Custom handling of EAP module reject
Hi all, I got this: (4) eap_rogue: Peer sent packet with method EAP PEAP (25) (4) eap_rogue: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer indicated complete TLS record size will be 7 bytes (4) eap_peap: Got complete TLS record (7 bytes) (4) eap_peap: [eaptls verify] = length included (4) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca (4) eap_peap: ERROR: TLS Alert read:fatal:unknown CA (4) eap_peap: ERROR: TLS_accept: Failed in unknown state (4) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read) (4) eap_peap: ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (4) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure (4) eap_peap: ERROR: System call (I/O) error (-1) (4) eap_peap: ERROR: TLS receive handshake failed during operation (4) eap_peap: ERROR: [eaptls process] = fail (4) eap_rogue: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (4) eap_rogue: Sending EAP Failure (code 4) ID 6 length 4 (4) eap_rogue: Failed in EAP select (4) [eap_rogue] = invalid (4) } # authenticate = invalid (4) Failed to authenticate the user (4) Login incorrect (eap_peap: TLS Alert read:fatal:unknown CA): [<redacted>] (from client OAW_4650 port 0 cli A0-88-B4-2B-7F-E8) (4) Using Post-Auth-Type Reject (4) # Executing group from file /usr/local/freeradius-3.0.13/ etc/raddb/sites-enabled/default (4) Post-Auth-Type REJECT { (4) attr_filter.access_reject: EXPAND %{User-Name} (4) attr_filter.access_reject: --> <redacted> (4) attr_filter.access_reject: Matched entry DEFAULT at line 11 (4) [attr_filter.access_reject] = updated (4) [eap_legit] = noop (4) policy remove_reply_message_if_eap { (4) if (&reply:EAP-Message && &reply:Reply-Message) { (4) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (4) else { (4) [noop] = noop (4) } # else = noop (4) } # policy remove_reply_message_if_eap = noop (4) } # Post-Auth-Type REJECT = updated (4) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (4) Sending delayed response (4) Sent Access-Reject Id 176 from 172.16.250.29:1812 to 192.168.250.242:56028 length 44 (4) EAP-Message = 0x04060004 (4) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. I want to make a SQL call whenever the EAP module fails in authorize. I have tried with a redundant block but the SQL call is not a module and was ignored. How can I intercept the reject action? And, even better: How can I access from unlang to the "TLS Alert read:fatal:unknown CA" string? Thanks!
On Apr 6, 2017, at 7:29 AM, Alberto Martínez via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I want to make a SQL call whenever the EAP module fails in authorize. I have tried with a redundant block but the SQL call is not a module and was ignored.
What does that mean? Please post EXACTLY what you did. Saying "I tried things and it didn't work" is unhelpful.
How can I intercept the reject action? And, even better: How can I access from unlang to the "TLS Alert read:fatal:unknown CA" string?
In v3, you can't. Alan DeKok.
Hello Alan, 2017-04-06 14:14 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
On Apr 6, 2017, at 7:29 AM, Alberto Martínez via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
I want to make a SQL call whenever the EAP module fails in authorize. I have tried with a redundant block but the SQL call is not a module and was ignored.
What does that mean?
Please post EXACTLY what you did. Saying "I tried things and it didn't work" is unhelpful.
I mean this: server rogue-inner-tunnel { ... authorize { .... redundant { eap_rogue "%{sql_custom:<redacted>}" } .... } ... }
How can I intercept the reject action? And, even better: How can I access from unlang to the "TLS Alert read:fatal:unknown CA" string?
In v3, you can't.
Oh, ok :( Where could I? Was it in v1 or v2 Or will be in v4? Thank you!
On Apr 6, 2017, at 8:30 AM, Alberto Martínez <alberto.martinez@deusto.es> wrote:
Please post EXACTLY what you did. Saying "I tried things and it didn't work" is unhelpful.
I mean this:
server rogue-inner-tunnel { ... authorize { .... redundant { eap_rogue "%{sql_custom:<redacted>}" } .... } ... }
<sigh> If only there was some kind of debug output where the server would tell you what it's doing, and why. As I guessed, you're running this in the inner-tunnel. If you had bothered to read the debug output, you'd see that the request sent to the inner-tunnel server doesn't have Called-Station-SSID. There are documented ways of addressing the outer attributes. See "man unlang". It would be good to learn how to (a) ask good questions, (b) follow instructions, (c) read the existing documentation, and (d) learn how to problem solve. i.e. read the debug output and pay attention to it. I have no idea why you're giving out as little information as possible. It's frustrating, and unhelpful.
