multiple Certificate Authority
kas mataz
kaszmat at hotmail.com
Thu Aug 28 19:35:11 CEST 2008
Due to the acquisition of several companies, we now need to support multiple Certificate Authorities.
Wireless is successful in v2.0.5 using EAP-TLS with one eap instance for Company1, but when
I add a second eap instance for Company2, eap fails for Company1.
Is there a means to evaluate the certificate Issuer in the early part of the conversation using an unlang statement?
Is there a specific key word to use for the certificate issuer?
It seems like the configuration needs just a few changes to be successful.
rad_recv: Access-Request packet from host 10.252.255.18 port 32770, id=37, length=1507
User-Name = "Test User (Company 1)"
Calling-Station-Id = "00-13-CE-DD-D4-85"
Called-Station-Id = "00-0A-85-65-3E-80:WIFI3D"
NAS-Port = 29
NAS-IP-Address = 10.252.255.18
NAS-Identifier = "wc-05"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "798"
EAP-Message = 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
EAP-Message = 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
EAP-Message = 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
EAP-Message = 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
EAP-Message = 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
EAP-Message = 0xfaa0905d8a278e3e6cbf563aa4ff516825708a612fd32bbd672373f61ac45934
State = 0x4edb29434bc424a7b8988b8f343c1e87
Message-Authenticator = 0x0a71963cc3baec5c6ac16ecbaaea6bb0
+- entering group authorize
++[preprocess] returns ok
rlm_realm: No '@' in User-Name = "Test User (Company 1)", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_ldap: Entering ldap_groupcmp()
expand: dc=external -> dc=external
expand: (uid=%u) -> (uid=Test User \28Company 1\29)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=external, with filter (uid=Test User \28Company 1\29)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[files] returns noop
expand: %{Huntgroup-Name} -> WIRELESS
++- entering switch %{Huntgroup-Name}
+++- entering case WIRELESS
rlm_eap: EAP packet type response id 31 length 253
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++++[eap_company1] returns updated
rlm_eap: EAP packet type response id 31 length 253
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++++[eap_useram] returns updated
rlm_eap: EAP packet type response id 31 length 253
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
+++- case WIRELESS returns updated
++- switch %{Huntgroup-Name} returns updated
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-13-CE-DD-D4-85
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound
++[expiration] returns noop
rad_check_password: Found Auth-Type eap_company1
rad_check_password: Found Auth-Type eap_company2
Warning: Found 2 auth-types on request for user 'Test User (Company 1)'
auth: type "eap_company2"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
TLS Length 1287
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 03cb], Certificate
chain-depth=1,
error=0
--> User-Name = Test User (Company 1)
--> BUF-Name = Company1 Global CA
--> subject = /C=US/ST=State/L=City/O=Company1/OU=Unit/CN=Company1 Global CA
--> issuer = /C=US/ST=State/L=City/O=Company1/OU=Unit/CN=Company1 Global CA
--> verify return:1
rlm_eap_tls: Certificate issuer (/C=US/ST=State/L=City/O=Company1/OU=Unit/CN=Company1 Global CA) does not match specified value (/O=Parent-company/O=Child-company/OU=Division/CN=Company2 User CA PS)!
chain-depth=0,
error=0
--> User-Name = Test User (Company 1)
--> BUF-Name = Test User (Company 1)
--> subject = /O=company1.com/OU=us/L=am/CN=Test User (Company 1)/emailAddress=Test.User at company1.com/UID=tuser
--> issuer = /C=US/ST=State/L=City/O=Company1/OU=Unit/CN=Company1 Global CA
--> verify return:0
rlm_eap_tls:>>> TLS 1.0 Alert [length 0002], fatal certificate_unknown
TLS Alert write:fatal:certificate unknown
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
eaptls_process returned 13
rlm_eap: Freeing handler
++[eap_company2] returns reject
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> Test User (Company 1)
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 37 to 10.252.255.18 port 32770
EAP-Message = 0x041f0004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 1647.
