EAP/TLS authentication in 2050

Victor Guk v.guk at zaz.zp.ua
Mon Dec 5 09:25:41 CET 2011


Hello

I have SLES 11 SP1 (64-bit), freeradius 2.1.12 and openssl 0.9.8r.
I set up authentication with EAP/TLS.
The server and client certificates are valid until the year 3011. Here they are:

Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 5 07:05:02 2011 GMT
Not After : Apr 7 07:05:02 3011 GMT
Subject:
countryName = AU
stateOrProvinceName = Some-State
organizationName = Internet Widgits Pty Ltd
commonName = Root
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Apr 7 07:05:02 3011 GMT (365000 days)

Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Dec 5 07:06:57 2011 GMT
Not After : Apr 7 07:06:57 3011 GMT
Subject:
countryName = AU
stateOrProvinceName = Some-State
organizationName = Internet Widgits Pty Ltd
commonName = testuser
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
Certificate is to be certified until Apr 7 07:06:57 3011 GMT (365000 days)

Right now client authentication is successful, as freeradius shows:

Login OK: [host/testuser] (from client private-network port 33566721 cli 
0022-15ef-ab87)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 67 to 10.2.2.240 port 5002
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "3"
MS-MPPE-Recv-Key = 
0xca7449798f0f957fe8e03542d1b9a5ef6291756644f4e392a60f078a3c858cba
MS-MPPE-Send-Key = 
0xcfffb577e162ba2111b253f1f969e46e39521626f4669704e367502640f368a7
EAP-Message = 0x03050004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "host/testuser"
Finished request 3.

After that, I wanted to check how things would be in 2050, since, as we recall, 
the certificates are valid until 3011. I set the time on the freeradius server 
to August 1, 2050 (01/08/2050) and did the same on a client running 
Windows XP SP3. Authentication fails (the radius log is quoted slightly 
below).

I have a question for all who can help: is this a mistake in 
freeradius, which cannot correctly determine the validity of the 
certificate? Or did I make a mistake somewhere when setting up? Maybe 
someone has already experienced this. I'll be glad for your help.

test#radiusd -X
..................
rad_recv: Access-Request packet from host 10.2.2.240 port 5002, id=68, 
length=221
User-Name = "host/testuser"
EAP-Message = 0x0202001201686f73742f7465737475736572
Message-Authenticator = 0xe394bda2df7b6ff808bd0079cb5620cd
NAS-IP-Address = 10.2.2.240
NAS-Identifier = "001ac1d4d442"
NAS-Port = 33566721
NAS-Port-Id = "unit=2;subslot=0;port=3;vlanid=1"
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "0022-15ef-ab87"
H3C-Connect_Id = 18
H3C-Product-ID = "5500-EI"
H3C-Ip-Host-Addr = "0.0.0.0 00:22:15:ef:ab:87"
H3C-NAS-Startup-Timestamp = 954640520
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 152
[files] users: Matched entry host/testuser at line 234
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 68 to 10.2.2.240 port 5002
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "3"
EAP-Message = 0x010300060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x905a520890595f1e7244e69c58c3b630
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.2.2.240 port 5002, id=69, 
length=301
User-Name = "host/testuser"
EAP-Message = 
0x020300500d800000004616030100410100003d030198387b2b15bc66925793a2b08aec38827730edb90a98238b1f8967ad5b0e5a3000001600040005000a000900640062000300060013001200630100
Message-Authenticator = 0x57f352efbff4566bed7422e481a95c1e
NAS-IP-Address = 10.2.2.240
NAS-Identifier = "001ac1d4d442"
NAS-Port = 33566721
NAS-Port-Id = "unit=2;subslot=0;port=3;vlanid=1"
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "0022-15ef-ab87"
State = 0x905a520890595f1e7244e69c58c3b630
H3C-Connect_Id = 18
H3C-Product-ID = "5500-EI"
H3C-Ip-Host-Addr = "0.0.0.0 00:22:15:ef:ab:87"
H3C-NAS-Startup-Timestamp = 954640520
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 80
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 152
[files] users: Matched entry host/testuser at line 234
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 70
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0041], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 0245], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 0066], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 69 to 10.2.2.240 port 5002
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "3"
EAP-Message = 
0x010105050003818100ae145995a7db51de5488b35bb51c8cd9cb38be974572fb10989e2bfd5e8d2bcb1fac78a393e2b1afcb23a7436194078d4c246ae4c2f2823a2cfb586dbb1ba181887761f3eb2e4ee93fda19ed3b461af1f1dd49040462f574913234446b52d926f9680dca83626fc6deb048ce1d8cd1ef09b6cf42464bfc2dda2534ded1aec5ae16030100660d00005e03010240005800563054310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c7464310d300b06035504031304526f6f740e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x905a5208915e5f1e7244e69c58c3b630
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.2.2.240 port 5002, id=70, 
length=1138
User-Name = "host/testuser"
EAP-Message = 
0x0204038f0d800000038516030103550b00024500024200023f3082023b308201a4a003020102020102300d06092a864886f70d01010505003054310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c7464310d300b06035504031304526f6f743020170d3131313230353037303635375a180f33303131303430373037303635375a3058310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c74643111300f0603
EAP-Message = 
0x5504031308746573747573657230819f300d06092a864886f70d010101050003818d0030818902818100e4991040e15c9024ae083463fd6e2d09f46ca74e3cbeadd978f2e41ddb724e19ad31a9992e8da760d4892efaf9aeeff0c3331935020138485f7d48e625c4e57e55de639f131144c4e57fa7392f963ac719cf79d8dec0aa13254a8593022cb0004e58377ac8e2deaeb543b412a4ec96f955a30efab73e08cb7a825c9a6ec871af0203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d01010505000381810057827d8957a1782f450852803827b2e739cf5d7f85aac9a851467b4f8f2e2925c80d
EAP-Message = 
0xe075839d54a9b794e8a57a46750d932ae08a9c5b459d612dbd3153917da9f59dd493035382d696b1ecdcf1d867b55bdead570bd2417bd73c9c25b97d059c0579010da85edea51153830e4f4ce739ad361840198a7fefb1a68f328760ae561000008200807e2f5d813d13b4d0b4a37a400aa4047bd80f48b2239421304e8e87ddd9f1e8346ce680c7d965d83b6b11dcd1d6630ef0558f98c7323fe944aa024b8a51bd3ee5d376abb52df677e950eac9264435d027cc10e852107936a47fa622da0dfd575fcc48d095a931b544e6a9807dbfea859060cf28aa77eee6b66f20f94b9f183b620f00008200801f56d252999ca4dace4dd3653ab3ba1d2b232a
EAP-Message = 
0x126b781576b298652220ea7135e389b908c5e792fc316c3932836c317527278ba5682d5f22b86671f4bec52015f513402f6dfe9c371dbc245b8a563c87b1a3ea5589ecd20814e4e8aeee29c6832ebad011afc6040b85e4e2ec2b2ece9acdefa78e9f3c533f9ad13f104a7d5fa81403010001011603010020484dad944f3d7e14256da2f4be5641b0e3e094b3bbd20f973f13f4c081a6fddb
Message-Authenticator = 0xc43e468dd06dc0a9bc0a93893dbd14a5
NAS-IP-Address = 10.2.2.240
NAS-Identifier = "001ac1d4d442"
NAS-Port = 33566721
NAS-Port-Id = "unit=2;subslot=0;port=3;vlanid=1"
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "0022-15ef-ab87"
State = 0x905a5208915e5f1e7244e69c58c3b630
H3C-Connect_Id = 18
H3C-Product-ID = "5500-EI"
H3C-Ip-Host-Addr = "0.0.0.0 00:22:15:ef:ab:87"
H3C-NAS-Startup-Timestamp = 954640520
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 152
[files] users: Matched entry host/testuser at line 234
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 901
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] <<< TLS 1.0 Handshake [length 0249], Certificate
--> verify error:num=9:certificate is not yet valid
[tls] >>> TLS 1.0 Alert [length 0002], fatal bad_certificate
TLS Alert write:fatal:bad certificate
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL 
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect (certificate is not yet valid): [host/testuser] (from 
client private-network port 33566721 cli 0022-15ef-ab87)
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> host/testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 70 to 10.2.2.240 port 5002
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 68 with timestamp +11
Cleaning up request 1 ID 69 with timestamp +11
Waking up in 1.0 seconds.
Cleaning up request 2 ID 70 with timestamp +11
Ready to process requests.
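The verdict "certificate is not yet valid" is a comparison of the evaluation time against the certificate's notBefore/notAfter, so the first thing to confirm is what those two values actually say and how they are encoded. The following script is an added example and is not part of the original post or of freeradius; it decodes the two ASN.1 time encodings X.509 uses (UTCTime and GeneralizedTime, with the RFC 5280 rule that dates in 2050 and later must be GeneralizedTime) and evaluates a validity window at an arbitrary date. The two time strings it checks are the ones carried in the client certificate in the log above (`17 0d "111205070657Z"` and `18 0f "30110407070657Z"` inside the DER hex); the evaluation dates are the post's own test points. Everything else (function names, the constructed non-conforming sample) is an assumption of the example.

```python
"""Decode X.509 validity times and evaluate them at an arbitrary date.

Added example, not code from the original post or from freeradius.
The notBefore/notAfter strings come from the client certificate's DER
in the log (tag 0x17 = UTCTime, tag 0x18 = GeneralizedTime).
"""
from datetime import datetime, timezone

# Values decoded from the post's client certificate (Serial Number 2).
CLIENT_NOT_BEFORE = "111205070657Z"    # UTCTime     -> 2011-12-05 07:06:57 UTC
CLIENT_NOT_AFTER = "30110407070657Z"   # GeneralizedTime -> 3011-04-07 07:06:57 UTC


def parse_asn1_time(value: str) -> datetime:
    """Decode an ASN.1 UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime
    (YYYYMMDDHHMMSSZ) string as X.509 (RFC 5280 4.1.2.5) constrains them.

    UTCTime years 50..99 mean 1950..1999 and 00..49 mean 2000..2049, so a
    UTCTime can never express a date in 2050 or later.
    """
    if not value.endswith("Z"):
        raise ValueError("X.509 times must be expressed in Zulu (UTC) time")
    body = value[:-1]
    if len(body) == 12:            # UTCTime: two-digit year
        yy = int(body[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = body[2:]
    elif len(body) == 14:          # GeneralizedTime: four-digit year
        year = int(body[:4])
        rest = body[4:]
    else:
        raise ValueError(f"unrecognised ASN.1 time: {value!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def required_encoding(dt: datetime) -> str:
    """RFC 5280: dates through 2049 MUST be UTCTime, 2050 onward GeneralizedTime."""
    return "UTCTime" if dt.year < 2050 else "GeneralizedTime"


def encode_asn1_time(dt: datetime) -> str:
    """Encode a UTC datetime the way a conforming certificate must carry it."""
    fmt = "%y%m%d%H%M%SZ" if dt.year < 2050 else "%Y%m%d%H%M%SZ"
    return dt.strftime(fmt)


def encoding_conforms(value: str) -> bool:
    """True if the string uses the encoding RFC 5280 mandates for its date."""
    actual = "UTCTime" if len(value) == 13 else "GeneralizedTime"
    return actual == required_encoding(parse_asn1_time(value))


def check_validity(not_before: str, not_after: str, now: datetime) -> dict:
    """Evaluate the validity window at time `now`, mirroring the three
    outcomes a verifier can report: not yet valid, expired, or valid."""
    nb, na = parse_asn1_time(not_before), parse_asn1_time(not_after)
    if now < nb:
        reason = "certificate is not yet valid"
    elif now > na:
        reason = "certificate has expired"
    else:
        reason = "within validity window"
    return {
        "valid": nb <= now <= na,
        "reason": reason,
        "not_before_encoding": required_encoding(nb),
        "not_after_encoding": required_encoding(na),
        "now_encoding": required_encoding(now),
    }


if __name__ == "__main__":
    utc = timezone.utc
    for label, when in [
        ("post's successful run", datetime(2011, 12, 5, 12, 0, 0, tzinfo=utc)),
        ("post's 2050 test date", datetime(2050, 8, 1, 0, 0, 0, tzinfo=utc)),
        ("day after expiry", datetime(3011, 4, 8, 0, 0, 0, tzinfo=utc)),
    ]:
        result = check_validity(CLIENT_NOT_BEFORE, CLIENT_NOT_AFTER, when)
        print(f"{label}: now={encode_asn1_time(when)} "
              f"({result['now_encoding']}) -> {result['reason']}")
    # Constructed, non-conforming sample: a 2011 date wrongly encoded as GeneralizedTime.
    print("conforms:", encoding_conforms(CLIENT_NOT_BEFORE),
          encoding_conforms("20111205070657Z"))
```

Run as-is, the script shows that the window decoded from the certificate does contain 2050-08-01, so a correct comparison of the encoded dates would not produce "not yet valid" on that day. It also makes visible that 2050 is the first year in which the "current time" itself must be expressed as GeneralizedTime rather than UTCTime, which is a boundary worth keeping in mind whenever far-future validity is tested with a moved system clock.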
