eap-tls with a cisco phone

Christian Bösch boesch at fhv.at
Mon Jul 20 10:45:58 CEST 2015


Hi,

I’m trying to authenticate a Cisco IP Phone with 802.1X EAP-TLS.
I added the Cisco root certs to the CA file and the CN name from the
phone’s cert to the users file.
But it doesn’t work. Can anybody give me a hint?

Thanks,
Chris

— eap.conf —
                # Fragment of eap.conf: the enclosing eap { } header is outside the quoted text.
                # The phone answers the Identity request without an EAP-Start, so the server
                # falls back to this type ("processing type tls" in the debug output below).
                default_eap_type = tls
                timer_expire     = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no
                max_sessions = 4096
                
                tls {
                        certdir = ${confdir}/user-certs
                        # cadir points at user-certs, but the CA bundle actually referenced is
                        # CA_file below (under certs/), so check that the Cisco roots went there.
                        cadir = ${confdir}/user-certs

                        private_key_file = ${certdir}/server.key
                        certificate_file = ${certdir}/server.crt
                        # Trust store for client certificates: a phone certificate is accepted when
                        # it chains to ANY CA in this bundle, so limit it to the issuers you want.
                        CA_file = ${confdir}/certs/allcas.crt
                        dh_file = ${confdir}/certs/dh
                        random_file = ${confdir}/certs/random
                        # The server's own chain goes out in several EAP-Message fragments
                        # (requests 463 and 464 in the debug output); the trace ends before the
                        # phone's certificate arrives, so the actual failure is not visible there.
                        fragment_size = 1024
                        include_length = yes
                        # Revocation is not checked: a revoked phone certificate would still pass.
                        check_crl = no
                        cipher_list = "DEFAULT"

                        #cache {
                              #enable = yes
                              #lifetime = 12 # hours
                              #max_entries = 255
                        #}
                }

                # ttls, peap and mschapv2 are not exercised by the EAP-TLS exchange shown below.
                ttls {
                        default_eap_type = mschapv2
                        copy_request_to_tunnel = yes
                        use_tunneled_reply = yes
                        #virtual_server = "inner-tunnel"
                }

                peap {
                        default_eap_type = mschapv2
                        copy_request_to_tunnel = yes
                        use_tunneled_reply = yes
                        #virtual_server = "inner-tunnel"
                }

                mschapv2 {
                }
—

debug output:
rad_recv: Access-Request packet from host 111.222.333.444 port 1645, id=196, length=286
	User-Name = "CP-7841-SEPDCEB94CF21FA"
	Service-Type = Framed-User
	Cisco-AVPair = "service-type=Framed"
	Framed-MTU = 9216
	Called-Station-Id = "84-80-2D-47-CC-0D"
	Calling-Station-Id = "DC-EB-94-CF-21-FA"
	EAP-Message = 0x0201001c0143502d373834312d534550444345423934434632314641
	Message-Authenticator = 0x6e734e719fdd0b92819587a021164920
	Cisco-AVPair = "audit-session-id=C1AB9E16000003C10E2DC71C"
	Cisco-AVPair = "method=dot1x"
	NAS-IP-Address = 111.222.333.444
	NAS-Port = 60000
	NAS-Port-Id = "GigabitEthernet117/2/0/13"
	NAS-Port-Type = Ethernet
server v_dot1x {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/v_dot1x
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand: /var/log/radacct/%{Client-IP-Address}/auth-detail.log -> /var/log/radacct/111.222.333.444/auth-detail.log
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail.log expands to /var/log/radacct/111.222.333.444/auth-detail.log
[auth_log] 	expand: %t -> Mon Jul 20 09:52:54 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "CP-7841-SEPDCEB94CF21FA", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "CP-7841-SEPDCEB94CF21FA"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap-v_dot1x] EAP packet type response id 1 length 28
[eap-v_dot1x] No EAP Start, assuming it's an on-going EAP conversation
++[eap-v_dot1x] returns updated
rlm_dbm: try open database file: /usr/local/etc/raddb/users-dot1x_dbm 
rlm_dbm: Call parse_user: 
sm_parse_user.c: check for loops
Add CP-7841-SEPDCEB94CF21FA to user list
sm_parse_user: start parsing: user: CP-7841-SEPDCEB94CF21FA
parse buffer: <<>> 
rlm_dbm: recod parsed 
process pattern
rlm_dbm: Pattern matched, look for request
parse buffer: <<Cisco-AVPair = "device-traffic-class=voice", Cisco-AVPair += "subscriber:service-name=PHONES">> 
rlm_dbm: recod parsed 
rlm_dbm: Reply found
Remove CP-7841-SEPDCEB94CF21FA from user list
++[users-dot1x] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = eap-v_dot1x
# Executing group from file /usr/local/etc/raddb/sites-enabled/v_dot1x
+- entering group authenticate {...}
[eap-v_dot1x] EAP Identity
[eap-v_dot1x] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap-v_dot1x] returns handled
} # server v_dot1x
Sending Access-Challenge of id 196 to 111.222.333.444 port 1645
	Cisco-AVPair = "device-traffic-class=voice"
	Cisco-AVPair += "subscriber:service-name=PHONES"
	EAP-Message = 0x010200060d20
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x77057cce7707711b016ba7ac0a5a3d56
Finished request 462.
Going to the next request

