Proxy EAP-TLS
Davide Belloni
davide.belloni at gmail.com
Thu Nov 3 11:43:07 CET 2016
Hi,
On 3 November 2016 at 00:34, Alan DeKok <aland at deployingradius.com> wrote:
> On Nov 2, 2016, at 5:38 PM, Davide Belloni <davide.belloni at gmail.com>
> wrote:
> >
> > for an SSID wireless network I'm trying, without success, to proxy EAP-TLS
> > auth (based on the certificate's CN) to specific Windows RADIUS servers that
> > are members of two domains in AD.
>
> As always, read the debug log. You will see the EAP session being
> started on FreeRADIUS, and *then* after a few packets, the client
> certificate shows up.
>
> i.e. you can't proxy an entire EAP session based on a client certificate
> that shows up in packet 4.
>
> You *can* proxy based on User-Name. But that's (mostly) independent of
> the client certificate.
>
here's the log in question:

Nov 2 16:53:15 radiusd[12046]: Received
Access-Request packet from host 172.25.1.6 port 1645, id=108, length=216
Nov 2 16:53:15 radiusd[12046]: #011User-Name = "<clienta>@<domainx>"
Nov 2 16:53:15 radiusd[12046]: #011Framed-MTU = 1400
Nov 2 16:53:15 radiusd[12046]: #011Called-Station-Id = "BC-67-1C-E8-15-40:<
SSID_S>"
Nov 2 16:53:15 radiusd[12046]: #011Calling-Station-Id = "60-57-18-9B-7A-12"
Nov 2 16:53:15 radiusd[12046]: #011Cisco-AVPair = "ssid=<SSID_S>"
Nov 2 16:53:15 radiusd[12046]: #011Service-Type = Login-User
Nov 2 16:53:15 radiusd[12046]: #011Cisco-AVPair = "service-type=Login"
Nov 2 16:53:15 radiusd[12046]: #011Message-Authenticator =
0x9c363f836b3fad2f7f01a7e4ad8cae64
Nov 2 16:53:15 radiusd[12046]: #011EAP-Message =
0x02020018017465737477696669406d616e6f72642e636f6d
Nov 2 16:53:15 radiusd[12046]: #011NAS-Port-Type = Wireless-802.11
Nov 2 16:53:15 radiusd[12046]: #011NAS-Port = 52934
Nov 2 16:53:15 radiusd[12046]: #011NAS-Port-Id = "52934"
Nov 2 16:53:15 radiusd[12046]: #011NAS-IP-Address = 172.25.1.6
Nov 2 16:53:15 radiusd[12046]: # Executing section authorize from file
/etc/raddb/sites-enabled/default
Nov 2 16:53:15 radiusd[12046]: +group authorize {
Nov 2 16:53:15 radiusd[12046]: ++policy rewrite.calling_station_id {
Nov 2 16:53:15 radiusd[12046]: +++? if ((Calling-Station-Id) &&
"%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i)
Nov 2 16:53:15 radiusd[12046]: ?? Evaluating (Calling-Station-Id) -> TRUE
Nov 2 16:53:15 radiusd[12046]: #011expand: %{Calling-Station-Id} ->
60-57-18-9B-7A-12
Nov 2 16:53:15 radiusd[12046]: #011expand: policy.mac-addr -> policy.mac-
addr
Nov 2 16:53:15 radiusd[12046]: #011expand: ^%{config:policy.mac-addr}$ ->
^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$
Nov 2 16:53:15 radiusd[12046]: ? Evaluating ("%{Calling-Station-Id}" =~
/^%{config:policy.mac-addr}$/i) -> TRUE
Nov 2 16:53:15 radiusd[12046]: +++? if ((Calling-Station-Id) &&
"%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE
Nov 2 16:53:15 radiusd[12046]: +++if ((Calling-Station-Id) &&
