eap-tls with a cisco phone
Hi, I’m trying to authenticate a Cisco IP Phone with 802.1X EAP-TLS. I added the Cisco root certs to the CA file and the CN name from the phone’s cert to the users file. But it doesn’t work. Maybe anybody can give me a hint? Thanks, Chris — eap.conf — default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 tls { certdir = ${confdir}/user-certs cadir = ${confdir}/user-certs private_key_file = ${certdir}/server.key certificate_file = ${certdir}/server.crt CA_file = ${confdir}/certs/allcas.crt dh_file = ${confdir}/certs/dh random_file = ${confdir}/certs/random fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" #cache { #enable = yes #lifetime = 12 # hours #max_entries = 255 #} } ttls { default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes #virtual_server = "inner-tunnel" } peap { default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes #virtual_server = "inner-tunnel" } mschapv2 { } — debug output: rad_recv: Access-Request packet from host 111.222.333.444 port 1645, id=196, length=286 User-Name = "CP-7841-SEPDCEB94CF21FA" Service-Type = Framed-User Cisco-AVPair = "service-type=Framed" Framed-MTU = 9216 Called-Station-Id = "84-80-2D-47-CC-0D" Calling-Station-Id = "DC-EB-94-CF-21-FA" EAP-Message = 0x0201001c0143502d373834312d534550444345423934434632314641 Message-Authenticator = 0x6e734e719fdd0b92819587a021164920 Cisco-AVPair = "audit-session-id=C1AB9E16000003C10E2DC71C" Cisco-AVPair = "method=dot1x" NAS-IP-Address = 111.222.333.444 NAS-Port = 60000 NAS-Port-Id = "GigabitEthernet117/2/0/13" NAS-Port-Type = Ethernet server v_dot1x { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/v_dot1x +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail.log -> /var/log/radacct/111.222.333.444/auth-detail.log [auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail.log expands to /var/log/radacct/111.222.333.444/auth-detail.log [auth_log] expand: %t -> Mon Jul 20 09:52:54 2015 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "CP-7841-SEPDCEB94CF21FA", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "CP-7841-SEPDCEB94CF21FA" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap-v_dot1x] EAP packet type response id 1 length 28 [eap-v_dot1x] No EAP Start, assuming it's an on-going EAP conversation ++[eap-v_dot1x] returns updated rlm_dbm: try open database file: /usr/local/etc/raddb/users-dot1x_dbm rlm_dbm: Call parse_user: sm_parse_user.c: check for loops Add CP-7841-SEPDCEB94CF21FA to user list sm_parse_user: start parsing: user: CP-7841-SEPDCEB94CF21FA parse buffer: <<>> rlm_dbm: recod parsed process pattern rlm_dbm: Pattern matched, look for request parse buffer: <<Cisco-AVPair = "device-traffic-class=voice", Cisco-AVPair += "subscriber:service-name=PHONES">> rlm_dbm: recod parsed rlm_dbm: Reply found Remove CP-7841-SEPDCEB94CF21FA from user list ++[users-dot1x] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = eap-v_dot1x # Executing group from file /usr/local/etc/raddb/sites-enabled/v_dot1x +- entering group authenticate {...} [eap-v_dot1x] EAP Identity [eap-v_dot1x] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap-v_dot1x] returns handled } # server v_dot1x Sending Access-Challenge of id 196 to 111.222.333.444 port 1645 Cisco-AVPair = "device-traffic-class=voice" Cisco-AVPair += "subscriber:service-name=PHONES" EAP-Message = 0x010200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x77057cce7707711b016ba7ac0a5a3d56 Finished request 462. Going to the next request Waking up in 0.2 seconds. rad_recv: Access-Request packet from host 111.222.333.444 port 1645, id=197, length=400 User-Name = "CP-7841-SEPDCEB94CF21FA" Service-Type = Framed-User Cisco-AVPair = "service-type=Framed" Framed-MTU = 9216 Called-Station-Id = "84-80-2D-47-CC-0D" Calling-Station-Id = "DC-EB-94-CF-21-FA" EAP-Message = 0x0202007c0d8000000072160301006d01000069030356539e2e932132392e6c3258b6c47c4cddf0a003025e7f3c1f10a5343859e06100000ac030c02f0035002f00ff01000036000b000403000102000a000a00080019001800170013000d001c001a0000040105010601030102010101020204030503060303030203 Message-Authenticator = 0x18e2f1ae2927b7a72c339b23a9c4dc55 Cisco-AVPair = "audit-session-id=C1AB9E16000003C10E2DC71C" Cisco-AVPair = "method=dot1x" NAS-IP-Address = 111.222.333.444 NAS-Port = 60000 NAS-Port-Id = "GigabitEthernet117/2/0/13" NAS-Port-Type = Ethernet State = 0x77057cce7707711b016ba7ac0a5a3d56 server v_dot1x { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/v_dot1x +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail.log -> /var/log/radacct/111.222.333.444/auth-detail.log [auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail.log expands to /var/log/radacct/111.222.333.444/auth-detail.log [auth_log] expand: %t -> Mon Jul 20 09:52:55 2015 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "CP-7841-SEPDCEB94CF21FA", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "CP-7841-SEPDCEB94CF21FA" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap-v_dot1x] EAP packet type response id 2 length 124 [eap-v_dot1x] No EAP Start, assuming it's an on-going EAP conversation ++[eap-v_dot1x] returns updated rlm_dbm: try open database file: /usr/local/etc/raddb/users-dot1x_dbm rlm_dbm: Call parse_user: sm_parse_user.c: check for loops Add CP-7841-SEPDCEB94CF21FA to user list sm_parse_user: start parsing: user: CP-7841-SEPDCEB94CF21FA parse buffer: <<>> rlm_dbm: recod parsed process pattern rlm_dbm: Pattern matched, look for request parse buffer: <<Cisco-AVPair = "device-traffic-class=voice", Cisco-AVPair += "subscriber:service-name=PHONES">> rlm_dbm: recod parsed rlm_dbm: Reply found Remove CP-7841-SEPDCEB94CF21FA from user list ++[users-dot1x] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = eap-v_dot1x # Executing group from file /usr/local/etc/raddb/sites-enabled/v_dot1x +- entering group authenticate {...} [eap-v_dot1x] Request found, released from the list [eap-v_dot1x] EAP/tls [eap-v_dot1x] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 114 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 006d], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 0031], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 121f], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 0207], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap-v_dot1x] returns handled } # server v_dot1x Sending Access-Challenge of id 197 to 111.222.333.444 port 1645 Cisco-AVPair = "device-traffic-class=voice" Cisco-AVPair += "subscriber:service-name=PHONES" EAP-Message = 0x010304000dc00000146616030100310200002d030155aca8d7e81b8b3da4c459be39a8dde18295a38a91bea822ec2cfcb78fa0822a000035000005ff01000100160301121f0b00121b0012180004f6308204f2308203daa003020102021023c7cef71fc211363fa31e717c9041e2300d06092a864886f70d01010505003036310b3009060355040613024e4c310f300d060355040a1306544552454e41311630140603550403130d544552454e412053534c204341301e170d3132313231303030303030305a170d3135313231303233353935395a3079310b300906035504061302415431323030060355040a1329566f7261726c6265726720556e69 EAP-Message = 0x76657273697479206f66204170706c69656420536369656e636573311d301b060355040b1314496e666f726d6174696f6e205365727669636573311730150603550403130e656475726f616d2e6668762e617430820122300d06092a864886f70d01010105000382010f003082010a0282010100b8a1cd6fb3a2c64e4a7c3a29878251f475c356197216a9a0d64e6398307f32ec33f9a84023a5befde1346fc273ff4d1bd10b3f7a694fc3181a7d3a042ec3f5c427653b2e2c274e574c90104d8b843f10d8eb1ea2bf50b773bd9a77d763a6d15b4cd3e7d486a1c23ad515d2b3ab82b87bd89cfc42ee7fade1c3c7ba56d7111fdc7e0d0ab7f320a949e8 