Upgrade 2.1 to 2.2 and EAP-TLS Problem
Hi, i will test upgrade my Freeradius 2.1.12 (Debian Wheezy) to 2.2.5 (Debian Jessie). So my configured sites for MAC authentication and sql module look like working right now. But also i have configured a eap-tls site where i can’t auth anymore. my eap.conf: eap eapcert { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 tls { certdir = ${confdir}/certs cadir = ${certdir}/ca CA_file = ${cadir}/cacert.crt # Freeradius01 private_key_password = <secret> private_key_file = ${certdir}/Freeradius.pem certificate_file = ${certdir}/Freeradius.pem dh_file = ${certdir}/dh random_file = ${certdir}/random fragment_size = 1024 include_length = yes check_cert_cn = %{User-Name} cipher_list = "DEFAULT" check_crl = yes crl_file = ${cadir}/cacrl.pem CA_path = ${cadir} rsa_key_length = 1024 rsa_key_exchange = yes virtual_server = "kontrast" cache { enable = no lifetime = 24h max_entries = 255 } verify { } } } and my sites-enabled/kontrast look: server kontrast { listen { ipaddr = * port = 1810 type = auth virtual_server = kontrast } authorize { eapcert { ok = return } } authenticate { eapcert } post-auth{ } } in version 2.2 i got an error here: +group authorize { [eapcert] EAP packet type response id 241 length 6 [eapcert] No EAP Start, assuming it's an on-going EAP conversation ++[eapcert] = updated +} # group authorize = updated Found Auth-Type = eapcert # Executing group from file /etc/freeradius/sites-enabled/kontrast +group authenticate { rlm_eap: No EAP session matching the State variable. [eapcert] Either EAP-request timed out OR EAP-response to an unknown EAP-request [eapcert] Failed in handler ++[eapcert] = invalid +} # group authenticate = invalid Failed to authenticate the user. [tls] } # server kontrast [tls] Certifictes were rejected by the virtual server [eapcert] Handler failed in EAP/tls [eapcert] Failed in EAP select ++[eapcert] = invalid +} # group authenticate = invalid Failed to authenticate the user. } # server kontrast Delaying reject of request 13 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 13 Sending Access-Reject of id 4 to 192.168.10.167 port 39133 EAP-Message = 0x04f10004 Message-Authenticator = 0x0 anyone has an idea? kind regards OLIVER WERNER System-Administrator Kontrast Communication Services GmbH Grafenberger Allee 100, 40237 Düsseldorf, Germany Fon +49-211-91505-500 Fax +49-211-91505-530 www.kontrast.de <http://www.kontrast.de/> Amtsgericht Düsseldorf: HRB 26934 Geschäftsführer: Joachim Fischer, Anja Grote-Lutter, Leontine van der Vlist <https://www.facebook.com/kontrast.communication> <https://twitter.com/KONTRAST_de> <http://www.xing.com/companies/kontrastcommunicationservicesgmbh> <http://www.linkedin.com/company/kontrast-communication-services-gmbh> <https://vimeo.com/kontrastcs> <http://instagram.com/kontrast_de>
Hi Alan, now i have upgraded to 2.2.9 it look better, but not working… Here is the debug from request: Ready to process requests. rad_recv: Access-Request packet from host 192.168.10.167 port 39133, id=40, length=263 Acct-Session-Id = "660dc192" NAS-Port = 27 NAS-Port-Type = Wireless-802.11 User-Name = "Oliver Werner" Calling-Station-Id = "D0-03-4B-8F-37-CC" Called-Station-Id = "98-4B-E1-25-EF-10" EAP-Message = 0x02880012014f6c69766572205765726e6572 NAS-Identifier = "SG047GG0322" NAS-IP-Address = 192.168.10.167 Framed-MTU = 1496 Connect-Info = "IEEE802.1X" Framed-Protocol = PPP Service-Type = Framed-User Colubris-AVPair = "ssid=TestOliver" Colubris-AVPair = "group=Default Group" Colubris-AVPair = "incoming-vlan-id=2" Colubris-AVPair = "vsc-unique-id=7" Message-Authenticator = 0xc163dded625cfa9e61a2fcee81b3d7eb server kontrast { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/kontrast +group authorize { [eapcert] EAP packet type response id 136 