EAP-TLS authentication allows me to authenticate with invalid certificate.
Terry Simons
terry.simons at gmail.com
Wed Oct 13 04:55:02 CEST 2010
Hi,
I'm running into an issue where FreeRADIUS allows an invalid certificate (one not signed by my configured CA) to successfully authenticate to EAP-TLS.
There's a message in the log that clearly indicates that the CA wasn't found (--> verify error:num=20:unable to get local issuer certificate) , yet my authentication succeeds.
I'm using FreeRADIUS version 2.1.10 with a largely default configuration (home-grown certificates).
I want this authentication to fail because the certificate that the client is using was not signed by the CA that I have configured with the CA_file directive, therefore it should be considered an invalid EAP-TLS attempt.
Has anyone seen this before?
I couldn't find any related messages in the FreeRADIUS archive.
Thanks,
Here's the log:
rad_recv: Access-Request packet from host 192.168.19.12 port 1035, id=39, length=189
User-Name = "AutomationUser"
NAS-IP-Address = 192.168.19.12
NAS-Identifier = "honeybutter"
NAS-Port = 0
Called-Station-Id = "00-19-77-1F-8A-D1:HiveAP120-WPA2"
Calling-Station-Id = "00-25-00-43-5E-13"
Framed-MTU = 1500
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x02000013014175746f6d6174696f6e55736572
Message-Authenticator = 0xebf0b398f32dc38984552b06634ef90e
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "AutomationUser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[opendirectory] The host 192.168.19.12 does not have an access group.
++[opendirectory] returns ok
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 39 to 192.168.19.12 port 1035
EAP-Message = 0x010100060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd2fcae5dd2fda306cc163ff247674563
Finished request 37.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.19.12 port 1035, id=40, length=352
User-Name = "AutomationUser"
NAS-IP-Address = 192.168.19.12
NAS-Identifier = "honeybutter"
NAS-Port = 0
Called-Station-Id = "00-19-77-1F-8A-D1:HiveAP120-WPA2"
Calling-Station-Id = "00-25-00-43-5E-13"
Framed-MTU = 1500
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020100a40d800000009a16030100950100009103014cb5184f29200ee95888008e509e4cf7d61e39b9688acd0a179f3f12fd982b03000056c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a00170019000101000012000a00080006001700180019000b00020100
State = 0xd2fcae5dd2fda306cc163ff247674563
Message-Authenticator = 0xbaf4c3763aa24c9f8ecb1bc1695bfbe4
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "AutomationUser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 164
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[opendirectory] The host 192.168.19.12 does not have an access group.
++[opendirectory] returns ok
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 154
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0095], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 069f], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 00af], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 40 to 192.168.19.12 port 1035
EAP-Message = 0x010204000dc000000787160301002a0200002603014cb5183db33a52670f42ebf1dd1d323435c9d1727572176f37deae32bcdf256400002f00160301069f0b00069b0006980002cf308202cb30820234a003020102020101300d06092a864886f70d010105050030819c310b3009060355040613025553311330110603550408130a43616c69666f726e69613112301006035504071309437570657274696e6f31143012060355040a130b4170706c652c20496e632e3110300e060355040b1307436f6d6d735141311530130603550403130c4175746f6d6174696f6e43413125302306092a864886f70d010901161674657272792e73696d6f6e7340
