TLS / SSL negotiation fails when behind Cisco IP phone
Hi!
We are using EAP/TLS for wired authentication on our networks, in one of our
sites the SSL negotiation fails when the client is connected behind a Cisco
7962 IP phone. We have this same setup working on other sites.
The phone model varies between the sites, but I cannot find any information
about incompatibilities for the particular phone model saying it should be the
phone that is causing the problem.
I figured that the problem was caused by fragmentation but after adjusting the
fragment_size parameter in eap.conf, according to the comments..;
# This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
# that, to accomodate other attributes in
# RADIUS packet. On most APs the MAX packet
# length is configured between 1500 - 1600
# In these cases, fragment size should be
# 1024 or less.
..without any result, i am not sure anymore.
When I connect the client directly to a switch port, without the IP phone
in-between, everything works perfect.
Here comes the relevant part of RADIUS debug output, first session - Without IP
phone, directly connected to the switch [ client - switch ];
--
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] TLS 1.0 Handshake [length 0b2e], Certificate
[tls] chain-depth=2,
[tls] error=0
[tls] -- User-Name = host/US-LAPJAMIESON.us..yyy
[tls] -- BUF-Name = Xxxx Root CA
[tls] -- subject = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
[tls] -- issuer = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
[tls] -- verify return:1
[tls] chain-depth=1,
[tls] error=0
[tls] -- User-Name = host/US-LAPJAMIESON.us..yyy
[tls] -- BUF-Name = Xxxx Sub CA
[tls] -- subject = /DC=com/DC=/CN=Xxxx Sub CA
[tls] -- issuer = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
[tls] -- verify return:1
[tls] chain-depth=0,
[tls] error=0
[tls] -- User-Name = host/US-LAPJAMIESON.us..yyy
[tls] -- BUF-Name = US-LAPJAMIESON.us..yyy
[tls] -- subject = /CN=US-LAPJAMIESON.us..yyy
[tls] -- issuer = /DC=com/DC=/CN=Xxxx Sub CA
[tls] -- verify return:1
[tls] TLS_accept: SSLv3 read client certificate A
[tls] TLS 1.0 Handshake [length 0086], ClientKeyExchange
[tls] TLS_accept: SSLv3 read client key exchange A
[tls] TLS 1.0 Handshake [length 0106], CertificateVerify
[tls] TLS_accept: SSLv3 read certificate verify A
[tls] TLS 1.0 ChangeCipherSpec [length 0001]
[tls] TLS 1.0 Handshake [length 0010], Finished
[tls] TLS_accept: SSLv3 read finished A
[tls] TLS 1.0 ChangeCipherSpec [length 0001]
[tls] TLS_accept: SSLv3 write change cipher spec A
[tls] TLS 1.0 Handshake [length 0010], Finished
[tls] TLS_accept: SSLv3 write finished A
[tls] TLS_accept: SSLv3 flush data
[tls] (other): SSL negotiation finished successfully
SSL Connection Established
--
--
Second part - With IP phone in-between [ client - ipphone - switch ];
--
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] TLS 1.0 Handshake [length 0b2e], Certificate
[tls] chain-depth=2,
[tls] error=0
[tls] -- User-Name = host/US-LAPJAMIESON.us..yyy
[tls] -- BUF-Name = Xxxx Root CA
[tls] -- subject = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
[tls] -- issuer = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
[tls] -- verify return:1
[tls] chain-depth=1,
[tls] error=0
[tls] -- User-Name = host/US-LAPJAMIESON.us..yyy
[tls] -- BUF-Name = Xxxx Sub CA
[tls] -- subject = /DC=com/DC=/CN=Xxxx Sub CA
[tls] -- issuer = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
[tls] -- verify return:1 -- verify error:num=7:certificate signature failure
[tls] TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert write:fatal:decrypt error
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:0407006A:rsa
routines:RSA_padding_check_PKCS1_type_1:block type is not 01
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
RE: TLS / SSL negotiation fails when behind Cisco IP phone
I have been looking at possible changes to make on the phone and call manager,
but cannot find anything that would relate to the behavior we have. Is there a
way to change MTU value on the phones, I can't find it.
