Alternate server certificate
Garber, Neal
Neal.Garber at energyeast.com
Fri Jul 24 19:35:21 CEST 2009
>> - Have two instances of the EAP module (one for
>> internal SSIDs and one for guest) and select
>> which one to use with some unlang code (based upon
>> the value of 1 request attribute)
>
>That should work.
I'm having trouble getting this to work. I added
the following to my authorize section:
# Extract SSID into SSID-Name attribute
if (Cisco-AVPair =~ /ssid=(.*)/) {
    update request {
        SSID-Name = "%{1}"
    }
}
# Select appropriate EAP instance
if (SSID-Name) {
    if (SSID-Name == "XX-Barcode") {
        eap-internal
    }
    elsif (SSID-Name == "EE-Barcode") {
        eap-internal
    }
    else {
        eap-comodo
    }
}
else {
    eap-comodo
}
I have two instances in modules/eap that are identical
except for the certificate_file and key_file. When I
try to connect, I see the following in the debug output
(I can provide more if needed, but I think this will
illustrate what's happening). I then tried using the
same certificate & key file and still received the same
error:
Fri Jul 24 12:25:27 2009 : Info: ++? if (SSID-Name)
Fri Jul 24 12:25:27 2009 : Info: ? Evaluating (SSID-Name) -> FALSE
Fri Jul 24 12:25:27 2009 : Info: ++? if (SSID-Name) -> FALSE
Fri Jul 24 12:25:27 2009 : Info: ++- entering else else {...}
Fri Jul 24 12:25:27 2009 : Info: [eap-comodo] EAP packet type response id 2 length 18
Fri Jul 24 12:25:27 2009 : Info: [eap-comodo] No EAP Start, assuming it's an on-going EAP conversation
Fri Jul 24 12:25:27 2009 : Info: +++[eap-comodo] returns fail
Fri Jul 24 12:25:27 2009 : Info: ++- else else returns fail
Fri Jul 24 12:25:27 2009 : Auth: Invalid user: [BGAS\\xxxxxxxx] (from client abcd1-ab-wc01 port 1 cli 00-16-6F-16-F5-64)
Fri Jul 24 12:25:27 2009 : Info: Using Post-Auth-Type Reject
Fri Jul 24 12:25:27 2009 : Info: +- entering group REJECT {...}
So, what causes the eap module to return "fail"? There are no
other messages indicating why it is failing (that I see). Here's
output at startup showing that both were instantiated:
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-internal
Fri Jul 24 12:25:18 2009 : Debug: eap eap-internal {
Fri Jul 24 12:25:18 2009 : Debug: default_eap_type = "peap"
Fri Jul 24 12:25:18 2009 : Debug: timer_expire = 60
Fri Jul 24 12:25:18 2009 : Debug: ignore_unknown_eap_types = no
Fri Jul 24 12:25:18 2009 : Debug: cisco_accounting_username_bug = no
Fri Jul 24 12:25:18 2009 : Debug: max_sessions = 2048
Fri Jul 24 12:25:18 2009 : Debug: }
Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to sub-module rlm_eap_leap
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-leap
Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to sub-module rlm_eap_tls
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-tls
Fri Jul 24 12:25:18 2009 : Debug: tls {
Fri Jul 24 12:25:18 2009 : Debug: rsa_key_exchange = no
Fri Jul 24 12:25:18 2009 : Debug: dh_key_exchange = yes
Fri Jul 24 12:25:18 2009 : Debug: rsa_key_length = 512
Fri Jul 24 12:25:18 2009 : Debug: dh_key_length = 512
Fri Jul 24 12:25:18 2009 : Debug: verify_depth = 0
Fri Jul 24 12:25:18 2009 : Debug: pem_file_type = yes
Fri Jul 24 12:25:18 2009 : Debug: private_key_file = "/usr/local/etc/raddb/certs/ra01-roch1-tst-internal.pem"
Fri Jul 24 12:25:18 2009 : Debug: certificate_file = "/usr/local/etc/raddb/certs/ra01-roch1-tst-internal.pem"
Fri Jul 24 12:25:18 2009 : Debug: private_key_password = "xxxxxxxx"
Fri Jul 24 12:25:18 2009 : Debug: dh_file = "/usr/local/etc/raddb/certs/dh"
Fri Jul 24 12:25:18 2009 : Debug: random_file = "/usr/local/etc/raddb/certs/random"
Fri Jul 24 12:25:18 2009 : Debug: fragment_size = 1024
Fri Jul 24 12:25:18 2009 : Debug: include_length = yes
Fri Jul 24 12:25:18 2009 : Debug: check_crl = no
Fri Jul 24 12:25:18 2009 : Debug: cipher_list = "DEFAULT"
Fri Jul 24 12:25:18 2009 : Debug: }
Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to sub-module rlm_eap_peap
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-peap
Fri Jul 24 12:25:18 2009 : Debug: peap {
Fri Jul 24 12:25:18 2009 : Debug: default_eap_type = "mschapv2"
Fri Jul 24 12:25:18 2009 : Debug: copy_request_to_tunnel = yes
Fri Jul 24 12:25:18 2009 : Debug: use_tunneled_reply = no
Fri Jul 24 12:25:18 2009 : Debug: proxy_tunneled_request_as_eap = yes
Fri Jul 24 12:25:18 2009 : Debug: virtual_server = "inner-tunnel"
Fri Jul 24 12:25:18 2009 : Debug: }
Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to sub-module rlm_eap_mschapv2
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-mschapv2
Fri Jul 24 12:25:18 2009 : Debug: mschapv2 {
Fri Jul 24 12:25:18 2009 : Debug: with_ntdomain_hack = no
Fri Jul 24 12:25:18 2009 : Debug: }
Fri Jul 24 12:25:18 2009 : Debug: Module: Checking authorize {...} for more modules to load
Fri Jul 24 12:25:18 2009 : Debug: (Loaded rlm_preprocess, checking if it's valid)
Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to module rlm_preprocess
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating preprocess
Fri Jul 24 12:25:18 2009 : Debug: preprocess {
Fri Jul 24 12:25:18 2009 : Debug: huntgroups = "/usr/local/etc/raddb/huntgroups"
Fri Jul 24 12:25:18 2009 : Debug: hints = "/usr/local/etc/raddb/hints"
Fri Jul 24 12:25:18 2009 : Debug: with_ascend_hack = no
Fri Jul 24 12:25:18 2009 : Debug: ascend_channels_per_line = 23
Fri Jul 24 12:25:18 2009 : Debug: with_ntdomain_hack = no
Fri Jul 24 12:25:18 2009 : Debug: with_specialix_jetstream_hack = no
Fri Jul 24 12:25:18 2009 : Debug: with_cisco_vsa_hack = yes
Fri Jul 24 12:25:18 2009 : Debug: with_alvarion_vsa_hack = no
Fri Jul 24 12:25:18 2009 : Debug: }
Fri Jul 24 12:25:18 2009 : Debug: (Loaded rlm_realm, checking if it's valid)
Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to module rlm_realm
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating ntdomain
Fri Jul 24 12:25:18 2009 : Debug: realm ntdomain {
Fri Jul 24 12:25:18 2009 : Debug: format = "prefix"
Fri Jul 24 12:25:18 2009 : Debug: delimiter = "\"
Fri Jul 24 12:25:18 2009 : Debug: ignore_default = no
Fri Jul 24 12:25:18 2009 : Debug: ignore_null = no
Fri Jul 24 12:25:18 2009 : Debug: }
Fri Jul 24 12:25:18 2009 : Debug: (Loaded rlm_attr_rewrite, checking if it's valid)
Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to module rlm_attr_rewrite
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating machine_UserName
Fri Jul 24 12:25:18 2009 : Debug: attr_rewrite machine_UserName {
Fri Jul 24 12:25:18 2009 : Debug: attribute = "User-Name"
Fri Jul 24 12:25:18 2009 : Debug: searchfor = "^host/(.*).energyeast.net"
Fri Jul 24 12:25:18 2009 : Debug: searchin = "packet"
Fri Jul 24 12:25:18 2009 : Debug: replacewith = "%{1}$"
Fri Jul 24 12:25:18 2009 : Debug: append = no
Fri Jul 24 12:25:18 2009 : Debug: ignore_case = yes
Fri Jul 24 12:25:18 2009 : Debug: new_attribute = no
Fri Jul 24 12:25:18 2009 : Debug: max_matches = 1
Fri Jul 24 12:25:18 2009 : Debug: }
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-comodo
Fri Jul 24 12:25:18 2009 : Debug: eap eap-comodo {
Fri Jul 24 12:25:18 2009 : Debug: default_eap_type = "peap"
Fri Jul 24 12:25:18 2009 : Debug: timer_expire = 60
Fri Jul 24 12:25:18 2009 : Debug: ignore_unknown_eap_types = no
Fri Jul 24 12:25:18 2009 : Debug: cisco_accounting_username_bug = no
Fri Jul 24 12:25:18 2009 : Debug: max_sessions = 2048
Fri Jul 24 12:25:18 2009 : Debug: }
Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to sub-module rlm_eap_leap
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-leap
Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to sub-module rlm_eap_tls
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-tls
Fri Jul 24 12:25:18 2009 : Debug: tls {
Fri Jul 24 12:25:18 2009 : Debug: rsa_key_exchange = no
Fri Jul 24 12:25:18 2009 : Debug: dh_key_exchange = yes
Fri Jul 24 12:25:18 2009 : Debug: rsa_key_length = 512
Fri Jul 24 12:25:18 2009 : Debug: dh_key_length = 512
Fri Jul 24 12:25:18 2009 : Debug: verify_depth = 0
Fri Jul 24 12:25:18 2009 : Debug: pem_file_type = yes
Fri Jul 24 12:25:18 2009 : Debug: private_key_file = "/usr/local/etc/raddb/certs/ra01-roch1-tst-internal.pem"
Fri Jul 24 12:25:18 2009 : Debug: certificate_file = "/usr/local/etc/raddb/certs/ra01-roch1-tst-internal.pem"
Fri Jul 24 12:25:18 2009 : Debug: private_key_password = "xxxxxxxx"
Fri Jul 24 12:25:18 2009 : Debug: dh_file = "/usr/local/etc/raddb/certs/dh"
Fri Jul 24 12:25:18 2009 : Debug: random_file = "/usr/local/etc/raddb/certs/random"
Fri Jul 24 12:25:18 2009 : Debug: fragment_size = 1024
Fri Jul 24 12:25:18 2009 : Debug: include_length = yes
Fri Jul 24 12:25:18 2009 : Debug: check_crl = no
Fri Jul 24 12:25:18 2009 : Debug: cipher_list = "DEFAULT"
Fri Jul 24 12:25:18 2009 : Debug: }
Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to sub-module rlm_eap_peap
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-peap
Fri Jul 24 12:25:18 2009 : Debug: peap {
Fri Jul 24 12:25:18 2009 : Debug: default_eap_type = "mschapv2"
Fri Jul 24 12:25:18 2009 : Debug: copy_request_to_tunnel = yes
Fri Jul 24 12:25:18 2009 : Debug: use_tunneled_reply = no
Fri Jul 24 12:25:18 2009 : Debug: proxy_tunneled_request_as_eap = yes
Fri Jul 24 12:25:18 2009 : Debug: virtual_server = "inner-tunnel"
Fri Jul 24 12:25:18 2009 : Debug: }
Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to sub-module rlm_eap_mschapv2
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating eap-mschapv2
Fri Jul 24 12:25:18 2009 : Debug: mschapv2 {
Fri Jul 24 12:25:18 2009 : Debug: with_ntdomain_hack = no
Fri Jul 24 12:25:18 2009 : Debug: }
Fri Jul 24 12:25:18 2009 : Debug: Module: Checking post-proxy {...} for more modules to load
Fri Jul 24 12:25:18 2009 : Debug: Module: Checking post-auth {...} for more modules to load
Fri Jul 24 12:25:18 2009 : Debug: (Loaded rlm_attr_filter, checking if it's valid)
Fri Jul 24 12:25:18 2009 : Debug: Module: Linked to module rlm_attr_filter
Fri Jul 24 12:25:18 2009 : Debug: Module: Instantiating attr_filter.access_reject
Fri Jul 24 12:25:18 2009 : Debug: attr_filter attr_filter.access_reject {
Fri Jul 24 12:25:18 2009 : Debug: attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
Fri Jul 24 12:25:18 2009 : Debug: key = "%{User-Name}"
Fri Jul 24 12:25:18 2009 : Debug: }
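Added example (not from the post and not FreeRADIUS code): a small Python model of the authorize logic quoted above, plus a check that every packet of one EAP conversation would be routed to the same rlm_eap instance. It assumes Cisco-AVPair values arrive as a list of strings and, as labelled in the comments, that each rlm_eap instance tracks its own sessions.

```python
import re
from typing import Dict, List, Optional

# Mirrors the post's unlang: SSID-Name is taken from the first Cisco-AVPair
# matching /ssid=(.*)/; the named SSIDs go to eap-internal, everything else
# (including "no SSID at all") falls through to eap-comodo.
SSID_RE = re.compile(r"ssid=(.*)")
INTERNAL_SSIDS = {"XX-Barcode", "EE-Barcode"}


def extract_ssid(avpairs: List[str]) -> Optional[str]:
    """SSID from the first matching Cisco-AVPair, or None.

    None models the `if (SSID-Name) -> FALSE` line in the debug output:
    the attribute was never created because nothing matched.
    """
    for value in avpairs:
        m = SSID_RE.search(value)
        if m:
            return m.group(1)
    return None


def select_eap_instance(avpairs: List[str]) -> str:
    """The rlm_eap instance the authorize section would call."""
    return "eap-internal" if extract_ssid(avpairs) in INTERNAL_SSIDS else "eap-comodo"


def check_conversation(packets: List[Dict]) -> List[str]:
    """Flag packets that would reach a different instance than the first one.

    Assumption (not stated in the post): each rlm_eap instance keeps its own
    session table, so a mid-conversation packet sent to the other instance
    finds no matching session there and the module call fails.
    """
    first = select_eap_instance(packets[0]["avpairs"])
    warnings = []
    for pkt in packets[1:]:
        chosen = select_eap_instance(pkt["avpairs"])
        if chosen != first:
            warnings.append(f"EAP id {pkt['id']}: routed to {chosen}, "
                            f"conversation started on {first}")
    return warnings


# Constructed sample: the first request carries the SSID, the second does not.
SAMPLE_CONVERSATION = [
    {"id": 1, "avpairs": ["ssid=XX-Barcode", "service-type=Framed"]},
    {"id": 2, "avpairs": ["service-type=Framed"]},
]

if __name__ == "__main__":
    for warning in check_conversation(SAMPLE_CONVERSATION):
        print(warning)
```

Running it against the constructed sample reports the second packet landing on eap-comodo, the same pattern the debug output above shows for EAP id 2.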