FR3 and EAP-TLS session cache
Jyri Palis
jyri.palis at gmail.com
Mon Jun 15 08:35:08 CEST 2015
Hi,
> You can do in-memory caching. I suggest trying that first. It works in all of my tests.
>
> As a second step, enable on-disk caching.
It does not matter whether I use in-memory or persistent on-disk caching; the result is always the same: the first run succeeds and the second one fails, the cache is invalidated and a full TLS handshake is performed again.
>
>> Virtual server 'check-eap-tls' which is configured to verify client certificates fails when cached TLS session calls this method, variables needed for verification are not propagated correctly.
>
> What does that mean?
When the TLS implementation detects a request to use cached session data, variables like %{TLS-Client-*} are not propagated, and the code in the check-eap-tls virtual server fails because the variables needed for client certificate validation do not contain any data.
>
>> server check-eap-tls {
>>     authorize {
>>
>>         if ("%{TLS-Client-Cert-Subject-Alt-Name-Upn}" =~ /^([a-z0-9]|[\w\.-]?)+\@example\.com$/i) {
>>             update config {
>>                 Auth-Type := Accept
>
> This is in the inner tunnel, right?
This is defined in the eap configuration's tls section.
>
>> This is a fragment from log file:
>
> Why? We recommend reading the *debug* output.
To demonstrate my issue more clearly I have attached three files to this message: the configuration, the first run and the second run. The output is generated by running freeradius -Xxx.
>
>> Sun Jun 14 14:56:11 2015 : Auth: (44) Login incorrect (eap: Failed continuing EAP TLS (13) session. EAP sub-module failed): [host/xxxxx.example.com/<via Auth-Type = EAP>] (from client wc-s1-01 port 2 cli 00-24-d7-03-2b-38)
>> Sun Jun 14 14:56:16 2015 : Error: Couldn't open /var/log/radius/tlscache/c0373a395b8cc8bc3bd2fe453c3f235454b5216a47c1cb66e30580cd697033f1.vps for reading: No such file or directory
>
> Probably because the TLS data isn't being cached.
First run ...
Mon Jun 15 08:29:23 2015 : Debug: (14) eap_tls : TLS_accept: SSLv3 flush data
Mon Jun 15 08:29:23 2015 : Debug: SSL: adding session 5bb22b52d5ab6b8e0e2c0be1c0054e8d5e3a11198dd85a74ff14d199374706e9 to cache
Mon Jun 15 08:29:23 2015 : Debug: (14) eap_tls : (other): SSL negotiation finished successfully
Second run …
Mon Jun 15 08:59:42 2015 : Auth: (23) Login incorrect: [host/user_host.private.com/<via Auth-Type = Reject>] (from client wc-s1-01 port 2 cli 00-24-d7-03-2b-38 via TLS tunnel)
Mon Jun 15 08:59:42 2015 : Debug: (23) Using Post-Auth-Type Reject
Mon Jun 15 08:59:42 2015 : Debug: (23) Post-Auth-Type sub-section not found. Ignoring.
Mon Jun 15 08:59:42 2015 : Debug: (23) Reply:
Mon Jun 15 08:59:42 2015 : Debug: (23) } # server check-eap-tls
Mon Jun 15 08:59:42 2015 : Debug: (23) eap_tls : Certificates were rejected by the virtual server
Mon Jun 15 08:59:42 2015 : Debug: SSL: Removing session 5bb22b52d5ab6b8e0e2c0be1c0054e8d5e3a11198dd85a74ff14d199374706e9 from the cache
Mon Jun 15 08:59:42 2015 : ERROR: (23) eap : Failed continuing EAP TLS (13) session. EAP sub-module failed
Debug logs:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: radius_host_2nd.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20150615/86cb964c/attachment-0003.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: radius_host_1st.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20150615/86cb964c/attachment-0004.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: radius_conf.txt
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20150615/86cb964c/attachment-0005.txt>
-------------- next part --------------
Regards,
Jyri.
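As an added illustration, not part of this thread or of FreeRADIUS itself: a small Python model of the quoted check-eap-tls policy, evaluated on constructed requests for a full handshake and for a resumed session in which the TLS-Client-Cert-* attributes expand to nothing. The attribute name and the regex come from the thread; the sample UPN values and the assumption that Python's re module matches unlang's regex semantics for these inputs are mine.

```python
import re

# The UPN check from the check-eap-tls 'authorize' section quoted in the thread,
# re-expressed for Python's re module (assumption: FreeRADIUS unlang regex
# semantics are close enough to Python's for the inputs used here).
UPN_POLICY = re.compile(r"^([a-z0-9]|[\w\.-]?)+\@example\.com$", re.IGNORECASE)

UPN_ATTR = "TLS-Client-Cert-Subject-Alt-Name-Upn"


def check_eap_tls(request):
    """Model the virtual server decision for one EAP-TLS request.

    `request` maps attribute names to the values FreeRADIUS would expand.
    Returns (auth_type, reason). A full handshake carries the client
    certificate, so TLS-Client-Cert-* attributes are populated; on a resumed
    (cached) session the certificate is not re-sent, the attribute expands
    to an empty string and the policy rejects, which is the second-run
    failure described in the thread.
    """
    upn = request.get(UPN_ATTR, "")
    if upn == "":
        return ("Reject", "no %s in request (cached TLS session?)" % UPN_ATTR)
    if UPN_POLICY.match(upn):
        return ("Accept", "UPN matches example.com policy")
    return ("Reject", "UPN %r does not match example.com policy" % upn)


def run_samples():
    """Evaluate constructed requests; returns {label: auth_type}."""
    samples = {
        # first run: full handshake, certificate SAN UPN present (constructed value)
        "full_handshake": {UPN_ATTR: "host1@example.com"},
        # second run: resumed session, no certificate attributes expanded
        "resumed_session": {},
        # full handshake with a certificate issued for another domain
        "wrong_domain": {UPN_ATTR: "host1@example.com.example.net"},
        # '@' must directly precede example.com, so a subdomain UPN is rejected
        "subdomain": {UPN_ATTR: "host1@sub.example.com"},
    }
    return {label: check_eap_tls(req)[0] for label, req in samples.items()}


if __name__ == "__main__":
    for label, decision in run_samples().items():
        print("%-16s -> %s" % (label, decision))
```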