Certificate Properties.

Andrew Olson anolson at gmail.com
Mon May 5 16:27:49 CEST 2008


On Mon, May 5, 2008 at 9:48 AM, Alan DeKok <aland at deployingradius.com> wrote:
> Andrew Olson wrote:
>  > Is it safe to assume that the config below is correct?  If so, is FR
>  > just not behaving in the manner that I expect.
>
>   I suggest tracing execution to see what it's doing, and why.
>

Here is the pertinent part of the trace output.  As you can see I am
able to parse the Cert SN and put it back on the request.  However, my
perl module never gets called in authenticate.  Is this because eap
returns handled?  If not, is this a bug/feature?  Maybe someone can
explain.

Thanks again,
Andrew


Waking up in 4.6 seconds.
        User-Name = "anolson"
        Framed-MTU = 1400
        Called-Station-Id = "0017.0fdf.c600"
        Calling-Station-Id = "0018.deb3.5e5c"
        Cisco-AVPair = "ssid=ANDREW_LAN"
        Service-Type = Login-User
        Message-Authenticator = 0x3eddf4e0408c74279b1bf0c90f17d90c
        EAP-Message =
        EAP-Message =
0x140301000101160301002038b4b73a0064fffa192447f8343e4db08cfbb94092e8c7824af742a89102dc98
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "21961"
        NAS-Port = 21961
        State = 0x20bb0b6025b30687e24095e89d3b3f84
        NAS-IP-Address = 128.173.9.86
        NAS-Identifier = "R14-AP at 128.173.9.86"
+- entering group authorize
++[mschap] returns noop
  rlm_eap: EAP packet type response id 8 length 253
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group EAP
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0afa], Certificate
chain-depth=2,
error=0
--> User-Name = anolson
--> BUF-Name = ô?ηf$Å¿??Å¿ý?Á·<?Å¿h?Å¿f$Å¿?%Å¿ô?η<?Å¿h?Å¿(?Å¿ô¤À·<?Å¿?!???%Å¿h?Å¿
--> subject = /DC=edu/DC=vt/DC=cns/C=US/ST=Virginia/L=Blacksburg/O=Virginia Tech Communications Network Services/OU=Research and Development Root CA
--> issuer  = /DC=edu/DC=vt/DC=cns/C=US/ST=Virginia/L=Blacksburg/O=Virginia Tech Communications Network Services/OU=Research and Development Root CA
--> verify return:1
chain-depth=1,
error=0
--> User-Name = anolson
--> BUF-Name = ô?ηf$Å¿??Å¿ý?Á·<?Å¿h?Å¿f$Å¿?%Å¿ô?η<?Å¿h?Å¿(?Å¿ô¤À·<?Å¿?!???%Å¿h?Å¿
--> subject = /C=US/ST=Virginia/L=Blacksburg/O=Virginia Tech Communications Network Services/OU=Research and Development Remote Access CA/DC=edu/DC=vt/DC=cns/serialNumber=3
--> issuer  = /DC=edu/DC=vt/DC=cns/C=US/ST=Virginia/L=Blacksburg/O=Virginia Tech Communications Network Services/OU=Research and Development Root CA
--> verify return:1
Adding Cert SN to request -> 1
Added Cert SN to request
        expand: %{User-Name} -> anolson
    rlm_eap_tls: checking certificate CN (anolson) with xlat'ed value (anolson)
chain-depth=0,
error=0
--> User-Name = anolson
--> BUF-Name = anolson
--> subject = /CN=anolson
--> issuer  = /C=US/ST=Virginia/L=Blacksburg/O=Virginia Tech Communications Network Services/OU=Research and Development Remote Access CA/DC=edu/DC=vt/DC=cns/serialNumber=3
--> verify return:1
    TLS_accept: SSLv3 read client certificate A
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify
    TLS_accept: SSLv3 read certificate verify A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
++[eap] returns handled
        EAP-Message =
0x010900350d800000002b140301000101160301002077887a2e41256c9e6b5b1af900d1da1b0cab25ba320348e52fe15c9a5ff56437
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x20bb0b6026b20687e24095e89d3b3f84
Finished request 7.
Going to the next request





>
>
>   Alan DeKok.
>
>  -
>  List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
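The trace above is the kind of thing you end up reading by hand: which module's return code ended the section, and whether the certificate chain that rlm_eap_tls printed actually links up. The script below is an added example, not code from the post or from the FreeRADIUS project. It parses a short trace constructed from the lines above (DNs shortened, same structure), applies FreeRADIUS's default action table, in which handled, like fail, reject, invalid and userlock, returns from the enclosing section immediately, and reports which configured modules were therefore never reached. The module order CONFIGURED_EAP = ["eap", "perl"] is an assumption about the poster's config, since the trace itself does not show it.

```python
"""Diagnose a FreeRADIUS 2.x debug trace: which module ended a section, and
whether the EAP-TLS certificate chain printed by rlm_eap_tls hangs together.
Added example; not FreeRADIUS code."""
import re

# FreeRADIUS default action table: a module returning one of these codes makes
# the enclosing section return at once, so later modules in it never run.
STOP_RCODES = {"fail", "reject", "handled", "invalid", "userlock"}

# Assumed module order inside the poster's Auth-Type EAP section (not in trace).
CONFIGURED_EAP = ["eap", "perl"]

SECTION_RE = re.compile(r"^\+- entering group (\S+)")     # top-level sections only
MODULE_RE = re.compile(r"^\+\+\[(\w+)\] returns (\w+)")
DEPTH_RE = re.compile(r"^chain-depth=(\d+),")
ERROR_RE = re.compile(r"^error=(\d+)")
NAME_RE = re.compile(r"^--> (subject|issuer)\s*=\s*(.*)$")
VERIFY_RE = re.compile(r"^--> verify return:(\d+)")

# Constructed sample, shaped like the trace in the post with shortened DNs.
SAMPLE_TRACE = """\
+- entering group authorize
++[mschap] returns noop
++[eap] returns updated
  rad_check_password:  Found Auth-Type EAP
+- entering group EAP
chain-depth=2,
error=0
--> subject = /DC=edu/O=Example/OU=Root CA
--> issuer  = /DC=edu/O=Example/OU=Root CA
--> verify return:1
chain-depth=1,
error=0
--> subject = /DC=edu/O=Example/OU=Remote Access CA
--> issuer  = /DC=edu/O=Example/OU=Root CA
--> verify return:1
chain-depth=0,
error=0
--> subject = /CN=anolson
--> issuer  = /DC=edu/O=Example/OU=Remote Access CA
--> verify return:1
++[eap] returns handled
""".splitlines()


def parse_sections(lines):
    """Return {section: [(module, rcode), ...]} from the '+-' / '++[' lines."""
    sections, current = {}, None
    for line in lines:
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = MODULE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2)))
    return sections


def first_stop(calls):
    """Name the first module whose rcode ends the section, or None."""
    for module, rcode in calls:
        if rcode in STOP_RCODES:
            return module
    return None


def skipped_modules(calls, configured):
    """Modules listed after the stopping module in the configured order."""
    stop = first_stop(calls)
    if stop is None or stop not in configured:
        return []
    return configured[configured.index(stop) + 1:]


def parse_cert_chain(lines):
    """One record per 'chain-depth=' block: depth, error, subject, issuer, verify."""
    chain, rec = [], None
    for line in lines:
        m = DEPTH_RE.match(line)
        if m:
            rec = {"depth": int(m.group(1))}
            chain.append(rec)
            continue
        if rec is None:
            continue
        if (m := ERROR_RE.match(line)):
            rec["error"] = int(m.group(1))
        elif (m := NAME_RE.match(line)):
            rec[m.group(1)] = m.group(2).strip()
        elif (m := VERIFY_RE.match(line)):
            rec["verify"] = int(m.group(1))
    return chain


def chain_consistent(chain):
    """Every depth verified (error 0, verify 1), a leaf at depth 0 exists,
    each issuer equals the subject one depth up, and the top is self-signed."""
    by_depth = {c["depth"]: c for c in chain}
    if 0 not in by_depth:
        return False
    for c in chain:
        if c.get("error") != 0 or c.get("verify") != 1:
            return False
        parent = by_depth.get(c["depth"] + 1)
        if parent is None and c["issuer"] != c["subject"]:
            return False
        if parent is not None and c["issuer"] != parent["subject"]:
            return False
    return True


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_TRACE)
    for name, calls in secs.items():
        print(name, calls, "stops at:", first_stop(calls))
    print("never reached in EAP:", skipped_modules(secs["EAP"], CONFIGURED_EAP))
    print("chain consistent:", chain_consistent(parse_cert_chain(SAMPLE_TRACE)))
```

Run against the constructed sample, the authorize section stops nowhere (noop and updated just set a priority), while the EAP section stops at eap because it returned handled, so under the assumed order perl is reported as never reached. The chain check is worth keeping around: it catches a trace where depth 0 verifies but an intermediate does not, or where the issuer printed at one depth does not match the subject printed at the next.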