length 18 [eapcert] No EAP Start, assuming it's an on-going EAP conversation ++[eapcert] = updated +} # group authorize = updated Found Auth-Type = eapcert # Executing group from file /usr/local/etc/raddb/sites-enabled/kontrast +group authenticate { [eapcert] EAP Identity [eapcert] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eapcert] = handled +} # group authenticate = handled } # server kontrast Sending Access-Challenge of id 40 to 192.168.10.167 port 39133 EAP-Message = 0x018900060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xabbbf234ab32ff0a8dd5a114a8efbc82 Finished request 12. Going to the next request Waking up in 4.9 seconds. WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x60aad60a602fdb1c did not finish! WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! i test with iOS, MacBook and HP Procurve Switch. Looks an cert is not installed correctly? Kind regards OLIVER WERNER System-Administrator Kontrast Communication Services GmbH Grafenberger Allee 100, 40237 Düsseldorf, Germany Fon +49-211-91505-500 Fax +49-211-91505-530 www.kontrast.de <http://www.kontrast.de/> Amtsgericht Düsseldorf: HRB 26934 Geschäftsführer: Joachim Fischer, Anja Grote-Lutter, Leontine van der Vlist <https://www.facebook.com/kontrast.communication> <https://twitter.com/KONTRAST_de> <http://www.xing.com/companies/kontrastcommunicationservicesgmbh> <http://www.linkedin.com/company/kontrast-communication-services-gmbh> <https://vimeo.com/kontrastcs> <http://instagram.com/kontrast_de>
Am 23.03.2016 um 11:28 schrieb A.L.M.Buxey@lboro.ac.uk:
Hi,
dh_file = ${certdir}/dh
check DH key size
random_file = ${certdir}/random
urgh. change that to
random_file = /dev/urandom
I'd advise you go to 2.2.9 - many bugs/issues fixed since 2.2.5 and you might be hitting one of those....
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 23, 2016, at 5:21 AM, Oliver Werner <oliver.werner@kontrast.de> wrote:
i will test upgrade my Freeradius 2.1.12 (Debian Wheezy) to 2.2.5 (Debian Jessie).
Which also changes OpenSSL, among other things. Recent versions of the 2.2 have fixes which work around OpenSSL bugs.
So my configured sites for MAC authentication and sql module look like working right now.
But also i have configured a eap-tls site where i can’t auth anymore.
Try 2.2.9 before doing anything else. Or, upgrade to 3.0. It's *much* nicer. Alan DeKok.
Hi Alan, Now i habe running version 3.0.11. i got for eap-tls requests but not Accept. Ready to process requests (9) Received Access-Request Id 155 from 192.168.10.167:39133 to 192.168.70.35:1810 length 263 (9) Acct-Session-Id = "75d427d5" (9) NAS-Port = 40 (9) NAS-Port-Type = Wireless-802.11 (9) User-Name = "Oliver Werner" (9) Calling-Station-Id = "D0-03-4B-8F-37-CC" (9) Called-Station-Id = "98-4B-E1-25-EF-00" (9) EAP-Message = 0x021b0012014f6c69766572205765726e6572 (9) NAS-Identifier = "SG047GG0322" (9) NAS-IP-Address = 192.168.10.167 (9) Framed-MTU = 1496 (9) Connect-Info = "IEEE802.1X" (9) Framed-Protocol = PPP (9) Service-Type = Framed-User (9) Colubris-AVPair = "ssid=TestOliver" (9) Colubris-AVPair = "group=Default Group" (9) Colubris-AVPair = "incoming-vlan-id=2" (9) Colubris-AVPair = "vsc-unique-id=7" (9) Message-Authenticator = 0x68c0c2482cd8dc3dfc72fec86a3bac26 (9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/kontrast (9) authorize { (9) eapcert: Peer sent EAP Response (code 2) ID 27 length 18 (9) eapcert: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (9) [eapcert] = ok (9) } # authorize = ok (9) Found Auth-Type = eapcert (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/kontrast (9) authenticate { (9) eapcert: Peer sent packet with method EAP Identity (1) (9) eapcert: Calling submodule eap_tls to process data (9) eap_tls: Initiating new EAP-TLS session (9) eap_tls: Setting