We have the 7945 model on another site as well and there everything works, I
have tried with a 7942 here as well and it does not work. I am quite sure that
the problem is related to the internal switch in the phone, but since the EAP
package gets through to the authenticating switch there should be a way to get
it to work. I don't have any other phone models here to test with, and I can't
find any information about hardware/switch differences in the 7962 and the 7954
phones.
Can anyone tell from the below sessions if the SSL negotiation fails because of
fragmentation?
I just found this article;
https://supportforums.cisco.com/thread/163050
Seems like it might be a firmware issue, I will upgrade/downgrade and let you
know the outcome.
/Dan
-Original Message-
From: freeradius-users-
bounces+dan.lundstrom=axis@lists.freeradius.org [mailto:freeradius-
users-bounces+dan.lundstrom=axis@lists.freeradius.org] On Behalf Of
Danner, Mearl
Sent: den 9 september 2012 16:37
To: FreeRadius users mailing list
Subject: RE: TLS / SSL negotiation fails when behind Cisco IP phone
There is a switch in the Cisco phone. All my experience is with a 7945.
There are some ethernet settings in the phone settings - under device
configuration. They can be controlled locally and some are controlled in Cisco
Call Manager.
Might look there as a start.
-Original Message-
From: freeradius-users-
bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-
users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of
Dan Lundström
Sent: Sunday, September 09, 2012 9:02 AM
To: freeradius-users@lists.freeradius.org
Subject: TLS / SSL negotiation fails when behind Cisco IP phone
Hi!
We are using EAP/TLS for wired authentication on our networks, in one of
our sites the SSL negotiation fails when the client is connected behind a
Cisco
7962 IP phone. We have this same setup working on other sites.
The phone model varies between the sites, but I cannot find any information
about incompatibilities for the particular phone model saying it should be the
phone that is causing the problem.
I figured that the problem was caused by fragmentation but after adjusting
the fragment_size parameter in eap.conf, according to the comments..;
# This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
# that, to accomodate other attributes in
# RADIUS packet. On most APs the MAX packet
# length is configured between 1500 - 1600
# In these cases, fragment size should be
# 1024 or less.
..without any result, i am not sure anymore.
When I connect the client directly to a switch port, without the IP phone in-
between, everything works perfect.
Here comes the relevant part of RADIUS debug output, first session -
Without IP phone, directly connected to the switch [ client - switch ];
--
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list [eap] EAP/tls [eap] processing
type tls [tls] Authenticate [tls] processing EAP-TLS [tls] eaptls_verify
returned
7 [tls] Done initial handshake [tls] TLS 1.0 Handshake [length 0b2e],
Certificate [tls] chain-depth=2, [tls] error=0 [tls] -- User-Name = host/US-
LAPJAMIESON.us..yyy [tls] -- BUF-Name = Xxxx Root CA [tls] --
subject = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root
CA [tls] -- issuer = /C=SE/O=Xxxx Communications AB/OU=IT-
group/CN=Xxxx Root CA [tls] -- verify return:1 [tls] chain-depth=1, [tls]
error=0 [tls] -- User-Name = host/US-LAPJAMIESON.us..yyy [tls] --
BUF-Name = Xxxx Sub CA [tls] -- subject = /DC=com/DC=/CN=Xxxx Sub
CA [tls] -- issuer = /C=SE/O=Xxxx Communications AB/OU=IT-
group/CN=Xxxx Root CA [tls] -- verify return:1 [tls] chain-depth=0, [tls]
error=0 [tls] -- User-Name = host/US-LAPJAMIESON.us..yyy [tls] --
BUF-Name = US-LAPJAMIESON.us..yyy [tls] -- subject = /CN=US-
LAPJAMIESON.us..yyy [tls] -- issuer = /DC=com/DC=/CN=Xxxx Sub
CA [tls] -- verify return:1
[tls] TLS_accept: SSLv3 read client certificate A
[tls] TLS 1.0 Handshake [length 0086], ClientKeyExchange
[tls] TLS_accept: SSLv3 read client key exchange A
[tls] TLS 1.0 Handshake [length 0106], CertificateVerify
[tls] TLS_accept: SSLv3 read certificate verify A
[tls] TLS 1.0 ChangeCipherSpec [length 0001] [tls] TLS 1.0 Handshake
[length 0010], Finished
[tls
RE: TLS / SSL negotiation fails when behind Cisco IP phone
The problem was firmware, I works as expected with both older and newer
versions. So basically don't use firmware version 8.5(2).
