Pg<184><167>vMr<0><24>D<189><210><248>a<241><191>
>>
>>Wed Nov  3 09:32:21 2010: DEBUG: Handling request with Handler
>>'DeviceClass="WLAN"'
>>Wed Nov  3 09:32:21 2010: DEBUG:  Deleting session for [email protected],
>>191.169.1.21, 29
>>Wed Nov  3 09:32:21 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
>>  Wed Nov  3 09:32:21 2010: DEBUG: Handling with EAP: code 2, 4, 87, 13
>>  Wed Nov  3 09:32:21 2010: DEBUG: Response type 13
>>  Wed Nov  3 09:32:21 2010: DEBUG: EAP result: 3, EAP TLS Challenge
>>Wed Nov  3 09:32:21 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS
>>Challenge
>>Wed Nov  3 09:32:21 2010: DEBUG: Access challenged for [email protected]:
>>EAP TLS Challenge
>>  Wed Nov  3 09:32:21 2010: DEBUG: Packet dump:
>>  *** Sending to 191.169.1.21 port 32768 ....
>>  Code:       Access-Challenge
>>  Identifier: 154
>>  Authentic:  y<241><254>,<218>r_<188>Cx<13><222>|<229>;S
>>  Attributes:
>>         EAP-Message = <1><5><3><242><13><192><0><0><19><9><22><3><....
>>   EAP-Message = Z<23><13>111014083918Z0i1<19>0<17><6><10><9><146>.....
>>     EAP-Message = <136><11><151><141>_<172>gL<222>)<25><142><186>.....
>>          EAP-Message = ........
>>Message-Authenticator =
>><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>>  Wed Nov  3 09:32:22 2010: DEBUG: Packet dump:
>>  *** Received from 191.169.1.21 port 32768 ....
>>  Code:       Access-Request
>>  Identifier: 155
>> Authentic:  <158><174><179>V<16><12><128><213><222>6M<173><201>g?<134>
>>  Attributes:
>>          User-Name = "[email protected]"
>>          Calling-Station-Id = "00-22-fa-aa-bb-cc"
>>          Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
>>          NAS-Port = 29
>>          NAS-IP-Address = 191.169.1.21
>>          NAS-Identifier = "Controller1"
>>          Airespace-WLAN-Id = 7
>>          Service-Type = Framed-User
>>          Framed-MTU = 1300
>>          NAS-Port-Type = Wireless-IEEE-802-11
>>          Tunnel-Type = 0:VLAN
>>          Tunnel-Medium-Type = 0:802
>>          Tunnel-Private-Group-ID = 662
>>          EAP-Message = <2><5><0><6><13><0>
>>          Message-Authenticator = <178>[ ,i<24>f<24><<17><176>Dx]g<164>
>>
>>Wed Nov  3 09:32:22 2010: DEBUG: Handling request with Handler
>>'DeviceClass="WLAN"'
>>Wed Nov  3 09:32:22 2010: DEBUG:  Deleting session for [email protected],
>>191.169.1.21, 29
>>Wed Nov  3 09:32:22 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
>>  Wed Nov  3 09:32:22 2010: DEBUG: Handling with EAP: code 2, 5, 6, 13
>>  Wed Nov  3 09:32:22 2010: DEBUG: Response type 13
>>
> -- 
> Sami
>
> 


_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator

Reply via email to