Hi Alan, thanks for the feedback.
So I used the scriptlet below to remove the host/ section and now no longer get the error message.
if (&User-Name =~ /^host\/(.*)$/) { update request { &Cert-CN := "%{1}" } }
That's good.
However I now get the following error:
(2) if (&User-Name =~ /^host\/(.*)$/) { (2) if (&User-Name =~ /^host\/(.*)$/) -> TRUE (2) if (&User-Name =~ /^host\/(.*)$/) { (2) update request { (2) EXPAND %{1} (2) --> hostname.domain.com (2) &User-Name := hostname.domain.com
That isn't what you posted above. You're editing the User-Name, and not adding a Cert-CN attribute.
That's because when I put the unlang script above I get the following error in journalctl -xe /etc/freeradius/3.0/sites-enabled/mh-site[27]: Unknown attribute 'Cert-CN' Therefore I tried the following script (which is what I should have included above instead) in place which gave the above error: if (&User-Name =~ /^host\/(.*)$/) { update request { &User-Name := "%{1}" } }
(2) Found Auth-Type = eap (2) Found Auth-Type = eap (2) ERROR: Warning: Found 2 auth-types on request for user 'hostname.domain.com'
Don't force "Auth-Type = eap". It's wrong, and it will cause problems. Let the server figure out what to do. It will make the right decision.
Noted.
(2) eap: Identity does not match User-Name. Authentication failed
Yup.
I imagine that having now modified the username it no longer matches its identity. I'm not sure how to remediate that.
Don't modify the User-Name?
I was under the impression that the previous error:
tls: Certificate CN (mh300416.millerextra.com) does not match specified value (host/mh300416.millerextra.com)! (8) eap_tls: >>> send TLS 1.2 [length 0002] (8) eap_tls: ERROR: TLS Alert write:fatal:internal error tls: TLS_accept: Error in error
Required modifying the username to match the certificate?
Instead, add a Cert-CN, and then modify the "eap" module to check for Cert-CN, and then User-Name:
check_cert_cn = %{%{Cert-CN}:-%{User-Name}}
I've added that, but the error message before adding that and after are the same. Here are two samples from the debug log: (0) Received Access-Request Id 5 from 10.224.83.1:55126 to 10.10.251.2:1812 length 192 (0) User-Name = "host/mh301251.millerextra.com" (0) NAS-IP-Address = 127.0.0.1 (0) Called-Station-Id = "AC-17-C8-A1-BD-48:" (0) NAS-Port-Type = Ethernet (0) Service-Type = Framed-User (0) NAS-Port = 2 (0) Calling-Station-Id = "48-4D-7E-F1-EA-19" (0) Acct-Session-Id = "09359BDDFCA6B78E" (0) Framed-MTU = 1400 (0) EAP-Message = 0x0237002201686f73742f6d683330313235312e6d696c6c657265787472612e636f6d (0) Message-Authenticator = 0x03f0855274d889448947df9a9fd3424e (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) eap: Peer sent EAP Response (code 2) ID 55 length 34 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site (0) Auth-Type EAP { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_tls to process data (0) eap_tls: (TLS) Initiating new session (0) eap_tls: (TLS) Setting verify mode to require certificate from client (0) eap: Sending EAP Request (code 1) ID 56 length 6 (0) eap: EAP session adding &reply:State = 0x699f699869a764e8 (0) [eap] = handled (0) } # Auth-Type EAP = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) session-state: Saving cached attributes (0) Framed-MTU = 994 (0) Sent Access-Challenge Id 5 from 10.10.251.2:1812 to 10.224.83.1:55126 length 64 (0) EAP-Message = 0x013800060d20 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x699f699869a764e8d6204fd4e9d08f1d (0) Finished request (7) Received Access-Request Id 9 from 10.225.15.1:44056 to 10.10.251.2:1812 length 342 (7) User-Name = "host/mh300163.millerextra.com" (7) NAS-IP-Address = 127.0.0.1 (7) Called-Station-Id = "E0-55-3D-89-2E-20:" (7) NAS-Port-Type = Ethernet (7) Service-Type = Framed-User (7) NAS-Port = 3 (7) Calling-Station-Id = "18-66-DA-40-C0-53" (7) Acct-Session-Id = "25ECF349CE9496B2" (7) Framed-MTU = 1400 (7) EAP-Message = 0x022600a60d800000009c160303009701000093030362b71d68d878afc7d77f055c7dd12f0cb835715834e077f7a1dafeb097a7456200002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000040000500050100000000000a00080006001d00170018000b00020100000d001400120401050102010403050302030202060106030023000000170000ff01000100 (7) State = 0x00b4d7a90092daeea8e4e63457a93006 (7) Message-Authenticator = 0x0fefe8ca6f7fc30bbe5980c32a7e2dfc (7) Restoring &session-state (7) &session-state:Framed-MTU = 994 (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) eap: Peer sent EAP Response (code 2) ID 38 length 166 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop (7) [expiration] = noop (7) [logintime] = noop (7) policy rewrite_calling_station_id { (7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (7) update request { (7) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}} (7) --> 18-66-da-40-c0-53 (7) &Calling-Station-Id := 18-66-da-40-c0-53 (7) } # update request = noop (7) [updated] = updated (7) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (7) ... skipping else: Preceding "if" was taken (7) } # policy rewrite_calling_station_id = updated (7) if (&User-Name =~ /^host\/(.*)$/) { (7) if (&User-Name =~ /^host\/(.*)$/) -> TRUE (7) if (&User-Name =~ /^host\/(.*)$/) { (7) update request { (7) EXPAND %{1} (7) --> mh300163.millerextra.com (7) &User-Name := mh300163.millerextra.com (7) } # update request = noop (7) } # if (&User-Name =~ /^host\/(.*)$/) = noop (7) if (!EAP-Message) { (7) if (!EAP-Message) -> FALSE (7) else { (7) eap: Peer sent EAP Response (code 2) ID 38 length 166 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) } # else = updated (7) } # authorize = updated (7) Found Auth-Type = eap (7) Found Auth-Type = eap (7) ERROR: Warning: Found 2 auth-types on request for user 'mh300163.millerextra.com' (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site (7) Auth-Type EAP { (7) eap: Expiring EAP session with state 0xdb417641db437b52 (7) eap: Finished EAP session with state 0x00b4d7a90092daee (7) eap: Previous EAP request found for state 0x00b4d7a90092daee, released from the list (7) eap: Identity does not match User-Name. Authentication failed (7) eap: Failed in handler (7) [eap] = invalid (7) } # Auth-Type EAP = invalid (7) Failed to authenticate the user (7) Using Post-Auth-Type Reject (7) Post-Auth-Type sub-section not found. Ignoring. (7) Login incorrect (Warning: Found 2 auth-types on request for user 'mh300163.millerextra.com'): [mh300163.millerextra.com] (from client MWAN-10.225.15.1 port 3 cli 18-66-da-40-c0-53) (7) Delaying response for 1.000000 seconds (7) Sending delayed response (7) Sent Access-Reject Id 9 from 10.10.251.2:1812 to 10.225.15.1:44056 length 20 ________________________________ Miller Homes Limited Registered in Scotland - SC255429 2 Lochside View, Edinburgh Park, Edinburgh, EH12 9DH Disclaimer: The Information in this e-mail is confidential and for use by the addressee(s) only. It may also be privileged. If you are not the intended recipient please notify us immediately on +44 (0) 870 336 5000 and delete the message from your computer: you may not copy or forward it, or use or disclose its contents to any other person. We do not accept any liability or responsibility for: (1) changes made to this email after it was sent, or (2) viruses transmitted through this email or any attachment. Miller Homes Limited <https://www.millerhomes.co.uk>