Hi,
The implementation looks at where the certificates are in the chain, as supplied by OpenSSL. I guess it passes the certificates in a different order for outgoing connections?
Or maybe if you're not supplying a client cert, the other end server cert shows up at offset 0, which is typically the client cert.
So are you using a client cert for radsec?
Yes.
Could these attributes be duplicated for -Server and be populated as such during outbound connections? I don't want to change existing behavior, but we can add a configuration flag saying "whoops, use a better order".
Sure, that's fine. Here is the full debug output, from dynamic discover to final response, if that's useful; one can see a bit of confusion... the "server" certificate attribs get populated with a few *issuer* certificate details; and then the "client" certificate ones get the server cert. Ready to process requests Thread 1 waiting to be assigned a request Threads: total/active/spare threads = 5/0/5 Waking up in 0.3 seconds. Thread 5 got semaphore Thread 5 handling request 0, (1 handled so far) (0) Received Access-Request Id 145 from 127.0.0.1:46707 to 127.0.0.1:11812 length 108 (0) User-Name = "stefan@guest.showcase.surfnet.nl" (0) User-Password = "test123" (0) NAS-IP-Address = 158.64.1.52 (0) NAS-Port = 123 (0) Message-Authenticator = 0xfff0d0edbfc17b2c225243ae784db5f0 (0) Framed-Protocol = PPP (0) # Executing section authorize from file /opt/freeradius/3.2.0/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "guest.showcase.surfnet.nl" for User-Name = "stefan@guest.showcase.surfnet.nl" (0) suffix: No such realm "guest.showcase.surfnet.nl" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) if (User-Name =~ /@(.*)$/) { (0) if (User-Name =~ /@(.*)$/) -> TRUE (0) if (User-Name =~ /@(.*)$/) { (0) switch %{home_server_dynamic:%{1}} { (0) EXPAND %{home_server_dynamic:%{1}} (0) --> (0) case { (0) if (!control:Proxy-To-Realm) { (0) if (!control:Proxy-To-Realm) -> TRUE (0) if (!control:Proxy-To-Realm) { (0) update control { (0) Executing: %{config:prefix}/bin/naptr-eduroam-freeradius.sh %{1} %{config:prefix}: (0) EXPAND prefix (0) --> prefix (0) EXPAND %{config:prefix}/bin/naptr-eduroam-freeradius.sh (0) --> /opt/freeradius/3.2.0/bin/naptr-eduroam-freeradius.sh (0) EXPAND %{1} (0) --> guest.showcase.surfnet.nl (0) EXPAND prefix (0) --> prefix (0) EXPAND %{config:prefix} (0) --> /opt/freeradius/3.2.0 ... new connection request on command socket Listening on command file /opt/freeradius/3.2.0/var/run/radiusd/radiusd.sock Waking up in 0.1 seconds. radmin> add home_server file /opt/freeradius/3.2.0/etc/raddb/home_servers/guest.showcase.surfnet.nl including configuration file /opt/freeradius/3.2.0/etc/raddb/home_servers/guest.showcase.surfnet.nl home_server guest.showcase.surfnet.nl { ipaddr = roomkaas.eduroam.nl IPv4 address [145.100.189.5] port = 2083 type = "auth" proto = "tcp" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } recv_coa { } } tls { verify_depth = 0 ca_path = "/usr/local/radsecproxy/config/certs/ca/" pem_file_type = yes private_key_file = "/usr/local/radsecproxy/config/certs/tld1.eduroam.lu.key" certificate_file = "/usr/local/radsecproxy/config/certs/tld1.eduroam.lu.pem" fragment_size = 1024 include_length = yes check_crl = no ca_path_reload_interval = 0 ecdh_curve = "prime256v1" tls_min_version = "1.2" } tls: Cannot set DH parameters. DH cipher suites may not work. Waking up in 0.1 seconds. ... shutting down socket command file /opt/freeradius/3.2.0/var/run/radiusd/radiusd.sock