Waking up in 0.2 seconds.
rad_recv: Access-Request packet from host 111.222.333.444 port 1645, id=197, length=400
	User-Name = "CP-7841-SEPDCEB94CF21FA"
	Service-Type = Framed-User
	Cisco-AVPair = "service-type=Framed"
	Framed-MTU = 9216
	Called-Station-Id = "84-80-2D-47-CC-0D"
	Calling-Station-Id = "DC-EB-94-CF-21-FA"
	EAP-Message = 0x0202007c0d8000000072160301006d01000069030356539e2e932132392e6c3258b6c47c4cddf0a003025e7f3c1f10a5343859e06100000ac030c02f0035002f00ff01000036000b000403000102000a000a00080019001800170013000d001c001a0000040105010601030102010101020204030503060303030203
	Message-Authenticator = 0x18e2f1ae2927b7a72c339b23a9c4dc55
	Cisco-AVPair = "audit-session-id=C1AB9E16000003C10E2DC71C"
	Cisco-AVPair = "method=dot1x"
	NAS-IP-Address = 111.222.333.444
	NAS-Port = 60000
	NAS-Port-Id = "GigabitEthernet117/2/0/13"
	NAS-Port-Type = Ethernet
	State = 0x77057cce7707711b016ba7ac0a5a3d56
server v_dot1x {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/v_dot1x
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand: /var/log/radacct/%{Client-IP-Address}/auth-detail.log -> /var/log/radacct/111.222.333.444/auth-detail.log
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail.log expands to /var/log/radacct/111.222.333.444/auth-detail.log
[auth_log] 	expand: %t -> Mon Jul 20 09:52:55 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "CP-7841-SEPDCEB94CF21FA", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "CP-7841-SEPDCEB94CF21FA"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap-v_dot1x] EAP packet type response id 2 length 124
[eap-v_dot1x] No EAP Start, assuming it's an on-going EAP conversation
++[eap-v_dot1x] returns updated
rlm_dbm: try open database file: /usr/local/etc/raddb/users-dot1x_dbm 
rlm_dbm: Call parse_user: 
sm_parse_user.c: check for loops
Add CP-7841-SEPDCEB94CF21FA to user list
sm_parse_user: start parsing: user: CP-7841-SEPDCEB94CF21FA
parse buffer: <<>> 
rlm_dbm: recod parsed 
process pattern
rlm_dbm: Pattern matched, look for request
parse buffer: <<Cisco-AVPair = "device-traffic-class=voice", Cisco-AVPair += "subscriber:service-name=PHONES">> 
rlm_dbm: recod parsed 
rlm_dbm: Reply found
Remove CP-7841-SEPDCEB94CF21FA from user list
++[users-dot1x] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = eap-v_dot1x
# Executing group from file /usr/local/etc/raddb/sites-enabled/v_dot1x
+- entering group authenticate {...}
[eap-v_dot1x] Request found, released from the list
[eap-v_dot1x] EAP/tls
[eap-v_dot1x] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 114
[tls] Length Included
[tls] eaptls_verify returned 11 
[tls]     (other): before/accept initialization
[tls]     TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 006d], ClientHello  
[tls]     TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0031], ServerHello  
[tls]     TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 121f], Certificate  
[tls]     TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 0207], CertificateRequest  
[tls]     TLS_accept: SSLv3 write certificate request A
[tls]     TLS_accept: SSLv3 flush data
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[tls] eaptls_process returned 13 
++[eap-v_dot1x] returns handled
} # server v_dot1x
Sending Access-Challenge of id 197 to 111.222.333.444 port 1645
	Cisco-AVPair = "device-traffic-class=voice"
	Cisco-AVPair += "subscriber:service-name=PHONES"
	EAP-Message = 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
	EAP-Message = 0x76657273697479206f66204170706c69656420536369656e636573311d301b060355040b1314496e666f726d6174696f6e205365727669636573311730150603550403130e656475726f616d2e6668762e617430820122300d06092a864886f70d01010105000382010f003082010a0282010100b8a1cd6fb3a2c64e4a7c3a29878251f475c356197216a9a0d64e6398307f32ec33f9a84023a5befde1346fc273ff4d1bd10b3f7a694fc3181a7d3a042ec3f5c427653b2e2c274e574c90104d8b843f10d8eb1ea2bf50b773bd9a77d763a6d15b4cd3e7d486a1c23ad515d2b3ab82b87bd89cfc42ee7fade1c3c7ba56d7111fdc7e0d0ab7f320a949e8
	EAP-Message = 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
	EAP-Message = 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
	EAP-Message = 0x6d322e6668762e6174821872
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x77057cce7606711b016ba7ac0a5a3d56
Finished request 463.
Going to the next request