EAP-Message = 0xe25d905dba11fab8b46a50b79ba2bf96d5946f6ecbe27b098b6b9db9e6d9eb6d4c70498b463e0f9ed841d353fd1c5241d1b1d53bfaabadd6f3f318af047b090ecd4bdc2e66922e437fe91e241f0943b5fa16cbc27d60cb54e3120fcc0917e0c2fd13247eb33d09d22ebdafad9eb7e705ecc2e77866a4c90203010001a38201b7308201b3301f0603551d230418301680140cbd93680cf3deaba3496b2b375747ea90e3b9ed301d0603551d0e041604146ec40797cfbd94fb36d92f764970563218f4d65a300e0603551d0f0101ff0404030205a0300c0603551d130101ff04023000301d0603551d250416301406082b0601050507030106082b060105 EAP-Message = 0x0507030230180603551d200411300f300d060b2b06010401b2310102021d303a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e7463732e746572656e612e6f72672f544552454e4153534c43412e63726c306d06082b060105050701010461305f303506082b060105050730028629687474703a2f2f6372742e7463732e746572656e612e6f72672f544552454e4153534c43412e637274302606082b06010505073001861a687474703a2f2f6f6373702e7463732e746572656e612e6f7267306f0603551d1104683066820e656475726f616d2e6668762e6174820f656475726f616d312e6668762e6174820f656475726f61 EAP-Message = 0x6d322e6668762e6174821872 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x77057cce7606711b016ba7ac0a5a3d56 Finished request 463. Going to the next request Waking up in 0.1 seconds. rad_recv: Access-Request packet from host 111.222.333.444 port 1645, id=198, length=282 User-Name = "CP-7841-SEPDCEB94CF21FA" Service-Type = Framed-User Cisco-AVPair = "service-type=Framed" Framed-MTU = 9216 Called-Station-Id = "84-80-2D-47-CC-0D" Calling-Station-Id = "DC-EB-94-CF-21-FA" EAP-Message = 0x020300060d00 Message-Authenticator = 0x33e76f51ba9e31652e48e06e41fa52dd Cisco-AVPair = "audit-session-id=C1AB9E16000003C10E2DC71C" Cisco-AVPair = "method=dot1x" NAS-IP-Address = 111.222.333.444 NAS-Port = 60000 NAS-Port-Id = "GigabitEthernet117/2/0/13" NAS-Port-Type = Ethernet State = 0x77057cce7606711b016ba7ac0a5a3d56 server v_dot1x { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/v_dot1x +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radacct/%{Client-IP-Address}/auth-detail.log -> /var/log/radacct/111.222.333.444/auth-detail.log [auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail.log expands to /var/log/radacct/111.222.333.444/auth-detail.log [auth_log] expand: %t -> Mon Jul 20 09:52:55 2015 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "CP-7841-SEPDCEB94CF21FA", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "CP-7841-SEPDCEB94CF21FA" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap-v_dot1x] EAP packet type response id 3 length 6 [eap-v_dot1x] No EAP Start, assuming it's an on-going EAP conversation ++[eap-v_dot1x] returns updated rlm_dbm: try open database file: /usr/local/etc/raddb/users-dot1x_dbm rlm_dbm: Call parse_user: sm_parse_user.c: check for loops Add CP-7841-SEPDCEB94CF21FA to user list sm_parse_user: start parsing: user: CP-7841-SEPDCEB94CF21FA parse buffer: <<>> rlm_dbm: recod parsed process pattern rlm_dbm: Pattern matched, look for request parse buffer: <<Cisco-AVPair = "device-traffic-class=voice", Cisco-AVPair += "subscriber:service-name=PHONES">> rlm_dbm: recod parsed rlm_dbm: Reply found Remove CP-7841-SEPDCEB94CF21FA from user list ++[users-dot1x] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = eap-v_dot1x # Executing group from file /usr/local/etc/raddb/sites-enabled/v_dot1x +- entering group authenticate {...