Waking up in 0.1 seconds. (0) Program returned code (0) and output 'home_server guest.showcase.surfnet.nl { ipaddr = roomkaas.eduroam .nl port = 2083 proto = tcp type = auth secret = radsec tls { certificate_file = /usr/local/rads ecproxy/config/certs/tld1.eduroam.lu.pem private_key_file = /usr/local/radsecproxy/config/certs/tld1.eduroam.lu.key ca_path = /usr/local/radsecproxy/config/certs/ca/ } }' (0) &Tmp-String-1 := home_server guest.showcase.surfnet.nl { ipaddr = roomkaas.eduroam.nl port = 2083 pr oto = tcp type = auth secret = radsec tls { certificate_file = /usr/local/radsecproxy/config/certs/tld 1.eduroam.lu.pem private_key_file = /usr/local/radsecproxy/config/certs/tld1.eduroam.lu.key ca_path = /usr/local/radsecproxy/config/certs/ca/ } } (0) } # update control = noop (0) if ("%{control:Tmp-String-1}" == "" ) { (0) if ("%{control:Tmp-String-1}" == "" ) -> FALSE (0) else { (0) update control { (0) EXPAND %{1} (0) --> guest.showcase.surfnet.nl (0) &Home-Server-Name := guest.showcase.surfnet.nl (0) } # update control = noop (0) } # else = noop (0) } # if (!control:Proxy-To-Realm) = noop (0) } # case = noop (0) } # switch %{home_server_dynamic:%{1}} = noop (0) } # if (User-Name =~ /@(.*)$/) = noop (0) } # authorize = ok (0) Proxying due to Home-Server-Name (0) Starting proxy to home server 145.100.189.5 port 2083 (0) server default { (0) } (TLS) Trying new outgoing proxy connection to proxy (0.0.0.0, 0) -> home_server (145.100.189.5, 2083) Requiring Server certificate (0) (TLS) Handshake state - before/connect initialization (0) (TLS) Handshake state - Client before/connect initialization (0) (TLS) send TLS 1.2 Handshake, ClientHello (0) (TLS) Handshake state - Client SSLv2/v3 write client hello A (0) (TLS) recv TLS 1.2 Handshake, ServerHello (0) (TLS) Handshake state - Client SSLv3 read server hello A (0) (TLS) recv TLS 1.2 Handshake, Certificate (0) (TLS) Creating attributes from server certificate (0) TLS-Cert-Serial := "01" (0) TLS-Cert-Expiration := "301103101536Z" (0) TLS-Cert-Valid-Since := "101108101536Z" (0) TLS-Cert-Subject := "/DC=org/DC=edupki/CN=eduPKI CA G 01" (0) TLS-Cert-Issuer := "/DC=org/DC=edupki/CN=eduPKI CA G 01" (0) TLS-Cert-Common-Name := "eduPKI CA G 01" (0) (TLS) Creating attributes from client certificate (0) TLS-Client-Cert-Serial := "24277d01429f0b25f81d4b36" (0) TLS-Client-Cert-Expiration := "260119100121Z" (0) TLS-Client-Cert-Valid-Since := "210120100121Z" (0) TLS-Client-Cert-Subject := "/DC=net/DC=geant/DC=eduroam/C=NL/O=SURF/CN=slagroom.eduroam.nl" (0) TLS-Client-Cert-Issuer := "/DC=org/DC=edupki/CN=eduPKI CA G 01" (0) TLS-Client-Cert-Common-Name := "slagroom.eduroam.nl" (0) TLS-Client-Cert-Subject-Alt-Name-Dns := "kookroom.eduroam.nl" (0) TLS-Client-Cert-Subject-Alt-Name-Dns := "roomkaas.eduroam.nl" (0) TLS-Client-Cert-Subject-Alt-Name-Dns := "slagroom.eduroam.nl" (0) TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE" (0) TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, TLS Web Server Authentication" (0) TLS-Client-Cert-X509v3-Subject-Key-Identifier += "47:99:74:7C:72:47:14:93:12:67:78:B4:D5:FE:79:F5:DD:7A:5C:58" (0) TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:D2:F2:23:BD:4A:A1:7F:CF:A0:58:84:EB:FC:E6:5B:08:B3:CD:B4:E4\n" (0) TLS-Client-Cert-X509v3-Certificate-Policies += "Policy: 1.3.6.1.4.1.27262.1.13.1.1\nPolicy: 1.3.6.1.4.1.27262.1.13.1.1.1.4\n Policy: 1.3.6.1.4.1.25178.3.1.1\nPolicy: 1.3.6.1.4.1.25178.3.1.2\nPolicy: 