"%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) {
Nov 2 16:53:15 radiusd[12046]: ++++update request {
Nov 2 16:53:15 radiusd[12046]: #011expand: %{1}%{2}.%{3}%{4}.%{5}%{6} ->
6057.189B.7A12
Nov 2 16:53:15 radiusd[12046]: #011expand:
%{tolower:%{1}%{2}.%{3}%{4}.%{5}%{6}}
-> 6057.189b.7a12
Nov 2 16:53:15 radiusd[12046]: ++++} # update request = noop
Nov 2 16:53:15 radiusd[12046]: ++++[updated] = updated
Nov 2 16:53:15 radiusd[12046]: +++} # if ((Calling-Station-Id) &&
"%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) = updated
Nov 2 16:53:15 radiusd[12046]: +++ ... skipping else for request 902:
Preceding "if" was taken
Nov 2 16:53:15 radiusd[12046]: ++} # policy rewrite.calling_station_id =
updated
Nov 2 16:53:15 radiusd[12046]: ++policy rewrite.called_station_id {
Nov 2 16:53:15 radiusd[12046]: +++? if ((Called-Station-Id) &&
"%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i)
Nov 2 16:53:15 radiusd[12046]: ?? Evaluating (Called-Station-Id) -> TRUE
Nov 2 16:53:15 radiusd[12046]: #011expand: %{Called-Station-Id} ->
BC-67-1C-E8-15-40:<SSID_S>
Nov 2 16:53:15 radiusd[12046]: #011expand: policy.mac-addr -> policy.mac-
addr
Nov 2 16:53:15 radiusd[12046]: #011expand: ^%{config:policy.mac-addr}(:(.+))?$
->
^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$
Nov 2 16:53:15 radiusd[12046]: ? Evaluating ("%{Called-Station-Id}" =~ /^%{
config:policy.mac-addr}(:(.+))?$/i) -> TRUE
Nov 2 16:53:15 radiusd[12046]: +++? if ((Called-Station-Id) &&
"%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) -> TRUE
Nov 2 16:53:15 radiusd[12046]: +++if ((Called-Station-Id) &&
"%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) {
Nov 2 16:53:15 radiusd[12046]: ++++update request {
Nov 2 16:53:15 radiusd[12046]: #011expand: %{1}-%{2}-%{3}-%{4}-%{5}-%{6}
-> BC-67-1C-E8-15-40
Nov 2 16:53:15 radiusd[12046]: #011expand:
%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
-> bc-67-1c-e8-15-40
Nov 2 16:53:15 radiusd[12046]: ++++} # update request = noop
Nov 2 16:53:15 radiusd[12046]: ++++? if ("%{8}")
Nov 2 16:53:15 radiusd[12046]: #011expand: %{8} -> <SSID_S>
Nov 2 16:53:15 radiusd[12046]: ? Evaluating ("%{8}") -> TRUE
Nov 2 16:53:15 radiusd[12046]: ++++? if ("%{8}") -> TRUE
Nov 2 16:53:15 radiusd[12046]: ++++if ("%{8}") {
Nov 2 16:53:15 radiusd[12046]: +++++update request {
Nov 2 16:53:15 radiusd[12046]: #011expand: %{Called-Station-Id}:%{8} -> bc
-67-1c-e8-15-40:<SSID_S>
Nov 2 16:53:15 radiusd[12046]: +++++} # update request = noop
Nov 2 16:53:15 radiusd[12046]: ++++} # if ("%{8}") = noop
Nov 2 16:53:15 radiusd[12046]: ++++ ... skipping elsif for request 902:
Preceding "if" was taken
Nov 2 16:53:15 radiusd[12046]: ++++[updated] = updated
Nov 2 16:53:15 radiusd[12046]: +++} # if ((Called-Station-Id) &&
"%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) = updated
Nov 2 16:53:15 radiusd[12046]: +++ ... skipping else for request 902:
Preceding "if" was taken
