Hi, On 3 November 2016 at 00:34, Alan DeKok <aland@deployingradius.com> wrote:
On Nov 2, 2016, at 5:38 PM, Davide Belloni <davide.belloni@gmail.com> wrote:
for a SSID wireless network I'm trying, without success, to proxy EAP-TLS auth (based on certificate's CN) to specific Windows RADIUS that are members of two domain on AD.
As always, read the debug log. You will see the EAP session being started on FreeRADIUS, and *then* after a few packets, the client certificate shows up.
i.e. you can't proxy an entire EAP session based on a client certificate that shows up in packet 4.
You *can* proxy based on User-Name. But that's (mostly) independent of the client certificate.
here's the log in question:Nov 2 16:53:15 radiusd[12046]: Received Access-Request packet from host 172.25.1.6 port 1645, id=108, length=216 Nov 2 16:53:15 radiusd[12046]: #011User-Name = "<clienta>@<domainx>" Nov 2 16:53:15 radiusd[12046]: #011Framed-MTU = 1400 Nov 2 16:53:15 radiusd[12046]: #011Called-Station-Id = "BC-67-1C-E8-15-40:< SSID_S>" Nov 2 16:53:15 radiusd[12046]: #011Calling-Station-Id = "60-57-18-9B-7A-12" Nov 2 16:53:15 radiusd[12046]: #011Cisco-AVPair = "ssid=<SSID_S>" Nov 2 16:53:15 radiusd[12046]: #011Service-Type = Login-User Nov 2 16:53:15 radiusd[12046]: #011Cisco-AVPair = "service-type=Login" Nov 2 16:53:15 radiusd[12046]: #011Message-Authenticator = 0x9c363f836b3fad2f7f01a7e4ad8cae64 Nov 2 16:53:15 radiusd[12046]: #011EAP-Message = 0x02020018017465737477696669406d616e6f72642e636f6d Nov 2 16:53:15 radiusd[12046]: #011NAS-Port-Type = Wireless-802.11 Nov 2 16:53:15 radiusd[12046]: #011NAS-Port = 52934 Nov 2 16:53:15 radiusd[12046]: #011NAS-Port-Id = "52934" Nov 2 16:53:15 radiusd[12046]: #011NAS-IP-Address = 172.25.1.6 Nov 2 16:53:15 radiusd[12046]: # Executing section authorize from file /etc/raddb/sites-enabled/default Nov 2 16:53:15 radiusd[12046]: +group authorize { Nov 2 16:53:15 radiusd[12046]: ++policy rewrite.calling_station_id { Nov 2 16:53:15 radiusd[12046]: +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) Nov 2 16:53:15 radiusd[12046]: ?? Evaluating (Calling-Station-Id) -> TRUE Nov 2 16:53:15 radiusd[12046]: #011expand: %{Calling-Station-Id} -> 60-57-18-9B-7A-12 Nov 2 16:53:15 radiusd[12046]: #011expand: policy.mac-addr -> policy.mac- addr Nov 2 16:53:15 radiusd[12046]: #011expand: ^%{config:policy.mac-addr}$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$ Nov 2 16:53:15 radiusd[12046]: ? Evaluating ("%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE Nov 2 16:53:15 radiusd[12046]: +++? if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) -> TRUE Nov 2 16:53:15 radiusd[12046]: +++if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) { Nov 2 16:53:15 radiusd[12046]: ++++update request { Nov 2 16:53:15 radiusd[12046]: #011expand: %{1}%{2}.%{3}%{4}.%{5}%{6} -> 6057.189B.7A12 Nov 2 16:53:15 radiusd[12046]: #011expand: %{tolower:%{1}%{2}.%{3}%{4}.%{5}%{6}} -> 6057.189b.7a12 Nov 2 16:53:15 radiusd[12046]: ++++} # update request = noop Nov 2 16:53:15 radiusd[12046]: ++++[updated] = updated Nov 2 16:53:15 radiusd[12046]: +++} # if ((Calling-Station-Id) && "%{Calling-Station-Id}" =~ /^%{config:policy.mac-addr}$/i) = updated Nov 2 16:53:15 radiusd[12046]: +++ ... skipping else for request 902: Preceding "if" was taken Nov 2 16:53:15 radiusd[12046]: ++} # policy rewrite.calling_station_id = updated Nov 2 16:53:15 radiusd[12046]: ++policy rewrite.called_station_id { Nov 2 16:53:15 radiusd[12046]: +++? if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) Nov 2 16:53:15 radiusd[12046]: ?? Evaluating (Called-Station-Id) -> TRUE Nov 2 16:53:15 radiusd[12046]: #011expand: %{Called-Station-Id} -> BC-67-1C-E8-15-40:<SSID_S> Nov 2 16:53:15 radiusd[12046]: #011expand: policy.mac-addr -> policy.mac- addr Nov 2 16:53:15 radiusd[12046]: #011expand: ^%{config:policy.mac-addr}(:(.