EAP-Message = 0x6170706c652e636f6d301e170d3130313031303033313233365a170d3230313030393033313233365a3081a0310b3009060355040613025553311330110603550408130a43616c69666f726e69613112301006035504071309437570657274696e6f31143012060355040a130b4170706c652c20496e632e3110300e060355040b1307436f6d6d73514131193017060355040313104175746f6d6174696f6e5365727665723125302306092a864886f70d010901161674657272792e73696d6f6e73406170706c652e636f6d30819f300d06092a864886f70d010101050003818d00308189028181009c863c44ddc7f8e2d9153ce65d246a4576e7cad0
EAP-Message = 0x693a37f44cf8e71fbd4010fb0287128c6e4a5eae040a9d806ba510d76026c536a6e44a1341630f76a472f3a324aff010ccf26e168a523e9dac5b131512b6534209c4ddf0059e456767fef96ab15996e3e9e6d8c06aed16032ed09ec81a79e5cf2fcad21d43f93a382ef64afd0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003818100b3ab384f900eb95db0b5f932639f532d7993d262e5d4f95b0caf2f6778dc3f7ead0361033974828f3a564aa7642760c93c5f3293c69f4f13ed309bee53a0dcee4a07d59994d34a7e51ddef376f87c8ab8614f9e14dd233d1c7f7cb3af4dc571b
EAP-Message = 0x2c456a6e2a857a132a9d26d2acc4be820b7c6265a0b541f3f31067a8ce921b7a0003c3308203bf30820328a003020102020900aee0069109e88a1e300d06092a864886f70d010105050030819c310b3009060355040613025553311330110603550408130a43616c69666f726e69613112301006035504071309437570657274696e6f31143012060355040a130b4170706c652c20496e632e3110300e060355040b1307436f6d6d735141311530130603550403130c4175746f6d6174696f6e43413125302306092a864886f70d010901161674657272792e73696d6f6e73406170706c652e636f6d301e170d3130313031303033303831335a170d32
EAP-Message = 0x30313030393033303831335a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd2fcae5dd3fea306cc163ff247674563
Finished request 38.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.19.12 port 1035, id=41, length=194
User-Name = "AutomationUser"
NAS-IP-Address = 192.168.19.12
NAS-Identifier = "honeybutter"
NAS-Port = 0
Called-Station-Id = "00-19-77-1F-8A-D1:HiveAP120-WPA2"
Calling-Station-Id = "00-25-00-43-5E-13"
Framed-MTU = 1500
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020200060d00
State = 0xd2fcae5dd3fea306cc163ff247674563
Message-Authenticator = 0xa475a2642ff359874a9fc61a5522e311
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "AutomationUser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[opendirectory] The host 192.168.19.12 does not have an access group.
++[opendirectory] returns ok
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 41 to 192.168.19.12 port 1035
EAP-Message = 0x0103039b0d800000078730819c310b3009060355040613025553311330110603550408130a43616c69666f726e69613112301006035504071309437570657274696e6f31143012060355040a130b4170706c652c20496e632e3110300e060355040b1307436f6d6d735141311530130603550403130c4175746f6d6174696f6e43413125302306092a864886f70d010901161674657272792e73696d6f6e73406170706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100eba6920d4e7026b5b56be1ffe4a92657531f57f5ec3151a3b08536f2c15ac37e6ca83945576dc7fa534379f00849d14f3ccb630c0cceff
EAP-Message = 0x7c032eeedceda81ede4979d9c11aa32b94e13d2c55911c8910d74fe834a062c563b76f66377ba558adf01c29ad786385dcf067324f087f4e62f9bce9f1a15c0238d7068e6bff2436910203010001a382010530820101301d0603551d0e041604143d14bac4f677ed18b87223f0ef167fa28fb245a03081d10603551d230481c93081c680143d14bac4f677ed18b87223f0ef167fa28fb245a0a181a2a4819f30819c310b3009060355040613025553311330110603550408130a43616c69666f726e69613112301006035504071309437570657274696e6f31143012060355040a130b4170706c652c20496e632e3110300e060355040b1307436f6d6d