Waking up in 0.1 seconds.
rad_recv: Access-Request packet from host 111.222.333.444 port 1645, id=198, length=282
	User-Name = "CP-7841-SEPDCEB94CF21FA"
	Service-Type = Framed-User
	Cisco-AVPair = "service-type=Framed"
	Framed-MTU = 9216
	Called-Station-Id = "84-80-2D-47-CC-0D"
	Calling-Station-Id = "DC-EB-94-CF-21-FA"
	EAP-Message = 0x020300060d00
	Message-Authenticator = 0x33e76f51ba9e31652e48e06e41fa52dd
	Cisco-AVPair = "audit-session-id=C1AB9E16000003C10E2DC71C"
	Cisco-AVPair = "method=dot1x"
	NAS-IP-Address = 111.222.333.444
	NAS-Port = 60000
	NAS-Port-Id = "GigabitEthernet117/2/0/13"
	NAS-Port-Type = Ethernet
	State = 0x77057cce7606711b016ba7ac0a5a3d56
server v_dot1x {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/v_dot1x
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand: /var/log/radacct/%{Client-IP-Address}/auth-detail.log -> /var/log/radacct/111.222.333.444/auth-detail.log
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail.log expands to /var/log/radacct/111.222.333.444/auth-detail.log
[auth_log] 	expand: %t -> Mon Jul 20 09:52:55 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "CP-7841-SEPDCEB94CF21FA", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "CP-7841-SEPDCEB94CF21FA"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap-v_dot1x] EAP packet type response id 3 length 6
[eap-v_dot1x] No EAP Start, assuming it's an on-going EAP conversation
++[eap-v_dot1x] returns updated
rlm_dbm: try open database file: /usr/local/etc/raddb/users-dot1x_dbm 
rlm_dbm: Call parse_user: 
sm_parse_user.c: check for loops
Add CP-7841-SEPDCEB94CF21FA to user list
sm_parse_user: start parsing: user: CP-7841-SEPDCEB94CF21FA
parse buffer: <<>> 
rlm_dbm: recod parsed 
process pattern
rlm_dbm: Pattern matched, look for request
parse buffer: <<Cisco-AVPair = "device-traffic-class=voice", Cisco-AVPair += "subscriber:service-name=PHONES">> 
rlm_dbm: recod parsed 
rlm_dbm: Reply found
Remove CP-7841-SEPDCEB94CF21FA from user list
++[users-dot1x] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = eap-v_dot1x
# Executing group from file /usr/local/etc/raddb/sites-enabled/v_dot1x
+- entering group authenticate {...}
[eap-v_dot1x] Request found, released from the list
[eap-v_dot1x] EAP/tls
[eap-v_dot1x] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1 
[tls] eaptls_process returned 13 
++[eap-v_dot1x] returns handled
} # server v_dot1x
Sending Access-Challenge of id 198 to 111.222.333.444 port 1645
	Cisco-AVPair = "device-traffic-class=voice"
	Cisco-AVPair += "subscriber:service-name=PHONES"
	EAP-Message = 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
	EAP-Message = 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
	EAP-Message = 0x1f301d0603550403131655544e2d5553455246697273742d4861726477617265301e170d3039303531383030303030305a170d3230303533303130343833385a3036310b3009060355040613024e4c310f300d060355040a1306544552454e41311630140603550403130d544552454e412053534c20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c3e348c42f5cc1cba999fd1ba2835d8a3dad3ad0e2a4431f4d0efe352530a5691bc4e8e5c18f547ee16aa29a5c5cde3dfc02ce96b85f8f835bcc604090f8e4b63a259c5f1451ecb1e7af9e50a13155c702bdac528a7f358e82fa84ad15fea27f83103a55
	EAP-Message = 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
	EAP-Message = 0x551d130101ff040830060101
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x77057cce7501711b016ba7ac0a5a3d56
Finished request 464.
Going to the next request