1.3.6.1.4.1.27262.1.13.2.1.1.8\n" (0) TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" (0) TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.1" (0) (TLS) Handshake state - Client SSLv3 read server certificate A (0) (TLS) recv TLS 1.2 Handshake, CertificateRequest (0) (TLS) Handshake state - Client SSLv3 read server certificate request A (0) (TLS) recv TLS 1.2 Handshake, ServerHelloDone (0) (TLS) Handshake state - Client SSLv3 read server done A (0) (TLS) send TLS 1.2 Handshake, Certificate (0) (TLS) Handshake state - Client SSLv3 write client certificate A (0) (TLS) send TLS 1.2 Handshake, ClientKeyExchange (0) (TLS) Handshake state - Client SSLv3 write client key exchange A (0) (TLS) send TLS 1.2 Handshake, CertificateVerify (0) (TLS) Handshake state - Client SSLv3 write certificate verify A (0) (TLS) send TLS 1.2 ChangeCipherSpec (0) (TLS) Handshake state - Client SSLv3 write change cipher spec A (0) (TLS) send TLS 1.2 Handshake, Finished (0) (TLS) Handshake state - Client SSLv3 write finished A (0) (TLS) Handshake state - Client SSLv3 flush data (0) (TLS) recv TLS 1.2 ChangeCipherSpec (0) (TLS) recv TLS 1.2 Handshake, Finished (0) (TLS) Handshake state - Client SSLv3 read finished A (0) (TLS) Handshake state - SSL negotiation finished successfully Listening on proxy (158.64.1.52, 52959) -> home_server (145.100.189.5, 2083) Waking up in 0.1 seconds. (0) Proxying request to home server 145.100.189.5 port 2083 (TLS) timeout 30.000000 (0) Sent Access-Request Id 187 from 158.64.1.52:52959 to 145.100.189.5:2083 length 125 (0) User-Name = "stefan@guest.showcase.surfnet.nl" (0) User-Password = "test123" (0) NAS-IP-Address = 158.64.1.52 (0) NAS-Port = 123 (0) Message-Authenticator = 0xfff0d0edbfc17b2c225243ae784db5f0 (0) Framed-Protocol = PPP (0) Service-Type = Framed-User (0) Event-Timestamp = "Jun 3 2022 15:24:51 CEST" (0) Proxy-State = 0x313435 Thread 5 waiting to be assigned a request (0) Marking home server 145.100.189.5 port 2083 alive Waking up in 0.3 seconds. Thread 4 got semaphore Thread 4 handling request 0, (1 handled so far) (0) Clearing existing &reply: attributes (0) Received Access-Reject Id 187 from 145.100.189.5:2083 to 158.64.1.52:52959 length 59 (0) Reply-Message = "Request Denied" (0) Message-Authenticator = 0xe95018c5f256990b9ba4fd5b3b5eafde (0) Proxy-State = 0x313435 (0) server default { (0) # Executing section post-proxy from file /opt/freeradius/3.2.0/etc/raddb/sites-enabled/default (0) post-proxy { (0) eap: No pre-existing handler found (0) [eap] = noop (0) } # post-proxy = noop (0) } (0) Using Post-Auth-Type Reject (0) # Executing group from file /opt/freeradius/3.2.0/etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> stefan@guest.showcase.surfnet.nl (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Thread 4 waiting to be assigned a request Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 145 from 127.0.0.1:11812 to 127.0.0.1:46707 length 54 (0) Reply-Message = "Request Denied" (0) Message-Authenticator = 0xe95018c5f256990b9ba4fd5b3b5eafde Waking up in 1.9 seconds. ... cleaning up socket command file /opt/freeradius/3.2.0/var/run/radiusd/radiusd.sock Waking up in 2.0 seconds. (0) Cleaning up request packet ID 145 with timestamp +2 due to cleanup_delay was reached Ready to process requests
I'll take a look.
Alan DeKok.
- List info/subscribe/unsubscribe? Seehttp://www.freeradius.org/list/users.html
-- This email may contain information for limited distribution only, please treat accordingly. Fondation Restena, Stefan WINTER Chief Technology Officer 2, avenue de l'Université L-4365 Esch-sur-Alzette