Going to the next request
../etc/raddb/sites-available/default
# Virtual server "default" (sites-available/default) as posted.
# NOTE(review): in the debug trace for this request both eap_company1 and
# eap_company2 run inside "case WIRELESS" and each returns "updated"; the
# server then reports "Found 2 auth-types" and uses eap_company2 for a
# Company1 user, whose certificate eap_company2 rejects because its
# check_cert_issuer is pinned to the Company2 CA. In that trace the issuer
# of the client certificate only becomes visible in the rlm_eap_tls output
# of the authenticate section, i.e. after Auth-Type has already been chosen
# here — so an unlang test on the issuer in authorize presumably cannot
# select between the two instances; confirm against the rlm_eap
# documentation for the running version (2.0.5).
authorize {
    preprocess
    suffix
    files
    switch "%{Huntgroup-Name}" {
        case HARDWARE1 {
            internal-uid
        }
        case HARDWARE2 {
            internal-mail
        }
        case HARDWARE3 {
            external-uid
        }
        case WIRELESS {
            # Both eap instances set Auth-Type on the same request; the trace
            # shows the second-listed one (eap_company2) is the one used,
            # regardless of which CA issued the client certificate.
            eap_company1
            eap_company2
        }
    }
    checkval
    expiration
}
authenticate {
    internal-uid
    internal-mail
    external-uid
    # Only the instance named in Auth-Type runs here (see authorize above).
    eap_company1
    eap_company2
}
preacct {
    preprocess
    acct_unique
    suffix
}
accounting {
    detail
    radutmp
    attr_filter.accounting_response
}
session {
    radutmp
}
post-auth {
    exec
    # Strips attributes from the Access-Reject; the trace shows it matching
    # the DEFAULT entry before the reject is sent.
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
pre-proxy {
}
post-proxy {
}
../modules/eap_company1
# EAP instance for Company1 users (modules/eap_company1).
eap eap_company1 {
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        # Empty: the server private key below is expected to be unencrypted
        # on disk, so its file permissions are the only protection it has.
        private_key_password =
        private_key_file = ${certdir}/radius-co1.server.com.key
        certificate_file = ${certdir}/radius-co1.server.com.pem
        # Trust anchor for client certificates presented to this instance.
        CA_file = ${cadir}/company1.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        fragment_size = 1024
        # NOTE(review): with check_crl = yes the revocation lists are looked
        # up via CA_path; they need to be present there (OpenSSL hashed-name
        # form) or otherwise valid certificates will fail verification —
        # confirm the CRL files are in place.
        check_crl = yes
        CA_path = /opt/freeradius/etc/raddb/certs
        # Pins the client certificate's issuer DN; this value matches the
        # issuer printed in the trace for the Company1 user's certificate.
        check_cert_issuer = "/C=US/ST=State/L=City/O=Company1/OU=Unit/CN=Company1 Global CA"
        # Client certificate CN must equal the User-Name of the request
        # (in the trace both are "Test User (Company 1)").
        check_cert_cn = %{User-Name}
        cipher_list = "DEFAULT"
    }
    copy_request_to_tunnel = no
}
../modules/eap_company2
# EAP instance for Company2 users (modules/eap_company2).
# NOTE(review): in the posted trace this is the instance that ends up
# handling the Company1 user ("auth: type eap_company2"), and its
# check_cert_issuer below is the "specified value" that the Company1 client
# certificate fails to match, producing the certificate_unknown alert and
# the Access-Reject. The instance itself looks consistent; the problem is
# which instance gets selected (see the authorize section of the site).
eap eap_company2 {
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        # Empty: the server private key below is expected to be unencrypted
        # on disk, so its file permissions are the only protection it has.
        private_key_password =
        private_key_file = ${certdir}/radius-co2.server.key
        certificate_file = ${certdir}/radius-co2.server.pem
        # Trust anchor for client certificates presented to this instance;
        # the file name suggests a chain (parent + child CA) — verify it
        # holds every CA needed to build the Company2 user chain.
        CA_file = ${cadir}/chain-company2.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        fragment_size = 1024
        # NOTE(review): with check_crl = yes the revocation lists are looked
        # up via CA_path; they need to be present there (OpenSSL hashed-name
        # form) or otherwise valid certificates will fail verification —
        # confirm the CRL files are in place.
        check_crl = yes
        CA_path = /opt/freeradius/etc/raddb/certs
        # Pins the client certificate's issuer DN to the Company2 user CA.
        check_cert_issuer = "/O=Parent-company/O=Child-company/OU=Division/CN=Company2 User CA PS"
        # Client certificate CN must equal the User-Name of the request.
        check_cert_cn = %{User-Name}
        cipher_list = "DEFAULT"
    }
    copy_request_to_tunnel = no
}
Regards,
Kas