Nov 2 16:53:15 radiusd[12046]: ++} # policy rewrite.called_station_id =
updated
Nov 2 16:53:15 radiusd[12046]: ++[preprocess] = ok
Nov 2 16:53:15 radiusd[12046]: ++[chap] = noop
Nov 2 16:53:15 radiusd[12046]: ++[mschap] = noop
Nov 2 16:53:15 radiusd[12046]: [suffix] Looking up realm "<domainx>" for
User-Name = "<clienta>@<domainx>"
Nov 2 16:53:15 radiusd[12046]: [suffix] No such realm "<domainx>"
Nov 2 16:53:15 radiusd[12046]: ++[suffix] = noop
Nov 2 16:53:15 radiusd[12046]: [eap] EAP packet type response id 2 length
24
Nov 2 16:53:15 radiusd[12046]: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Nov 2 16:53:15 radiusd[12046]: ++[eap] = updated
Nov 2 16:53:15 radiusd[12046]: ++[unix] = notfound
Nov 2 16:53:15 radiusd[12046]: [files] #011expand: %{Called-Station-Id} ->
bc-67-1c-e8-15-40:<SSID_S>
Nov 2 16:53:15 radiusd[12046]: [files] #011expand: %{Called-Station-Id} ->
bc-67-1c-e8-15-40:<SSID_S>
Nov 2 16:53:15 radiusd[12046]: [files] #011expand: %{Called-Station-Id} ->
bc-67-1c-e8-15-40:<SSID_S>
Nov 2 16:53:15 radiusd[12046]: [files] users: Matched entry DEFAULT at
line 55
Nov 2 16:53:15 radiusd[12046]: ++[files] = ok
Nov 2 16:53:15 radiusd[12046]: ++[expiration] = noop
Nov 2 16:53:15 radiusd[12046]: ++[logintime] = noop
Nov 2 16:53:15 radiusd[12046]: [pap] WARNING: Auth-Type already set. Not
setting to PAP
Nov 2 16:53:15 radiusd[12046]: ++[pap] = noop
Nov 2 16:53:15 radiusd[12046]: ++? if ("%{Called-Station-Id}" =~ /:<SSID_S>$/
)
Nov 2 16:53:15 radiusd[12046]: #011expand: %{Called-Station-Id} -> bc
-67-1c-e8-15-40:<SSID_S>
Nov 2 16:53:15 radiusd[12046]: ? Evaluating ("%{Called-Station-Id}" =~ /:<
SSID_S>$/) -> TRUE
Nov 2 16:53:15 radiusd[12046]: ++? if ("%{Called-Station-Id}" =~ /:<SSID_S>$/
) -> TRUE
Nov 2 16:53:15 radiusd[12046]: ++if ("%{Called-Station-Id}" =~ /:<SSID_S>$/
) {
Nov 2 16:53:15 radiusd[12046]: +++? if ("%{User-Name}" =~ /anonymous$/ )
Nov 2 16:53:15 radiusd[12046]: #011expand: %{User-Name} -> <clienta>@<
domainx>
Nov 2 16:53:15 radiusd[12046]: ? Evaluating ("%{User-Name}" =~
/anonymous$/) -> FALSE
Nov 2 16:53:15 radiusd[12046]: +++? if ("%{User-Name}" =~ /anonymous$/ )
-> FALSE
Nov 2 16:53:15 radiusd[12046]: +++? elsif ("%{User-Name}" =~ /@<domainx>$/
|| "%{User-Name}" =~ /\.<domainx>$/ || "%{User-Name}" =~ /^<domainx>\\\\/ )
Nov 2 16:53:15 radiusd[12046]: #011expand: %{User-Name} -> <clienta>@<
domainx>
Nov 2 16:53:15 radiusd[12046]: ? Evaluating ("%{User-Name}" =~ /@<domainx>$/)
-> TRUE
Nov 2 16:53:15 radiusd[12046]: ? Skipping ("%{User-Name}" =~ /\.<domainx
>$/)
Nov 2 16:53:15 radiusd[12046]: ? Skipping ("%{User-Name}" =~ /^<domainx
>\\\\/)
Nov 2 16:53:15 radiusd[12046]: +++? elsif ("%{User-Name}" =~ /@<domainx>$/
|| "%{User-Name}" =~ /\.<domainx>$/ || "%{User-Name}" =~ /^<domainx>\\\\/ )
-> TRUE
Nov 2 16:53:15 radiusd[12046]: +++elsif ("%{User-Name}" =~ /@<domainx>$/
|| "%{User-Name}" =~ /\.<domainx>$/ || "%{User-Name}" =~ /^<domainx>\\\\/ )
{