verify mode to require certificate from client (9) eap_tls: [eaptls start] = request (9) eapcert: Sending EAP Request (code 1) ID 28 length 6 (9) eapcert: EAP session adding &reply:State = 0x842794b5843b9965 (9) [eapcert] = handled (9) } # authenticate = handled (9) Using Post-Auth-Type Challenge (9) Post-Auth-Type sub-section not found. Ignoring. (9) Sent Access-Challenge Id 155 from 192.168.70.35:1810 to 192.168.10.167:39133 length 0 (9) EAP-Message = 0x011c00060d20 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0x842794b5843b99652f4dda048d4c31ef (9) Finished request eap-module: eap eapcert { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} tls-config tls-common { private_key_password = <secret> private_key_file = ${certdir}/Freeradius.pem certificate_file = ${certdir}/Freeradius.pem cadir = ${certdir}/ca ca_file = ${cadir}/cacert.crt dh_file = ${certdir}/dh random_file = /dev/urandom fragment_size = 1024 include_length = yes check_crl = yes #check_all_crl = yes ca_path = ${cadir} check_cert_cn = %{User-Name} cipher_list = "DEFAULT" # OpenSSL 1.0.1f and 1.0.1g do not calculate # the EAP keys correctly. The fix is to upgrade # OpenSSL, or disable TLS 1.2 here. #disable_tlsv1_2 = no ecdh_curve = "secp384r1" cache { enable = yes lifetime = 24 # hours max_entries = 255 persist_dir = "${logdir}/tlscache" } verify { } } tls { tls = tls-common virtual_server = kontrast } } site-enable/kontrast: server kontrast { listen { ipaddr = * port = 1810 type = auth virtual_server = kontrast } authorize { eapcert { ok = return } } authenticate { eapcert } post-auth{ } } OLIVER WERNER System-Administrator Kontrast Communication Services GmbH Grafenberger Allee 100, 40237 Düsseldorf, Germany Fon +49-211-91505-500 Fax +49-211-91505-530 www.kontrast.de <http://www.kontrast.de/> Amtsgericht Düsseldorf: HRB 26934 Geschäftsführer: Joachim Fischer, Anja Grote-Lutter, Leontine van der Vlist <https://www.facebook.com/kontrast.communication> <https://twitter.com/KONTRAST_de> <http://www.xing.com/companies/kontrastcommunicationservicesgmbh> <http://www.linkedin.com/company/kontrast-communication-services-gmbh> <https://vimeo.com/kontrastcs> <http://instagram.com/kontrast_de>
Am 23.03.2016 um 13:55 schrieb Alan DeKok <aland@deployingradius.com>:
On Mar 23, 2016, at 5:21 AM, Oliver Werner <oliver.werner@kontrast.de> wrote:
i will test upgrade my Freeradius 2.1.12 (Debian Wheezy) to 2.2.5 (Debian Jessie).
Which also changes OpenSSL, among other things. Recent versions of the 2.2 have fixes which work around OpenSSL bugs.
So my configured sites for MAC authentication and sql module look like working right now.
But also i have configured a eap-tls site where i can’t auth anymore.
Try 2.2.9 before doing anything else.
Or, upgrade to 3.0. It's *much* nicer.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
What's your openssl version and client? Might be that you need to disable TLS1.2 alan
My Version is 1.0.1k-3+deb8u4 OLIVER WERNER System-Administrator Kontrast Communication Services GmbH Grafenberger Allee 100, 40237 Düsseldorf, Germany Fon +49-211-91505-500 Fax +49-211-91505-530 www.kontrast.de <http://www.kontrast.de/> Amtsgericht Düsseldorf: HRB 26934 Geschäftsführer: Joachim Fischer, Anja Grote-Lutter, Leontine van der Vlist <https://www.facebook.com/kontrast.communication> <https://twitter.com/KONTRAST_de> <http://www.xing.com/companies/kontrastcommunicationservicesgmbh> <http://www.linkedin.com/company/kontrast-communication-services-gmbh> <https://vimeo.com/kontrastcs> <http://instagram.com/kontrast_de>
Am 23.03.2016 um 17:59 schrieb Alan Buxey <A.L.M.Buxey@lboro.ac.uk>:
What's your openssl version and client? Might be that you need to disable TLS1.2
alan
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan Buxey -
Alan DeKok -
Oliver Werner