Also might be good to know that all of the following phones use the same code
base;
IP Phones - 7906, 7911, 7931, 7941, 7942, 7945, 7961, 7962, 7965, 7970, 7971
7975
//Dan
-Original Message-
From: freeradius-users-
bounces+dan.lundstrom=axis@lists.freeradius.org [mailto:freeradius-
users-bounces+dan.lundstrom=axis@lists.freeradius.org] On Behalf Of
Dan Lundström
Sent: den 9 september 2012 17:53
To: FreeRadius users mailing list
Subject: RE: TLS / SSL negotiation fails when behind Cisco IP phone
I have been looking at possible changes to make on the phone and call
manager, but cannot find anything that would relate to the behavior we have.
Is there a way to change MTU value on the phones, I can't find it.
We have the 7945 model on another site as well and there everything works,
I have tried with a 7942 here as well and it does not work. I am quite sure
that
the problem is related to the internal switch in the phone, but since the EAP
package gets through to the authenticating switch there should be a way to
get it to work. I don't have any other phone models here to test with, and I
can't find any information about hardware/switch differences in the 7962 and
the 7954 phones.
Can anyone tell from the below sessions if the SSL negotiation fails because
of fragmentation?
I just found this article;
https://supportforums.cisco.com/thread/163050
Seems like it might be a firmware issue, I will upgrade/downgrade and let
you know the outcome.
/Dan
-Original Message-
From: freeradius-users-
bounces+dan.lundstrom=axis@lists.freeradius.org
bounces+[mailto:freeradius-
users-bounces+dan.lundstrom=axis@lists.freeradius.org] On Behalf
users-bounces+Of
Danner, Mearl
Sent: den 9 september 2012 16:37
To: FreeRadius users mailing list
Subject: RE: TLS / SSL negotiation fails when behind Cisco IP phone
There is a switch in the Cisco phone. All my experience is with a 7945.
There are some ethernet settings in the phone settings - under device
configuration. They can be controlled locally and some are controlled
in Cisco Call Manager.
Might look there as a start.
-Original Message-
From: freeradius-users-
bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-
users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of
Dan Lundström
Sent: Sunday, September 09, 2012 9:02 AM
To: freeradius-users@lists.freeradius.org
Subject: TLS / SSL negotiation fails when behind Cisco IP phone
Hi!
We are using EAP/TLS for wired authentication on our networks, in one
of our sites the SSL negotiation fails when the client is connected
behind a Cisco
7962 IP phone. We have this same setup working on other sites.
The phone model varies between the sites, but I cannot find any
information about incompatibilities for the particular phone model
saying it should be the phone that is causing the problem.
I figured that the problem was caused by fragmentation but after
adjusting the fragment_size parameter in eap.conf, according to the
comments..;
# This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
# that, to accomodate other attributes in
# RADIUS packet. On most APs the MAX packet
# length is configured between 1500 - 1600
# In these cases, fragment size should be
# 1024 or less.
..without any result, i am not sure anymore.
When I connect the client directly to a switch port, without the IP
phone in- between, everything works perfect.
Here comes the relevant part of RADIUS debug output, first session -
Without IP phone, directly connected to the switch [ client - switch
];
--
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list [eap] EAP/tls [eap]
processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls]
eaptls_verify returned
7 [tls] Done initial handshake [tls] TLS 1.0 Handshake [length
0b2e], Certificate [tls] chain-depth=2, [tls] error=0 [tls] --
User-Name = host/US- LAPJAMIESON.us..yyy [tls] -- BUF-Name =
Xxxx
Root CA [tls] -- subject = /C=SE/O=Xxxx Communications
AB/OU=IT-group/CN=Xxxx Root CA [tls] -- issuer = /C=SE/O=Xxxx
Communications AB/OU=IT- group/CN=Xxxx Root CA [tls] -- verify
return:1 [tls] chain-depth=1, [tls]
error=0 [tls] -- User-Name = host/US-LAPJAMIESON.us..yyy [tls]
-- BUF-Name = Xxxx Sub CA [tls] -- subject =
/DC=com/DC=/CN=Xxxx
Sub