Nov 2 16:53:15 radiusd[12046]: ++++update control {
Nov 2 16:53:15 radiusd[12046]: ++++} # update control = noop
Nov 2 16:53:15 radiusd[12046]: +++} # elsif ("%{User-Name}" =~ /@<domainx>$/
|| "%{User-Name}" =~ /\.<domainx>$/ || "%{User-Name}" =~ /^<domainx>\\\\/ )
= noop
Nov 2 16:53:15 radiusd[12046]: +++ ... skipping else for request 902:
Preceding "if" was taken
Nov 2 16:53:15 radiusd[12046]: ++} # if ("%{Called-Station-Id}" =~
/:<SSID_S>$/
) = noop
Nov 2 16:53:15 radiusd[12046]: +} # group authorize = updated
Nov 2 16:53:15 radiusd[12046]: Using Post-Auth-Type REJECT
Nov 2 16:53:15 radiusd[12046]: # Executing group from file /etc/raddb
/sites-enabled/default
Nov 2 16:53:15 radiusd[12046]: +group REJECT {
Nov 2 16:53:15 radiusd[12046]: [attr_filter.access_reject] #011expand:
%{User-Name} -> <clienta>@<domainx>
Nov 2 16:53:15 radiusd[12046]: ++[attr_filter.access_reject] = updated
Nov 2 16:53:15 radiusd[12046]: +} # group REJECT = updated
Nov 2 16:53:15 radiusd[12046]: Delaying reject of request 902 for 1 seconds
I can't see the client certificate; do you think that I'm not executing an
EAP-TLS auth?
And why, if the last unlang check is TRUE, isn't the request proxied?
>
> > For example what I want to obtain is that:
> >
> > - EAP-TLS of client A, member of domain X, is proxied by Freeradius to
> > RADIUS/AD of that domain
> > - EAP-TLS of client B, member of domain Y, is proxied by Freeradius to
> > RADIUS/AD of that domain
> > - EAP-TLS of client C, member of any domain, is managed by file user
>
> "client" or User-Name? It matters.
>
User-Name, which I think is retrieved from the certificate's CN by Windows. Is
that not correct?
>
> > I've obtained a similar setup for EAP-TTLS using this configuration in
> > inner-tunnel authorize section:
>
> EAP-TLS mostly don't have an inner-tunnel authorize section. Also, if
> you're proxying EAP-TLS, you need to proxy the outer session, not the inner
> one.
>
Yes, I've done the same setup for the outer session (default).
>
> > if ("%{Called-Station-Id}" =~ /:SSID_S$/ ) {
> >     if ("%{User-Name}" =~ /@domainx\.com$/ || "%{User-Name}" =~ /\.domainx\.com$/ || "%{User-Name}" =~ /^DOMAINX\\\\/ ) {
> >         update control {
> >             Proxy-To-Realm := 'AD_DOMAINX'
> >         }
> >     }
> > }
>
> Which proxies the *inner* authentication to the other server. It
> doesn't proxy the EAP-TTLS exchange.
>
>
Yes
> And you can't proxy based on EAP type (TLS or TTLS), because that comes
> in the second packet of the EAP exchange.
>
OK
>
> > Is it possible to obtain this setup with EAP-TLS? How?
>
> Maybe.
>
> The simplest thing by far is to just proxy domain A to server A, and
> domain B to server B. That's what the "realms" configuration does.
>
I'm trying this setup because with the "realms" configuration I can't filter
the SSID.
Thanks
> Alan DeKok.
--
Davide Belloni
http://about.me/davidebelloni
http://www.linkedin.com/in/davidebelloni