EAP-Message = 0x735141311530130603550403130c4175746f6d6174696f6e43413125302306092a864886f70d010901161674657272792e73696d6f6e73406170706c652e636f6d820900aee0069109e88a1e300c0603551d13040530030101ff300d06092a864886f70d010105050003818100e533646f2f3626e199b1617ea96c40568f8c210f770373587881beb74e8c5b439c6b43e075567d0fba0bcfdcf62e70bdca8240ca0156ea160648f09650898f1e4569aaccd3108a95d94a07f59f60b127626399f132d34825e5100c9986d7754d2a45b743d8b75037f032cb30e071a1128486e433f69a6039f6c06926a88e777716030100af0d0000a70301024000a100
EAP-Message = 0x9f30819c310b3009060355040613025553311330110603550408130a43616c69666f726e69613112301006035504071309437570657274696e6f31143012060355040a130b4170706c652c20496e632e3110300e060355040b1307436f6d6d735141311530130603550403130c4175746f6d6174696f6e43413125302306092a864886f70d010901161674657272792e73696d6f6e73406170706c652e636f6d0e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd2fcae5dd0ffa306cc163ff247674563
Finished request 39.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.19.12 port 1035, id=42, length=1274
User-Name = "AutomationUser"
NAS-IP-Address = 192.168.19.12
NAS-Identifier = "honeybutter"
NAS-Port = 0
Called-Station-Id = "00-19-77-1F-8A-D1:HiveAP120-WPA2"
Calling-Station-Id = "00-25-00-43-5E-13"
Framed-MTU = 1500
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020304360d800000042c16030102d60b0002d20002cf0002cc308202c830820231a003020102020102300d06092a864886f70d010105050030819b310b3009060355040613025553311330110603550408130a43616c69666f726e69613112301006035504071309437570657274696e6f31143012060355040a130b4170706c652c20496e632e3110300e060355040b1307436f6d6d735141311430120603550403130b526f7474656e4170706c653125302306092a864886f70d010901161674657272792e73696d6f6e73406170706c652e636f6d301e170d3130313031323138333633355a170d3230313031313138333633355a30819e310b3009
EAP-Message = 0x060355040613025553311330110603550408130a43616c69666f726e69613112301006035504071309437570657274696e6f31143012060355040a130b4170706c652c20496e632e3110300e060355040b1307436f6d6d735141311730150603550403130e4175746f6d6174696f6e557365723125302306092a864886f70d010901161674657272792e73696d6f6e73406170706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100db2c1fc69d20a42a3101c93df6d6db4fab40fb77fdefd5334ba3ccfca3032417aefb71deb9ef75f51182010940a03c618ca1a879af099d1470fc8d8fcfd3d4d9cc3d1672bb7f
EAP-Message = 0xed5c015ef660cbdb2f75eae83c658683164773db3ba34782fbba6ead164839b6b555c94fc355d24228545474a2d7a4ae732982ebffdaf3bb20fd0203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d010105050003818100505a1fcf9aa9fc38d3cc0fb6f6e2edfe0ab50af4aa358726dfd784e69461e3f0c539360a94995cce8bf85bf4f1cc53bd8eda704b135a698e89d157d042d602d1f78c2bbb4a3f2cc2fb9113b9d03f71f731c71cd9360ef4f762403e7c14fcd112401c7217321dbc1d2fb8b2168c0651c2eaade2f1292f4a7c5f8904a2c1844cfd16030100861000008200801ef0cf7c185512
EAP-Message = 0x86b4f42b2374ad3345f22e10c90614b872fa5688df1621c9acadc08593d71659adf9cce1550e199d0e0da86d99e25bab70888873d38f07f42e0c4a344fb5d3fc5788de9cacf4c182fb06fd176afd9a65d9297bea1e73acd3ffa6dfbc70e1014a2c7f6cf8f3d5342d96aaa32a1311b89e455586816c7b57564516030100860f0000820080a9de35c71327f318ebb962597c6f6503e073afe5aa279c1822463224fe189022c50ec10a915947ae451e3d39d798106d9ff5bfe7600ad6ce0da735ba4613898facdb2889ac642ed2efc1ca6e81b79594678e055fba42fddd1d16634b85b641587d349fe39e127080b9f8695a962c8ca0480f7b52cf6cbafa1e
EAP-Message = 0x5ff67080001aa11403010001011603010030a11644efce0b94b9179c2e9aa9eb472e0869267e0bf174beae262e5f4e4bd0583db05bd6bf51fba61ba940eca8e658b0
State = 0xd2fcae5dd0ffa306cc163ff247674563
Message-Authenticator = 0x2a124c92c4da145bbd47a068a71f4293
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "AutomationUser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[opendirectory] The host 192.168.19.12 does not have an access group.
