TLS / SSL negotiation fails when behind Cisco IP phone

Danner, Mearl jmdanner at samford.edu
Sun Sep 9 16:36:41 CEST 2012


There is a switch in the Cisco phone. All my experience is with a 7945.

There are some ethernet settings in the phone settings - under device configuration. They can be controlled locally and some are controlled in Cisco Call Manager.

Might look there as a start.

-----Original Message-----
From: freeradius-users-bounces+jmdanner=samford.edu at lists.freeradius.org [mailto:freeradius-users-bounces+jmdanner=samford.edu at lists.freeradius.org] On Behalf Of Dan Lundström
Sent: Sunday, September 09, 2012 9:02 AM
To: freeradius-users at lists.freeradius.org
Subject: TLS / SSL negotiation fails when behind Cisco IP phone

Hi!

We are using EAP/TLS for wired authentication on our networks; at one of our sites the SSL negotiation fails when the client is connected behind a Cisco 7962 IP phone. We have this same setup working at other sites.
The phone model varies between the sites, but I cannot find any information about incompatibilities for this particular phone model that would say the phone is causing the problem.

I figured that the problem was caused by fragmentation, but after adjusting the fragment_size parameter in eap.conf according to the comments:

#  This can never exceed the size of a RADIUS
#  packet (4096 bytes), and is preferably half
#  that, to accomodate other attributes in
#  RADIUS packet.  On most APs the MAX packet
#  length is configured between 1500 - 1600
#  In these cases, fragment size should be
#  1024 or less.

...without any result, I am not sure anymore.

When I connect the client directly to a switch port, without the IP phone in between, everything works perfectly.

Here comes the relevant part of the RADIUS debug output. First session, without the IP phone, directly connected to the switch [ client -> switch ]:

------------------------------------------------------------------------------
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 0b2e], Certificate
[tls] chain-depth=2,
[tls] error=0
[tls] --> User-Name = host/US-LAPJAMIESON.us.xxxx.yyy
[tls] --> BUF-Name = Xxxx Root CA
[tls] --> subject = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
[tls] --> issuer  = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
[tls] --> verify return:1
[tls] chain-depth=1,
[tls] error=0
[tls] --> User-Name = host/US-LAPJAMIESON.us.xxxx.yyy
[tls] --> BUF-Name = Xxxx Sub CA
[tls] --> subject = /DC=com/DC=xxxx/CN=Xxxx Sub CA
[tls] --> issuer  = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
[tls] --> verify return:1
[tls] chain-depth=0,
[tls] error=0
[tls] --> User-Name = host/US-LAPJAMIESON.us.xxxx.yyy
[tls] --> BUF-Name = US-LAPJAMIESON.us.xxxx.yyy
[tls] --> subject = /CN=US-LAPJAMIESON.us.xxxx.yyy
[tls] --> issuer  = /DC=com/DC=xxxx/CN=Xxxx Sub CA
[tls] --> verify return:1
[tls]     TLS_accept: SSLv3 read client certificate A
[tls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[tls]     TLS_accept: SSLv3 read client key exchange A
[tls] <<< TLS 1.0 Handshake [length 0106], CertificateVerify
[tls]     TLS_accept: SSLv3 read certificate verify A
[tls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[tls] <<< TLS 1.0 Handshake [length 0010], Finished
[tls]     TLS_accept: SSLv3 read finished A
[tls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[tls]     TLS_accept: SSLv3 write change cipher spec A
[tls] >>> TLS 1.0 Handshake [length 0010], Finished
[tls]     TLS_accept: SSLv3 write finished A
[tls]     TLS_accept: SSLv3 flush data
[tls]     (other): SSL negotiation finished successfully
SSL Connection Established
------------------------------------------------------------------------------
------------------------------------------------------------------------------

Second session, with the IP phone in between [ client -> ipphone -> switch ]:

------------------------------------------------------------------------------
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 0b2e], Certificate
[tls] chain-depth=2,
[tls] error=0
[tls] --> User-Name = host/US-LAPJAMIESON.us.xxxx.yyy
[tls] --> BUF-Name = Xxxx Root CA
[tls] --> subject = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
[tls] --> issuer  = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
[tls] --> verify return:1
[tls] chain-depth=1,
[tls] error=0
[tls] --> User-Name = host/US-LAPJAMIESON.us.xxxx.yyy
[tls] --> BUF-Name = Xxxx Sub CA
[tls] --> subject = /DC=com/DC=xxxx/CN=Xxxx Sub CA
[tls] --> issuer  = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
[tls] --> verify return:1 --> verify error:num=7:certificate signature failure
[tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert write:fatal:decrypt error
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> host/US-LAPJAMIESON.us.xxxx.yyy
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 11 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 11
Sending Access-Reject of id 50 to 192.168.207.202 port 1812
EAP-Message = 0x040c0004
Message-Authenticator = 0x00000000000000000000000000000000
------------------------------------------------------------------------------
------------------------------------------------------------------------------

I am stuck, any suggestions would be much appreciated.

Brgds,
//Dan
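As an added illustration (not part of Dan's post or of FreeRADIUS itself), here is a small Python parser that compares the two debug sessions above, using constructed, abridged copies of them as input. It pulls out the Certificate message length, the number of EAP-TLS fragments it needs at a given fragment_size (1024 assumed), which chain depths verified, and where the signature check failed; the inference that the error belongs to the depth below the last one printed is an assumption about FreeRADIUS' callback logging order.

```python
import re

# Constructed, abridged copies of the two sessions quoted in the thread.
DIRECT = """\
[tls] <<< TLS 1.0 Handshake [length 0b2e], Certificate
[tls] chain-depth=2,
[tls] --> verify return:1
[tls] chain-depth=1,
[tls] --> verify return:1
[tls] chain-depth=0,
[tls] --> verify return:1
SSL Connection Established
"""
VIA_PHONE = """\
[tls] <<< TLS 1.0 Handshake [length 0b2e], Certificate
[tls] chain-depth=2,
[tls] --> verify return:1
[tls] chain-depth=1,
[tls] --> verify return:1 --> verify error:num=7:certificate signature failure
[tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
"""

def analyse(debug, fragment_size=1024):
    """Summarise one EAP-TLS session from `freeradius -X` output."""
    r = {"cert_len": None, "fragments": None, "verified": [], "failed_depth": None,
         "error": None, "alert": None, "ok": "SSL Connection Established" in debug}
    depth = None
    for line in debug.splitlines():
        if m := re.search(r"Handshake \[length ([0-9a-f]+)\], Certificate", line):
            r["cert_len"] = int(m.group(1), 16)
            # the Certificate message is carried in this many EAP-TLS fragments
            r["fragments"] = -(-r["cert_len"] // fragment_size)
        if m := re.search(r"chain-depth=(\d+)", line):
            depth = int(m.group(1))
        if "verify return:1" in line and depth is not None:
            r["verified"].append(depth)
        if m := re.search(r"verify error:num=\d+:(.*)", line):
            # assumption: the error is logged before the depth line of the
            # certificate it belongs to, i.e. the next one down the chain
            r["failed_depth"] = depth - 1 if depth else 0
            r["error"] = m.group(1).strip()
        if m := re.search(r"Alert \[length [0-9a-f]+\], (fatal \w+)", line):
            r["alert"] = m.group(1)
    return r

def diagnose(direct, via_phone):
    """Same chain and same size on both paths, but the signature only fails
    behind the phone: the certificate bytes arrive altered, not too large."""
    a, b = analyse(direct), analyse(via_phone)
    if a["ok"] and not b["ok"] and a["cert_len"] == b["cert_len"]:
        return f"depth-{b['failed_depth']} cert fails only via phone: {b['error']}"
    return "no path-specific difference found"
```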