How can I intercept the reject action? And, even better: How can I access from unlang to the "TLS Alert read:fatal:unknown CA" string?
In v3, you can't.
Oh, ok :( Where could I? Was it in v1 or v2
We didn't remove functionality in newer versions of the server. That just makes no sense.
Or will be in v4?
Sure. Send a patch. Alan DeKok.
Hello, Sorry for the lack of information in my first message. I was also too much focused on that error being on the inner-tunnel side that I oversaw what the debug was telling me. I've been fiddling a bit with the configuration and understanding how it works a bit better. This problem I have reamins largely the same: a well-configured client (and by well I specially mean that it validates CA and CN) is offered (on purpose) a different certificate from what it expects. I expect the client to reject it, of course, but instead of hard-rejecting it I wish I could make it retry promptly (issue another Challenge?, some different EAP-Message in the Access-Reject?), or either offer it the server certificate it expects via another eap module configuration (eap_legit). I'm pasting the latest sites-enabled/default config and relevant debug excerp: server default { listen { type = auth ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipaddr = * port = 0 type = acct limit { } } authorize { filter_username preprocess chap mschap suffix split_username_nai rewrite_calling_station_id ntdomain files if (!ok && request:Realm == 'NULL') { update reply { Reply-Message := 'Username should have domain' } reject } if (!ok && (&Realm == '<redacted>' || &Realm == '<redacted>')) { update control { Tmp-Integer-0 := "%{sql_rogue:SELECT COUNT(*) FROM ok_user_mac WHERE user_mac_id = (SELECT id FROM user_mac WHERE user = '%{request:User-Name}' AND mac = '%{request:Calling-Station-Id}')}" Tmp-Integer-1 := "%{sql_rogue:SELECT COUNT(*) FROM ko_user_mac WHERE user_mac_id = (SELECT id FROM user_mac WHERE user = '%{request:User-Name}' AND mac = '%{request:Calling-Station-Id}')}" } if (&control:Tmp-Integer-1 > 0) { reject } elsif (&State || &control:Tmp-Integer-0 == 0) { eap_rogue { ok = return } } else { eap_legit { ok = return } } } else { eap_legit { ok = return } } pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } mschap eap_legit Auth-Type eap_rogue { update control { Tmp-String-0 := 'TRY' } eap_rogue update control { Tmp-String-0 !* ANY } } } preacct { preprocess rewrite_calling_station_id acct_unique suffix files } accounting { detail log_sec_acct attr_filter.accounting_response } session { } post-auth { update { &reply: += &session-state: } remove_reply_message_if_eap Post-Auth-Type REJECT { attr_filter.access_reject eap_legit remove_reply_message_if_eap if (&control:Tmp-String-0 == 'TRY') { "%{sql_rogue:CALL to_ok_user_mac('%{User-Name}', '%{Calling-Station-Id}')}" update reply { EAP-Message := 0x04060004 <---- Trying with a poorly chosen EAP-Message } } } Post-Auth-Type Challenge { } } pre-proxy { } post-proxy { eap_legit } } --------------------- (4) Found Auth-Type = eap_rogue (4) # Executing group from file /usr/local/freeradius-3.0.13/etc/raddb/sites-enabled/default (4) Auth-Type eap_rogue { (4) update control { (4) Tmp-String-0 := 'TRY' (4) } # update control = noop (4) eap_rogue: Expiring EAP session with state 0x0c576b440f5272f5 (4) eap_rogue: Finished EAP session with state 0x0c576b440f5272f5 (4) eap_rogue: Previous EAP request found for state 0x0c576b440f5272f5, released from the list (4) eap_rogue: Peer sent packet with method EAP PEAP (25) (4) eap_rogue: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer indicated complete TLS record size will be 7 bytes (4) eap_peap: Got complete TLS record (7 bytes) (4) eap_peap: [eaptls verify] = length included (4) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca (4) eap_peap: ERROR: TLS Alert read:fatal:unknown CA (4) eap_peap: ERROR: TLS_accept: Failed in unknown state (4) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read) (4) eap_peap: ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (4) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure (4) eap_peap: ERROR: System call (I/O) error (-1) (4) eap_peap: ERROR: TLS receive handshake failed during operation (4) eap_peap: ERROR: [eaptls process] = fail (4) eap_rogue: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (4) eap_rogue: Sending EAP Failure (code 4) ID 5 length 4 (4) eap_rogue: Failed in EAP select (4) [eap_rogue] = invalid (4) } # Auth-Type eap_rogue = invalid (4) Failed to authenticate the user (4) Login incorrect (eap_peap: TLS Alert read:fatal:unknown CA): [<redacted>] (from client OAW_4650 port 0 cli A0-88-B4-2B-7F-E8) (4) Using Post-Auth-Type Reject (4) # Executing group from file /usr/local/freeradius-3.0.13/etc/raddb/sites-enabled/default (4) Post-Auth-Type REJECT { (4) attr_filter.access_reject: EXPAND %{User-Name} (4) attr_filter.access_reject: --> <redacted> (4) attr_filter.access_reject: Matched entry DEFAULT at line 11 (4) [attr_filter.access_reject] = updated (4) [eap_legit] = noop (4) policy remove_reply_message_if_eap { (4) if (&reply:EAP-Message && &reply:Reply-Message) { (4) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (4) else { (4) [noop] = noop (4) } # else = noop (4) } # policy remove_reply_message_if_eap = noop (4) if (&control:Tmp-String-0 == 'TRY') { (4) if (&control:Tmp-String-0 == 'TRY') -> TRUE (4) if (&control:Tmp-String-0 == 'TRY') { rlm_sql (sql_edurogue): Reserved connection (4) (4) Executing select query: CALL to_ok_user_mac('<redacted>', 'A0-88-B4-2B-7F-E8') (4) SQL query returned no results rlm_sql (sql_edurogue): Released connection (4) (4) EXPAND %{sql_rogue:CALL to_ok_user_mac('%{User-Name}', '%{Calling-Station-Id}')} (4) --> (4) update reply { (4) EAP-Message := 0x04060004 (4) } # update reply = noop (4) } # if (&control:Tmp-String-0 == 'TRY') = noop (4) } # Post-Auth-Type REJECT = updated (4) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. I confess that EAP-Message is a mystery for me and I don't know yet what can it signal to the client. Thanks, Alberto
On Apr 7, 2017, at 6:26 AM, Alberto Martínez <alberto.martinez@deusto.es> wrote:
I'm pasting the latest sites-enabled/default config and relevant debug excerpt:
At this point, I'm done. I didn't ask for the configuration. I did ask for the debug output. Instead of posting it ALL, as suggested in the FAQ, "man" page, web pages, and repeatedly in this thread, you edited it, and posted only a small (edited) portion. Since you don't care enough to follow instructions, I don't care enough to help you. Alan DeKok.
2017-04-07 15:28 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
On Apr 7, 2017, at 6:26 AM, Alberto Martínez <alberto.martinez@deusto.es> wrote:
I'm pasting the latest sites-enabled/default config and relevant debug excerpt:
At this point, I'm done.
I didn't ask for the configuration. I did ask for the debug output. Instead of posting it ALL, as suggested in the FAQ, "man" page, web pages, and repeatedly in this thread, you edited it, and posted only a small (edited) portion.
Since you don't care enough to follow instructions, I don't care enough to help you.
For the question I'm asking there is no need for more debug. I could send the full debug but also I would LOVE to know why is it relevant if no heavy modifications to the original configuration have be done. Since you don't care anymore I don't expect a reply to this. I'm ok with that and there is other people on the list which may actually help. For me, right now, what I want can't be done and I will have to hack my way patching the server. Have a wonderful, lovely day.
On Apr 7, 2017, at 9:42 AM, Alberto Martínez <alberto.martinez@deusto.es> wrote:
For the question I'm asking there is no need for more debug.
Yes, there is. As the newbie asking questions, you are inexperienced, and unable to judge which parts of the debug output are relevant, and which are not.
I could send the full debug but also I would LOVE to know why is it relevant if no heavy modifications to the original configuration have be done.
Because we need to see what's going on. If you refuse to tell us what's going on, you're ensuring that we are unable to help you.
Since you don't care anymore I don't expect a reply to this. I'm ok with that and there is other people on the list which may actually help.
I've been trying to help you, and you've been fighting every step of the way. This is anti-social and rude.
For me, right now, what I want can't be done and I will have to hack my way patching the server.
Have a wonderful, lovely day.
This list is for people who want to solve problems. And, for people who *work* to solve problems. If you keep complaining and refusing to follow instructions, I can unsubscribe you, and ban you permanently from the list. Don't play the "I'm better than you" game when you've been rude to the people who run the list. Alan DeKok.
participants (3)
-
Alan DeKok -
Alberto Martínez -
Alberto Martínez