FR3 and EAP-TLS session cache
Jyri Palis
jyri.palis at gmail.com
Sun Jun 14 14:11:33 CEST 2015
Hi,
I have been trying to get FR (3.0.4) EAP-TLS session caching to work with ‘check-eap-tls’ virtual server, so far no luck.
Initial EAP-TLS session is established correctly and Windows 7 clients get access to protected WLAN but requests following initial request fail to utilise data stored TLS session cache data client is force to proceed with full TLS handshake.
Virtual server 'check-eap-tls’ which is configured to verify client certificates fails when cached TLS session calls this method, variables needed for verification are not propagated correctly.
server check-eap-tls {
authorize {
if ("%{TLS-Client-Cert-Subject-Alt-Name-Upn}" =~ /^([a-z0-9]|[\w\.-]?)+\@example\.com$/i) {
update config {
Auth-Type := Accept
}
}
elsif ("%{TLS-Client-Cert-Subject-Alt-Name-Dns}" =~ /^([a-z0-9]|[\w\-]?)+\.example\.com$/i) {
update config {
Auth-Type := Accept
}
}
else {
update config {
Auth-Type := Reject
}
}
}
This is a fragment from log file:
Sun Jun 14 14:56:11 2015 : Auth: (44) Login incorrect (eap: Failed continuing EAP TLS (13) session. EAP sub-module failed): [host/xxxxx.example.com/<via Auth-Type = EAP>] (from client wc-s1-01 port 2 cli 00-24-d7-03-2b-38)
Sun Jun 14 14:56:16 2015 : Error: Couldn't open /var/log/radius/tlscache/c0373a395b8cc8bc3bd2fe453c3f235454b5216a47c1cb66e30580cd697033f1.vps for reading: No such file or directory
Sun Jun 14 14:56:16 2015 : Auth: (52) Login OK: [host/xxxxx.example.com] (from client wc-s1-01 port 2 cli 00-24-d7-03-2b-38 via TLS tunnel)
Sun Jun 14 14:56:16 2015 : Auth: (52) Login OK: [host/xxxxx.example.com] (from client wc-s1-01 port 2 cli 00-24-d7-03-2b-38)
So is there a way to check session status in ‘authorize’ block and accept auth when cached TLS session is detected?
This is written to stdout when running in debug mode
(15) eap_tls : Length Included
(15) eap_tls : eaptls_verify returned 11
(15) eap_tls : (other): before/accept initialization
(15) eap_tls : TLS_accept: before/accept initialization
(15) eap_tls : <<< TLS 1.0 Handshake [length 007c], ClientHello
SSL: Client requested cached session f35d02540a8e9c4faf8620dfe25e4e82941192f8686390ec3591df41ba22f967
reading pairlist file /var/log/radius/tlscache/f35d02540a8e9c4faf8620dfe25e4e82941192f8686390ec3591df41ba22f967.vps
Couldn't open /var/log/radius/tlscache/f35d02540a8e9c4faf8620dfe25e4e82941192f8686390ec3591df41ba22f967.vps for reading: No such file or directory
SSL: could not load persisted VPs for session f35d02540a8e9c4faf8620dfe25e4e82941192f8686390ec3591df41ba22f967
(15) eap_tls : TLS_accept: SSLv3 read client hello A
(15) eap_tls : >>> TLS 1.0 Handshake [length 0059], ServerHello
(15) eap_tls : TLS_accept: SSLv3 write server hello A
(15) eap_tls : >>> TLS 1.0 Handshake [length 0c46], Certificate
(15) eap_tls : TLS_accept: SSLv3 write certificate A
(15) eap_tls : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(15) eap_tls : TLS_accept: SSLv3 write key exchange A
(15) eap_tls : >>> TLS 1.0 Handshake [length 005b], CertificateRequest
(15) eap_tls : TLS_accept: SSLv3 write certificate request A
(15) eap_tls : TLS_accept: SSLv3 flush data
(15) eap_tls : TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
Regards,
Jyri.
More information about the Freeradius-Users
mailing list