} [eap-v_dot1x] Request found, released from the list [eap-v_dot1x] EAP/tls [eap-v_dot1x] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap-v_dot1x] returns handled } # server v_dot1x Sending Access-Challenge of id 198 to 111.222.333.444 port 1645 Cisco-AVPair = "device-traffic-class=voice" Cisco-AVPair += "subscriber:service-name=PHONES" EAP-Message = 0x010404000dc0000014666164697573312d656475726f616d2e75636c762e6e65748218726164697573322d656475726f616d2e75636c762e6e6574300d06092a864886f70d010105050003820101004289ca0d398d3b5945da6a7c12bf1920a2d63b412da2f57719e5174b9c72d8fb85ab3882caa212b2b3f4bfb324264d438100aecff461287ed584de2830549266e64ae6e0238b21e98a6e7fa3807c5571a280d2dea3f5a6275377438b39b89a962071dc78f5e5eb6c8bd42e489a9ee590c66a7d8d9f26271007433e9b2c986e1d438a6b5c933f4c4302c8a562654bb62f00d27970cb819d9e1396eabe9b5496cfbe7224254527d137987300d929bf EAP-Message = 0xd9b6693867ee7e6834347fb7b988c0520c90b8b9e9ed17100118f16880d09d3f95ddcf3a91e8ea44874edec2772001baaab3f8e8b4fb0b2ee338f3a0b7ed3b4d8665cf6e11ac7b05848c9444b973b060ab2600049c3082049830820380a00302010202104bc814032f07fa6aa4f0da29df6179ba300d06092a864886f70d0101050500308197310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d31 EAP-Message = 0x1f301d0603550403131655544e2d5553455246697273742d4861726477617265301e170d3039303531383030303030305a170d3230303533303130343833385a3036310b3009060355040613024e4c310f300d060355040a1306544552454e41311630140603550403130d544552454e412053534c20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c3e348c42f5cc1cba999fd1ba2835d8a3dad3ad0e2a4431f4d0efe352530a5691bc4e8e5c18f547ee16aa29a5c5cde3dfc02ce96b85f8f835bcc604090f8e4b63a259c5f1451ecb1e7af9e50a13155c702bdac528a7f358e82fa84ad15fea27f83103a55 EAP-Message = 0x53942c01167494546328a3f25b293d94888020e214592119b4a498e160e6f2eba2808343e0ad68f379198b6843513f8a9b41850c358c5db5f1b6e5a7c383b56b236fd4a5eb50e594f14a5fee274b141215244c0dcf628db70021ad3a320f580b5f1e9bd1df9d8ea91935502f41a9ad3bc6e045b253397f21bf221a875c34ae526f077da20b4e9f2b79a67d13ddf57f837c2f5a5d77787891a014bf7d0203010001a382013e3082013a301f0603551d23041830168014a1725f261b289843955d0737d585969d4bd2c345301d0603551d0e041604140cbd93680cf3deaba3496b2b375747ea90e3b9ed300e0603551d0f0101ff04040302010630120603 EAP-Message = 0x551d130101ff040830060101 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x77057cce7501711b016ba7ac0a5a3d56 Finished request 464. Going to the next request
hi,
I’m trying to authenticate a Cisco IP Phone with 802.1X EAP-TLS. I added the Cisco root certs to the CA file and the CN name from the phone’s cert to the users file.
dont need to do that - its EAP-TLS - so long as the server likes the client cert (use OSCP, CRL or the EAP-TLS-CHECK module if you wish to change access-accept policies. so long as the client has a cert known/trusted by the server...and the server has a cert from same CA and knows/trusts the CA, this pretty much works out of the box. reasons it might not work? usually its because the client has the wrong time - thus the cert isnt valid yet...or has expired..usually the former alan
thanks alan. it’s not freeradius related but might be interesting: EAP-TLS is working with a Cisco 7841 (v03) but not working with the 7841 (v04)…? so if someone has experience with that kind of phone it would be interesting. chris
On 20 Jul 2015, at 10:55 , Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
hi,
I’m trying to authenticate a Cisco IP Phone with 802.1X EAP-TLS. I added the Cisco root certs to the CA file and the CN name from the phone’s cert to the users file.
dont need to do that - its EAP-TLS - so long as the server likes the client cert (use OSCP, CRL or the EAP-TLS-CHECK module if you wish to change access-accept policies.
so long as the client has a cert known/trusted by the server...and the server has a cert from same CA and knows/trusts the CA, this pretty much works out of the box.
reasons it might not work? usually its because the client has the wrong time - thus the cert isnt valid yet...or has expired..usually the former
alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan Buxey -
Christian Bösch