TLS / SSL negotiation fails when behind Cisco IP phone
Dan Lundström
dan.lundstrom at axis.com
Sun Sep 9 17:52:57 CEST 2012
I have been looking at possible changes to make on the phone and call manager, but cannot find anything that would relate to the behavior we have. Is there a way to change MTU value on the phones, I can't find it.
We have the 7945 model on another site as well and there everything works, I have tried with a 7942 here as well and it does not work. I am quite sure that the problem is related to the internal switch in the phone, but since the EAP package gets through to the authenticating switch there should be a way to get it to work. I don't have any other phone models here to test with, and I can't find any information about hardware/switch differences in the 7962 and the 7954 phones.
Can anyone tell from the below sessions if the SSL negotiation fails because of fragmentation?
I just found this article;
https://supportforums.cisco.com/thread/163050
Seems like it might be a firmware issue, I will upgrade/downgrade and let you know the outcome.
/Dan
> -----Original Message-----
> From: freeradius-users-
> bounces+dan.lundstrom=axis.com at lists.freeradius.org [mailto:freeradius-
> users-bounces+dan.lundstrom=axis.com at lists.freeradius.org] On Behalf Of
> Danner, Mearl
> Sent: den 9 september 2012 16:37
> To: FreeRadius users mailing list
> Subject: RE: TLS / SSL negotiation fails when behind Cisco IP phone
>
> There is a switch in the Cisco phone. All my experience is with a 7945.
>
> There are some ethernet settings in the phone settings - under device
> configuration. They can be controlled locally and some are controlled in Cisco
> Call Manager.
>
> Might look there as a start.
>
> -----Original Message-----
> From: freeradius-users-
> bounces+jmdanner=samford.edu at lists.freeradius.org [mailto:freeradius-
> users-bounces+jmdanner=samford.edu at lists.freeradius.org] On Behalf Of
> Dan Lundström
> Sent: Sunday, September 09, 2012 9:02 AM
> To: freeradius-users at lists.freeradius.org
> Subject: TLS / SSL negotiation fails when behind Cisco IP phone
>
> Hi!
>
> We are using EAP/TLS for wired authentication on our networks, in one of
> our sites the SSL negotiation fails when the client is connected behind a Cisco
> 7962 IP phone. We have this same setup working on other sites.
> The phone model varies between the sites, but I cannot find any information
> about incompatibilities for the particular phone model saying it should be the
> phone that is causing the problem.
>
> I figured that the problem was caused by fragmentation but after adjusting
> the fragment_size parameter in eap.conf, according to the comments..;
>
> # This can never exceed the size of a RADIUS
> # packet (4096 bytes), and is preferably half
> # that, to accomodate other attributes in
> # RADIUS packet. On most APs the MAX packet
> # length is configured between 1500 - 1600
> # In these cases, fragment size should be
> # 1024 or less.
>
> ..without any result, I am not sure anymore.
>
> When I connect the client directly to a switch port, without the IP phone in-
> between, everything works perfect.
>
> Here comes the relevant part of RADIUS debug output, first session -
> Without IP phone, directly connected to the switch [ client -> switch ];
>
> ------------------------------------------------------------------------------
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/tls
> [eap] processing type tls
> [tls] Authenticate
> [tls] processing EAP-TLS
> [tls] eaptls_verify returned 7
> [tls] Done initial handshake
> [tls] <<< TLS 1.0 Handshake [length 0b2e], Certificate
> [tls] chain-depth=2,
> [tls] error=0
> [tls] --> User-Name = host/US-LAPJAMIESON.us.xxxx.yyy
> [tls] --> BUF-Name = Xxxx Root CA
> [tls] --> subject = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
> [tls] --> issuer = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
> [tls] --> verify return:1
> [tls] chain-depth=1,
> [tls] error=0
> [tls] --> User-Name = host/US-LAPJAMIESON.us.xxxx.yyy
> [tls] --> BUF-Name = Xxxx Sub CA
> [tls] --> subject = /DC=com/DC=xxxx/CN=Xxxx Sub CA
> [tls] --> issuer = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
> [tls] --> verify return:1
> [tls] chain-depth=0,
> [tls] error=0
> [tls] --> User-Name = host/US-LAPJAMIESON.us.xxxx.yyy
> [tls] --> BUF-Name = US-LAPJAMIESON.us.xxxx.yyy
> [tls] --> subject = /CN=US-LAPJAMIESON.us.xxxx.yyy
> [tls] --> issuer = /DC=com/DC=xxxx/CN=Xxxx Sub CA
> [tls] --> verify return:1
> [tls] TLS_accept: SSLv3 read client certificate A
> [tls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
> [tls] TLS_accept: SSLv3 read client key exchange A
> [tls] <<< TLS 1.0 Handshake [length 0106], CertificateVerify
> [tls] TLS_accept: SSLv3 read certificate verify A
> [tls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
> [tls] <<< TLS 1.0 Handshake [length 0010], Finished
> [tls] TLS_accept: SSLv3 read finished A
> [tls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
> [tls] TLS_accept: SSLv3 write change cipher spec A
> [tls] >>> TLS 1.0 Handshake [length 0010], Finished
> [tls] TLS_accept: SSLv3 write finished A
> [tls] TLS_accept: SSLv3 flush data
> [tls] (other): SSL negotiation finished successfully
> SSL Connection Established
> ------------------------------------------------------------------------------
> ------------------------------------------------------------------------------
>
> Second part - With IP phone in-between [ client -> ipphone -> switch ];
>
> ------------------------------------------------------------------------------
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/tls
> [eap] processing type tls
> [tls] Authenticate
> [tls] processing EAP-TLS
> [tls] eaptls_verify returned 7
> [tls] Done initial handshake
> [tls] <<< TLS 1.0 Handshake [length 0b2e], Certificate
> [tls] chain-depth=2,
> [tls] error=0
> [tls] --> User-Name = host/US-LAPJAMIESON.us.xxxx.yyy
> [tls] --> BUF-Name = Xxxx Root CA
> [tls] --> subject = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
> [tls] --> issuer = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
> [tls] --> verify return:1
> [tls] chain-depth=1,
> [tls] error=0
> [tls] --> User-Name = host/US-LAPJAMIESON.us.xxxx.yyy
> [tls] --> BUF-Name = Xxxx Sub CA
> [tls] --> subject = /DC=com/DC=xxxx/CN=Xxxx Sub CA
> [tls] --> issuer = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
> [tls] --> verify return:1
> --> verify error:num=7:certificate signature failure
> [tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
> TLS Alert write:fatal:decrypt error
> TLS_accept: error in SSLv3 read client certificate B
> rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
> SSL: SSL_read failed inside of TLS (-1), TLS session fails.
> TLS receive handshake failed during operation
> [tls] eaptls_process returned 4
> [eap] Handler failed in EAP/tls
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} ->
> host/US-LAPJAMIESON.us.xxxx.yyy
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 11 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 11
> Sending Access-Reject of id 50 to 192.168.207.202 port 1812
> EAP-Message = 0x040c0004
> Message-Authenticator = 0x00000000000000000000000000000000
> ------------------------------------------------------------------------------
> ------------------------------------------------------------------------------
>
> I am stuck, any suggestions would be much appreciated.
>
> Brgds,
> //Dan
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html