+))?$ -> ^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})(:(.+))?$ Nov 2 16:53:15 radiusd[12046]: ? Evaluating ("%{Called-Station-Id}" =~ /^%{ config:policy.mac-addr}(:(.+))?$/i) -> TRUE Nov 2 16:53:15 radiusd[12046]: +++? if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) -> TRUE Nov 2 16:53:15 radiusd[12046]: +++if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) { Nov 2 16:53:15 radiusd[12046]: ++++update request { Nov 2 16:53:15 radiusd[12046]: #011expand: %{1}-%{2}-%{3}-%{4}-%{5}-%{6} -> BC-67-1C-E8-15-40 Nov 2 16:53:15 radiusd[12046]: #011expand: %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} -> bc-67-1c-e8-15-40 Nov 2 16:53:15 radiusd[12046]: ++++} # update request = noop Nov 2 16:53:15 radiusd[12046]: ++++? if ("%{8}") Nov 2 16:53:15 radiusd[12046]: #011expand: %{8} -> <SSID_S> Nov 2 16:53:15 radiusd[12046]: ? Evaluating ("%{8}") -> TRUE Nov 2 16:53:15 radiusd[12046]: ++++? if ("%{8}") -> TRUE Nov 2 16:53:15 radiusd[12046]: ++++if ("%{8}") { Nov 2 16:53:15 radiusd[12046]: +++++update request { Nov 2 16:53:15 radiusd[12046]: #011expand: %{Called-Station-Id}:%{8} -> bc -67-1c-e8-15-40:<SSID_S> Nov 2 16:53:15 radiusd[12046]: +++++} # update request = noop Nov 2 16:53:15 radiusd[12046]: ++++} # if ("%{8}") = noop Nov 2 16:53:15 radiusd[12046]: ++++ ... skipping elsif for request 902: Preceding "if" was taken Nov 2 16:53:15 radiusd[12046]: ++++[updated] = updated Nov 2 16:53:15 radiusd[12046]: +++} # if ((Called-Station-Id) && "%{Called-Station-Id}" =~ /^%{config:policy.mac-addr}(:(.+))?$/i) = updated Nov 2 16:53:15 radiusd[12046]: +++ ... skipping else for request 902: Preceding "if" was taken Nov 2 16:53:15 radiusd[12046]: ++} # policy rewrite.called_station_id = updated Nov 2 16:53:15 radiusd[12046]: ++[preprocess] = ok Nov 2 16:53:15 radiusd[12046]: ++[chap] = noop Nov 2 16:53:15 radiusd[12046]: ++[mschap] = noop Nov 2 16:53:15 radiusd[12046]: [suffix] Looking up realm "<domainx>" for User-Name = "<clienta>@<domainx>" Nov 2 16:53:15 radiusd[12046]: [suffix] No such realm "<domainx>" Nov 2 16:53:15 radiusd[12046]: ++[suffix] = noop Nov 2 16:53:15 radiusd[12046]: [eap] EAP packet type response id 2 length 24 Nov 2 16:53:15 radiusd[12046]: [eap] No EAP Start, assuming it's an on-going EAP conversation Nov 2 16:53:15 radiusd[12046]: ++[eap] = updated Nov 2 16:53:15 radiusd[12046]: ++[unix] = notfound Nov 2 16:53:15 radiusd[12046]: [files] #011expand: %{Called-Station-Id} -> bc-67-1c-e8-15-40:<SSID_S> Nov 2 16:53:15 radiusd[12046]: [files] #011expand: %{Called-Station-Id} -> bc-67-1c-e8-15-40:<SSID_S> Nov 2 16:53:15 radiusd[12046]: [files] #011expand: %{Called-Station-Id} -> bc-67-1c-e8-15-40:<SSID_S> Nov 2 16:53:15 radiusd[12046]: [files] users: Matched entry DEFAULT at line 55 Nov 2 16:53:15 radiusd[12046]: ++[files] = ok Nov 2 16:53:15 radiusd[12046]: ++[expiration] = noop Nov 2 16:53:15 radiusd[12046]: ++[logintime] = noop Nov 2 16:53:15 radiusd[12046]: [pap] WARNING: Auth-Type already set. Not setting to PAP Nov 2 16:53:15 radiusd[12046]: ++[pap] = noop Nov 2 16:53:15 radiusd[12046]: ++? if ("%{Called-Station-Id}" =~ /:<SSID_S>$/ ) Nov 2 16:53:15 radiusd[12046]: #011expand: %{Called-Station-Id} -> bc -67-1c-e8-15-40:<SSID_S> Nov 2 16:53:15 radiusd[12046]: ? Evaluating ("%{Called-Station-Id}" =~ /:< SSID_S>$/) -> TRUE Nov 2 16:53:15 radiusd[12046]: ++? if ("%{Called-Station-Id}" =~ /:<SSID_S>$/ ) -> TRUE Nov 2 16:53:15 radiusd[12046]: ++if ("%{Called-Station-Id}" =~ /:<SSID_S>$/ ) { Nov 2 16:53:15 radiusd[12046]: +++? if ("%{User-Name}" =~ /anonymous$/ ) Nov 2 16:53:15 radiusd[12046]: #011expand: %{User-Name} -> <clienta>@< domainx> Nov 2 16:53:15 radiusd[12046]: ? Evaluating ("%{User-Name}" =~ /anonymous$/) -> FALSE Nov 2 16:53:15 radiusd[12046]: +++? if ("%{User-Name}" =~ /anonymous$/ ) -> FALSE Nov 2 16:53:15 radiusd[12046]: +++? elsif ("%{User-Name}" =~ /@<domainx>$/ || "%{User-Name}" =~ /\.<domainx>$/ || "%{User-Name}" =~ /^<domainx>\\\\/ ) Nov 2 16:53:15 radiusd[12046]: #011expand: %{User-Name} -> <clienta>@< domainx> Nov 2 16:53:15 radiusd[12046]: ? Evaluating ("%{User-Name}" =~ /@<domainx>$/) -> TRUE Nov 2 16:53:15 radiusd[12046]: ? Skipping ("%{User-Name}" =~ /\.<domainx
