Alternate server certificate

Garber, Neal Neal.Garber at energyeast.com
Fri Jul 24 19:35:21 CEST 2009


>> - Have two instances of the EAP module (one for 
>> internal SSIDs and one for guest) and select 
>> which one to use with some unlang code (based upon 
>> the value of 1 request attribute)
>
>That should work.

I'm having trouble getting this to work.  I added 
the following to my authorize section:

       # Extract SSID into SSID-Name attribute
       if (Cisco-AVPair =~ /ssid=(.*)/) {
           update request {
               SSID-Name = "%{1}"
           }
       }
       # Select appropriate EAP instance
       if (SSID-Name) {
           if (SSID-Name == "XX-Barcode") {
               eap-internal
           }
           elsif (SSID-Name == "EE-Barcode") {
               eap-internal
           }
           else {
               eap-comodo
           }
       }
       else {
           eap-comodo
       }

I have two instances in modules/eap that are identical
except for the certificate_file and key_file.  When I
try to connect, I see the following in the debug output
(I can provide more if needed, but I think this will
illustrate what's happening).  I then tried using the
same certificate & key file and still received the same
error:

Fri Jul 24 12:25:27 2009 : Info: ++? if (SSID-Name)
Fri Jul 24 12:25:27 2009 : Info: ? Evaluating (SSID-Name) -> FALSE
Fri Jul 24 12:25:27 2009 : Info: ++? if (SSID-Name) -> FALSE
Fri Jul 24 12:25:27 2009 : Info: ++- entering else else {...}
Fri Jul 24 12:25:27 2009 : Info: [eap-comodo] EAP packet type response id 2 length 18
Fri Jul 24 12:25:27 2009 : Info: [eap-comodo] No EAP Start, assuming it's an on-going EAP conversation
Fri Jul 24 12:25:27 2009 : Info: +++[eap-comodo] returns fail
Fri Jul 24 12:25:27 2009 : Info: ++- else else returns fail
Fri Jul 24 12:25:27 2009 : Auth: Invalid user: [BGAS\\xxxxxxxx] (from client abcd1-ab-wc01 port 1 cli 00-16-6F-16-F5-64)
Fri Jul 24 12:25:27 2009 : Info: Using Post-Auth-Type Reject
Fri Jul 24 12:25:27 2009 : Info: +- entering group REJECT {...}

So, what causes the eap module to return "fail"?  There are no
other messages indicating why it is failing (that I see).  Here's
output at startup showing that both were instantiated:

Fri Jul 24 12:25:18 2009 : Debug:  Module: Instantiating eap-internal
Fri Jul 24 12:25:18 2009 : Debug:   eap eap-internal {
Fri Jul 24 12:25:18 2009 : Debug:       default_eap_type = "peap"
Fri Jul 24 12:25:18 2009 : Debug:       timer_expire = 60
Fri Jul 24 12:25:18 2009 : Debug:       ignore_unknown_eap_types = no
Fri Jul 24 12:25:18 2009 : Debug:       cisco_accounting_username_bug = no
Fri Jul 24 12:25:18 2009 : Debug:       max_sessions = 2048
Fri Jul 24 12:25:18 2009 : Debug:   }
Fri Jul 24 12:25:18 2009 : Debug:  Module: Linked to sub-module rlm_eap_leap
Fri Jul 24 12:25:18 2009 : Debug:  Module: Instantiating eap-leap
Fri Jul 24 12:25:18 2009 : Debug:  Module: Linked to sub-module rlm_eap_tls
Fri Jul 24 12:25:18 2009 : Debug:  Module: Instantiating eap-tls
Fri Jul 24 12:25:18 2009 : Debug:    tls {
Fri Jul 24 12:25:18 2009 : Debug:       rsa_key_exchange = no
Fri Jul 24 12:25:18 2009 : Debug:       dh_key_exchange = yes
Fri Jul 24 12:25:18 2009 : Debug:       rsa_key_length = 512
Fri Jul 24 12:25:18 2009 : Debug:       dh_key_length = 512
Fri Jul 24 12:25:18 2009 : Debug:       verify_depth = 0
Fri Jul 24 12:25:18 2009 : Debug:       pem_file_type = yes
Fri Jul 24 12:25:18 2009 : Debug:       private_key_file = "/usr/local/etc/raddb/certs/ra01-roch1-tst-internal.pem"
Fri Jul 24 12:25:18 2009 : Debug:       certificate_file = "/usr/local/etc/raddb/certs/ra01-roch1-tst-internal.pem"
Fri Jul 24 12:25:18 2009 : Debug:       private_key_password = "xxxxxxxx"
Fri Jul 24 12:25:18 2009 : Debug:       dh_file = "/usr/local/etc/raddb/certs/dh"
Fri Jul 24 12:25:18 2009 : Debug:       random_file = "/usr/local/etc/raddb/certs/random"
Fri Jul 24 12:25:18 2009 : Debug:       fragment_size = 1024
Fri Jul 24 12:25:18 2009 : Debug:       include_length = yes
Fri Jul 24 12:25:18 2009 : Debug:       check_crl = no
Fri Jul 24 12:25:18 2009 : Debug:       cipher_list = "DEFAULT"
Fri Jul 24 12:25:18 2009 : Debug:    }
Fri Jul 24 12:25:18 2009 : Debug:  Module: Linked to sub-module rlm_eap_peap
Fri Jul 24 12:25:18 2009 : Debug:  Module: Instantiating eap-peap
Fri Jul 24 12:25:18 2009 : Debug:    peap {
Fri Jul 24 12:25:18 2009 : Debug:       default_eap_type = "mschapv2"
Fri Jul 24 12:25:18 2009 : Debug:       copy_request_to_tunnel = yes
Fri Jul 24 12:25:18 2009 : Debug:       use_tunneled_reply = no
Fri Jul 24 12:25:18 2009 : Debug:       proxy_tunneled_request_as_eap = yes
Fri Jul 24 12:25:18 2009 : Debug:       virtual_server = "inner-tunnel"
Fri Jul 24 12:25:18 2009 : Debug:    }
Fri Jul 24 12:25:18 2009 : Debug:  Module: Linked to sub-module rlm_eap_mschapv2
Fri Jul 24 12:25:18 2009 : Debug:  Module: Instantiating eap-mschapv2
Fri Jul 24 12:25:18 2009 : Debug:    mschapv2 {
Fri Jul 24 12:25:18 2009 : Debug:       with_ntdomain_hack = no
Fri Jul 24 12:25:18 2009 : Debug:    }
Fri Jul 24 12:25:18 2009 : Debug:  Module: Checking authorize {...} for more modules to load
Fri Jul 24 12:25:18 2009 : Debug:     (Loaded rlm_preprocess, checking if it's valid)
Fri Jul 24 12:25:18 2009 : Debug:  Module: Linked to module rlm_preprocess
Fri Jul 24 12:25:18 2009 : Debug:  Module: Instantiating preprocess
Fri Jul 24 12:25:18 2009 : Debug:   preprocess {
Fri Jul 24 12:25:18 2009 : Debug:       huntgroups = "/usr/local/etc/raddb/huntgroups"
Fri Jul 24 12:25:18 2009 : Debug:       hints = "/usr/local/etc/raddb/hints"
Fri Jul 24 12:25:18 2009 : Debug:       with_ascend_hack = no
Fri Jul 24 12:25:18 2009 : Debug:       ascend_channels_per_line = 23
Fri Jul 24 12:25:18 2009 : Debug:       with_ntdomain_hack = no
Fri Jul 24 12:25:18 2009 : Debug:       with_specialix_jetstream_hack = no
Fri Jul 24 12:25:18 2009 : Debug:       with_cisco_vsa_hack = yes
Fri Jul 24 12:25:18 2009 : Debug:       with_alvarion_vsa_hack = no
Fri Jul 24 12:25:18 2009 : Debug:   }
Fri Jul 24 12:25:18 2009 : Debug:     (Loaded rlm_realm, checking if it's valid)
Fri Jul 24 12:25:18 2009 : Debug:  Module: Linked to module rlm_realm
Fri Jul 24 12:25:18 2009 : Debug:  Module: Instantiating ntdomain
Fri Jul 24 12:25:18 2009 : Debug:   realm ntdomain {
Fri Jul 24 12:25:18 2009 : Debug:       format = "prefix"
Fri Jul 24 12:25:18 2009 : Debug:       delimiter = "\"
Fri Jul 24 12:25:18 2009 : Debug:       ignore_default = no
Fri Jul 24 12:25:18 2009 : Debug:       ignore_null = no
Fri Jul 24 12:25:18 2009 : Debug:   }
Fri Jul 24 12:25:18 2009 : Debug:     (Loaded rlm_attr_rewrite, checking if it's valid)
Fri Jul 24 12:25:18 2009 : Debug:  Module: Linked to module rlm_attr_rewrite
Fri Jul 24 12:25:18 2009 : Debug:  Module: Instantiating machine_UserName
Fri Jul 24 12:25:18 2009 : Debug:   attr_rewrite machine_UserName {
Fri Jul 24 12:25:18 2009 : Debug:       attribute = "User-Name"
Fri Jul 24 12:25:18 2009 : Debug:       searchfor = "^host/(.*).energyeast.net"
Fri Jul 24 12:25:18 2009 : Debug:       searchin = "packet"
Fri Jul 24 12:25:18 2009 : Debug:       replacewith = "%{1}$"
Fri Jul 24 12:25:18 2009 : Debug:       append = no
Fri Jul 24 12:25:18 2009 : Debug:       ignore_case = yes
Fri Jul 24 12:25:18 2009 : Debug:       new_attribute = no
Fri Jul 24 12:25:18 2009 : Debug:       max_matches = 1
Fri Jul 24 12:25:18 2009 : Debug:   }
Fri Jul 24 12:25:18 2009 : Debug:  Module: Instantiating eap-comodo
Fri Jul 24 12:25:18 2009 : Debug:   eap eap-comodo {
Fri Jul 24 12:25:18 2009 : Debug:       default_eap_type = "peap"
Fri Jul 24 12:25:18 2009 : Debug:       timer_expire = 60
Fri Jul 24 12:25:18 2009 : Debug:       ignore_unknown_eap_types = no
Fri Jul 24 12:25:18 2009 : Debug:       cisco_accounting_username_bug = no
Fri Jul 24 12:25:18 2009 : Debug:       max_sessions = 2048
Fri Jul 24 12:25:18 2009 : Debug:   }
Fri Jul 24 12:25:18 2009 : Debug:  Module: Linked to sub-module rlm_eap_leap
Fri Jul 24 12:25:18 2009 : Debug:  Module: Instantiating eap-leap
Fri Jul 24 12:25:18 2009 : Debug:  Module: Linked to sub-module rlm_eap_tls
Fri Jul 24 12:25:18 2009 : Debug:  Module: Instantiating eap-tls
Fri Jul 24 12:25:18 2009 : Debug:    tls {
Fri Jul 24 12:25:18 2009 : Debug:       rsa_key_exchange = no
Fri Jul 24 12:25:18 2009 : Debug:       dh_key_exchange = yes
Fri Jul 24 12:25:18 2009 : Debug:       rsa_key_length = 512
Fri Jul 24 12:25:18 2009 : Debug:       dh_key_length = 512
Fri Jul 24 12:25:18 2009 : Debug:       verify_depth = 0
Fri Jul 24 12:25:18 2009 : Debug:       pem_file_type = yes
Fri Jul 24 12:25:18 2009 : Debug:       private_key_file = "/usr/local/etc/raddb/certs/ra01-roch1-tst-internal.pem"
Fri Jul 24 12:25:18 2009 : Debug:       certificate_file = "/usr/local/etc/raddb/certs/ra01-roch1-tst-internal.pem"
Fri Jul 24 12:25:18 2009 : Debug:       private_key_password = "xxxxxxxx"
Fri Jul 24 12:25:18 2009 : Debug:       dh_file = "/usr/local/etc/raddb/certs/dh"
Fri Jul 24 12:25:18 2009 : Debug:       random_file = "/usr/local/etc/raddb/certs/random"
Fri Jul 24 12:25:18 2009 : Debug:       fragment_size = 1024
Fri Jul 24 12:25:18 2009 : Debug:       include_length = yes
Fri Jul 24 12:25:18 2009 : Debug:       check_crl = no
Fri Jul 24 12:25:18 2009 : Debug:       cipher_list = "DEFAULT"
Fri Jul 24 12:25:18 2009 : Debug:    }
Fri Jul 24 12:25:18 2009 : Debug:  Module: Linked to sub-module rlm_eap_peap
Fri Jul 24 12:25:18 2009 : Debug:  Module: Instantiating eap-peap
Fri Jul 24 12:25:18 2009 : Debug:    peap {
Fri Jul 24 12:25:18 2009 : Debug:       default_eap_type = "mschapv2"
Fri Jul 24 12:25:18 2009 : Debug:       copy_request_to_tunnel = yes
Fri Jul 24 12:25:18 2009 : Debug:       use_tunneled_reply = no
Fri Jul 24 12:25:18 2009 : Debug:       proxy_tunneled_request_as_eap = yes
Fri Jul 24 12:25:18 2009 : Debug:       virtual_server = "inner-tunnel"
Fri Jul 24 12:25:18 2009 : Debug:    }
Fri Jul 24 12:25:18 2009 : Debug:  Module: Linked to sub-module rlm_eap_mschapv2
Fri Jul 24 12:25:18 2009 : Debug:  Module: Instantiating eap-mschapv2
Fri Jul 24 12:25:18 2009 : Debug:    mschapv2 {
Fri Jul 24 12:25:18 2009 : Debug:       with_ntdomain_hack = no
Fri Jul 24 12:25:18 2009 : Debug:    }
Fri Jul 24 12:25:18 2009 : Debug:  Module: Checking post-proxy {...} for more modules to load
Fri Jul 24 12:25:18 2009 : Debug:  Module: Checking post-auth {...} for more modules to load
Fri Jul 24 12:25:18 2009 : Debug:     (Loaded rlm_attr_filter, checking if it's valid)
Fri Jul 24 12:25:18 2009 : Debug:  Module: Linked to module rlm_attr_filter
Fri Jul 24 12:25:18 2009 : Debug:  Module: Instantiating attr_filter.access_reject
Fri Jul 24 12:25:18 2009 : Debug:   attr_filter attr_filter.access_reject {
Fri Jul 24 12:25:18 2009 : Debug:       attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
Fri Jul 24 12:25:18 2009 : Debug:       key = "%{User-Name}"
Fri Jul 24 12:25:18 2009 : Debug:   }
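Added example (editor's addition, not configuration from the post above or from the FreeRADIUS project). An EAP conversation spans several Access-Request/Access-Challenge round trips, and each rlm_eap instance keeps its own EAP session table, so every packet of one conversation has to reach the same instance, in authenticate as well as in authorize. The trace above shows SSID-Name unset on the packet that landed in eap-comodo, so whatever selects the instance must be present, and evaluate the same way, on every packet of the conversation. The fragment assumes FreeRADIUS 2.x, the instance names eap-internal and eap-comodo from the post, an SSID-Name attribute defined in the local dictionary, and a NAS that sends Cisco-AVPair = "ssid=<name>" on every packet; in 2.x a named eap instance sets Auth-Type to its own instance name, which is why both instances are listed in authenticate.

```unlang
# Added example: consistent selection of one of two rlm_eap instances.
# Assumptions: FreeRADIUS 2.x; instances eap-internal and eap-comodo as in
# the post; SSID-Name defined in the local dictionary; Cisco-AVPair with
# "ssid=<name>" present on every packet of the EAP conversation.

authorize {
    preprocess

    # Cisco-AVPair can occur several times in one request; the comparison
    # below is evaluated against the first occurrence, so check the order
    # in which your NAS sends them.
    if (Cisco-AVPair =~ /^ssid=(.*)$/) {
        update request {
            SSID-Name := "%{1}"
        }
    }

    # The two internal SSIDs share one instance; everything else, including
    # a packet where SSID-Name could not be extracted, goes to eap-comodo.
    if ((SSID-Name == "XX-Barcode") || (SSID-Name == "EE-Barcode")) {
        eap-internal {
            ok = return
        }
    }
    else {
        eap-comodo {
            ok = return
        }
    }

    # ... remaining authorize modules (files, ldap, etc.) ...
}

authenticate {
    # Each instance sets Auth-Type to its own instance name in 2.x, so both
    # must be listed here; the server runs the one whose name matches.
    eap-internal
    eap-comodo
}
```

If the wrong instance is still reached on a later packet, compare the "Evaluating (...)" lines of the first and second Access-Request of one client in the debug output: the condition has to give the same answer on both, otherwise the continuation packet is handed to an instance that has no session for it.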

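A small analyser for radiusd -X output, added as an example (it is neither from the post nor part of FreeRADIUS). It splits the debug output into packets, records which rlm_eap instance saw the EAP-Message in each one and what that instance returned, and warns when successive packets from the same NAS were routed to different instances, which is the mismatch the trace above suggests. The sample log is constructed: packet id=6 is an invented first round routed to eap-internal, and packet id=7 repeats the lines quoted in the post. Grouping by NAS address is a heuristic chosen for this example; a real tool would key on Calling-Station-Id or the State attribute.

```python
"""Per-packet view of which rlm_eap instance handled each EAP round.

Added example; the log below is constructed, not a real capture.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample of radiusd -X output. id=6 is an invented first round
# routed to eap-internal; id=7 reproduces the lines quoted in the post, where
# SSID-Name is unset and the packet falls through to eap-comodo.
SAMPLE_LOG = r"""
Fri Jul 24 12:25:26 2009 : Info: rad_recv: Access-Request packet from host 10.1.1.5 port 32768, id=6, length=190
Fri Jul 24 12:25:26 2009 : Info: ++? if (SSID-Name)
Fri Jul 24 12:25:26 2009 : Info: ? Evaluating (SSID-Name) -> TRUE
Fri Jul 24 12:25:26 2009 : Info: ++? if (SSID-Name) -> TRUE
Fri Jul 24 12:25:26 2009 : Info: +++? if (SSID-Name == "XX-Barcode")
Fri Jul 24 12:25:26 2009 : Info: ? Evaluating (SSID-Name == "XX-Barcode") -> TRUE
Fri Jul 24 12:25:26 2009 : Info: +++? if (SSID-Name == "XX-Barcode") -> TRUE
Fri Jul 24 12:25:26 2009 : Info: [eap-internal] EAP packet type response id 1 length 18
Fri Jul 24 12:25:26 2009 : Info: ++++[eap-internal] returns updated
Fri Jul 24 12:25:27 2009 : Info: rad_recv: Access-Request packet from host 10.1.1.5 port 32768, id=7, length=190
Fri Jul 24 12:25:27 2009 : Info: ++? if (SSID-Name)
Fri Jul 24 12:25:27 2009 : Info: ? Evaluating (SSID-Name) -> FALSE
Fri Jul 24 12:25:27 2009 : Info: ++? if (SSID-Name) -> FALSE
Fri Jul 24 12:25:27 2009 : Info: ++- entering else else {...}
Fri Jul 24 12:25:27 2009 : Info: [eap-comodo] EAP packet type response id 2 length 18
Fri Jul 24 12:25:27 2009 : Info: [eap-comodo] No EAP Start, assuming it's an on-going EAP conversation
Fri Jul 24 12:25:27 2009 : Info: +++[eap-comodo] returns fail
Fri Jul 24 12:25:27 2009 : Info: ++- else else returns fail
Fri Jul 24 12:25:27 2009 : Auth: Invalid user: [BGAS\\xxxxxxxx] (from client abcd1-ab-wc01 port 1 cli 00-16-6F-16-F5-64)
"""

RECV_RE = re.compile(r"rad_recv: Access-Request packet from host (\S+) port (\d+), id=(\d+)")
COND_RE = re.compile(r"\? Evaluating \((.+)\) -> (TRUE|FALSE)")
EAP_RE = re.compile(r"\[(eap[\w-]*)\] EAP packet type (\w+) id (\d+) length (\d+)")
RET_RE = re.compile(r"\+\[(eap[\w-]*)\] returns (\w+)")


@dataclass
class Packet:
    nas: str
    radius_id: int
    conditions: List[Tuple[str, bool]] = field(default_factory=list)
    instance: Optional[str] = None   # rlm_eap instance that saw the EAP-Message
    eap_id: Optional[int] = None     # EAP identifier inside that message
    rc: Optional[str] = None         # return code of that instance (ok/updated/fail/...)


def parse_debug(text: str) -> List[Packet]:
    """Split debug output at each rad_recv line and summarise the EAP handling."""
    packets: List[Packet] = []
    cur: Optional[Packet] = None
    for line in text.splitlines():
        m = RECV_RE.search(line)
        if m:
            cur = Packet(nas=m.group(1), radius_id=int(m.group(3)))
            packets.append(cur)
            continue
        if cur is None:
            continue  # startup output before the first packet
        m = COND_RE.search(line)
        if m:
            cur.conditions.append((m.group(1), m.group(2) == "TRUE"))
            continue
        m = EAP_RE.search(line)
        if m:
            cur.instance, cur.eap_id = m.group(1), int(m.group(3))
            continue
        m = RET_RE.search(line)
        if m and m.group(1) == cur.instance:
            cur.rc = m.group(2)
    return packets


def instance_switches(packets: List[Packet]) -> List[Tuple[str, int, str, str]]:
    """Return (nas, radius_id, previous_instance, new_instance) for every packet
    whose rlm_eap instance differs from the previous packet of the same NAS.

    Each rlm_eap instance has its own session table, so a conversation started
    in one instance cannot be continued by the other. Keying on the NAS address
    is a heuristic for this example (assumption: one client per NAS at a time).
    """
    last: Dict[str, str] = {}
    switches: List[Tuple[str, int, str, str]] = []
    for p in packets:
        if p.instance is None:
            continue
        prev = last.get(p.nas)
        if prev is not None and prev != p.instance:
            switches.append((p.nas, p.radius_id, prev, p.instance))
        last[p.nas] = p.instance
    return switches


def report(text: str) -> List[str]:
    """One line per packet plus a WARNING line per instance switch."""
    packets = parse_debug(text)
    lines = [f"id={p.radius_id} nas={p.nas} eap_id={p.eap_id} "
             f"instance={p.instance} rc={p.rc} conds={p.conditions}" for p in packets]
    for nas, rid, prev, new in instance_switches(packets):
        lines.append(f"WARNING: {nas} id={rid}: conversation moved from {prev} to {new}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a saved "radiusd -X" capture (`report(open("debug.log").read())`) to see, per Access-Request, which instance handled the EAP round and what it returned; a WARNING line marks the packet at which the selection logic changed its answer mid-conversation.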