++[opendirectory] returns ok
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 1068
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] <<< TLS 1.0 Handshake [length 02d6], Certificate
--> verify error:num=20:unable to get local issuer certificate
[tls] TLS_accept: SSLv3 read client certificate A
[tls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[tls] TLS_accept: SSLv3 read client key exchange A
[tls] <<< TLS 1.0 Handshake [length 0086], CertificateVerify
[tls] TLS_accept: SSLv3 read certificate verify A
[tls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[tls] <<< TLS 1.0 Handshake [length 0010], Finished
[tls] TLS_accept: SSLv3 read finished A
[tls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[tls] TLS_accept: SSLv3 write change cipher spec A
[tls] >>> TLS 1.0 Handshake [length 0010], Finished
[tls] TLS_accept: SSLv3 write finished A
[tls] TLS_accept: SSLv3 flush data
[tls] (other): SSL negotiation finished successfully
SSL Connection Established
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 42 to 192.168.19.12 port 1035
EAP-Message = 0x010400450d800000003b14030100010116030100308aeb9012d08c6b2e742f6f6defcbe397ce58cb4911aeeba0c6c2ac6d4e45b941898218a5e1bf55e35ed26ee1a29b3464
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd2fcae5dd1f8a306cc163ff247674563
Finished request 40.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.19.12 port 1035, id=43, length=194
User-Name = "AutomationUser"
NAS-IP-Address = 192.168.19.12
NAS-Identifier = "honeybutter"
NAS-Port = 0
Called-Station-Id = "00-19-77-1F-8A-D1:HiveAP120-WPA2"
Calling-Station-Id = "00-25-00-43-5E-13"
Framed-MTU = 1500
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020400060d00
State = 0xd2fcae5dd1f8a306cc163ff247674563
Message-Authenticator = 0x34e48ce176b27309dbd3b53091ad3816
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "AutomationUser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[opendirectory] The host 192.168.19.12 does not have an access group.
++[opendirectory] returns ok
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake is finished
[tls] eaptls_verify returned 3
[tls] eaptls_process returned 3
[tls] Adding user data to cached session
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 43 to 192.168.19.12 port 1035
MS-MPPE-Recv-Key = 0x08d815790ebfb9a13cc81f79b0c756c8126e52f63338fd882c458eb019a48533
MS-MPPE-Send-Key = 0x1bc9637fd958191a0127c04a9b84812644caba495fcfc5ec3d3b02edc08fd72e
EAP-Message = 0x03040004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "AutomationUser"
Finished request 41.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Accounting-Request packet from host 192.168.19.12 port 1031, id=44, length=169
Acct-Session-Id = "4CB26D4B-0000007B"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
User-Name = "AutomationUser"
NAS-IP-Address = 192.168.19.12
NAS-Identifier = "honeybutter"
NAS-Port = 0
Called-Station-Id = "00-19-77-1F-8A-D1:HiveAP120-WPA2"
Calling-Station-Id = "00-25-00-43-5E-13"
NAS-Port-Type = Wireless-802.11
Connect-Info = "11ng"
Vendor-26928-Attr-1 = 0x00000000
# Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 192.168.19.12,NAS-IP-Address = 192.168.19.12,Acct-Session-Id = "4CB26D4B-0000007B",User-Name = "AutomationUser"'
[acct_unique] Acct-Unique-Session-ID = "246d28e49e4f15d2".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "AutomationUser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /usr/local/etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /usr/local/var/log/radius/radacct/192.168.19.12/detail-20101012
[detail] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.19.12/detail-20101012
[detail] expand: %t -> Tue Oct 12 19:23:57 2010
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /usr/local/var/log/radius/radutmp -> /usr/local/var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> AutomationUser
++[radutmp] returns ok
++[exec] returns noop
[attr_filter.accounting_response] expand: %{User-Name} -> AutomationUser
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 44 to 192.168.19.12 port 1031
Finished request 42.
Cleaning up request 42 ID 44 with timestamp +371
Going to the next request
Waking up in 4.7 seconds.
More information about the Freeradius-Users
mailing list