$/) Nov 2 16:53:15 radiusd[12046]: ? Skipping ("%{User-Name}" =~ /^<domainx \\\\/) Nov 2 16:53:15 radiusd[12046]: +++? elsif ("%{User-Name}" =~ /@<domainx>$/ || "%{User-Name}" =~ /\.<domainx>$/ || "%{User-Name}" =~ /^<domainx>\\\\/ ) -> TRUE Nov 2 16:53:15 radiusd[12046]: +++elsif ("%{User-Name}" =~ /@<domainx>$/ || "%{User-Name}" =~ /\.<domainx>$/ || "%{User-Name}" =~ /^<domainx>\\\\/ ) { Nov 2 16:53:15 radiusd[12046]: ++++update control { Nov 2 16:53:15 radiusd[12046]: ++++} # update control = noop Nov 2 16:53:15 radiusd[12046]: +++} # elsif ("%{User-Name}" =~ /@<domainx>$/ || "%{User-Name}" =~ /\.<domainx>$/ || "%{User-Name}" =~ /^<domainx>\\\\/ ) = noop Nov 2 16:53:15 radiusd[12046]: +++ ... skipping else for request 902: Preceding "if" was taken Nov 2 16:53:15 radiusd[12046]: ++} # if ("%{Called-Station-Id}" =~ /:<SSID_S>$/ ) = noop Nov 2 16:53:15 radiusd[12046]: +} # group authorize = updated Nov 2 16:53:15 radiusd[12046]: Using Post-Auth-Type REJECT Nov 2 16:53:15 radiusd[12046]: # Executing group from file /etc/raddb /sites-enabled/default Nov 2 16:53:15 radiusd[12046]: +group REJECT { Nov 2 16:53:15 radiusd[12046]: [attr_filter.access_reject] #011expand: %{User-Name} -> <clienta>@<domainx> Nov 2 16:53:15 radiusd[12046]: ++[attr_filter.access_reject] = updated Nov 2 16:53:15 radiusd[12046]: +} # group REJECT = updated Nov 2 16:53:15 radiusd[12046]: Delaying reject of request 902 for 1 seconds
I can't see the client certificate, do you think that I'm executing not an EAP-TLS auth? And why, if the last ulang check is TRUE, the request isn't proxied?
For example what I want to obtain is that:
- EAP-TLS of client A, member of domain X, is proxied by Freeradius to RADIUS/AD of that domain - EAP-TLS of client B, member of domain Y, is proxied by Freeradius to RADIUS/AD of that domain - EAP-TLS of client C, member of any domain, is managed by file user
"client" or User-Name? It matters.
User-Name, that I think is retrieved from certificate's CN by Windows. Is it not correct?
I've obtained a similar setup for EAP-TTLS using this configuration in inner-tunnel authorize section:
EAP-TLS mostly don't have an inner-tunnel authorize section. Also, if you're proxying EAP-TLS, you need to proxy the outer session, not the inner one.
Yes, I've done the same setup for outer session (default)
if ("%{Called-Station-Id}" =~ /:SSID_S$/ ) { if ("%{User-Name}" =~ /@domainx.com$/ || "%{User-Name}" =~
/\.
domainx.com$/ || "%{User-Name}" =~ /^DOMAINX\\\\/ ) { update control { Proxy-To-Realm := 'AD_DOMAINX' } } }
Which proxies the *inner* authentication to the other server. It doesn't proxy the EAP-TTLS exchange.
Yes
And you can't proxy based on EAP type (TLS or TTLS), because that comes in the second packet of the EAP exchange.
OK
Is it possible to obtain this setup with EAP-TLS? How?
Maybe.
The simplest thing by far is to just proxy domain A to server A, and domain B to server B. That's what the "realms" configuration does.
I'm trying this setup because with "realms" configuration I can't filter the SSID Thanks
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- Davide Belloni http://about.me/davidebelloni http://www.linkedin.com/in/davidebelloni