2.1 to 2.2 update question
PENZ Robert
robert.penz at tirol.gv.at
Mon Jan 18 11:19:03 CET 2016
Hi!
I know that it's an old version, but anyway I hope someone can help me. The problem is with EAP-TLS and the freeradius upgrade on RHEL6 from freeradius-2.1.12-6.el6.x86_64 to freeradius-2.2.6-4.el6.x86_64 last fall. The same configuration works on freeradius 2.1.12 (and on 2.2.0, but not on 2.2.1, which we compiled for testing). The error happens at the first packet; there is no TLS stuff.
It looks like this on 2.1.12:
rad_recv: Access-Request packet from host 10.12.138.222 port 59774, id=0, length=165
User-Name = "DVT-DVT0060.tirol.local"
Calling-Station-Id = "5C-26-0A-6E-84-2E"
Framed-MTU = 1400
NAS-Port-Type = Ethernet
NAS-Port-Id = "2:22"
NAS-Port = 1022
NAS-IP-Address = 10.12.138.222
Connect-Info = "CONNECT 1000Mbs"
Service-Type = Login-User
EAP-Message = 0x0200001c014456542d445654303036302e7469726f6c2e6c6f63616c
Message-Authenticator = 0xca7712ac53f23d4f869fc36646c0b841
...
++? if (!EAP-Message) -> FALSE
++- entering else else {...}
[eap] EAP packet type response id 0 length 28
[eap] No EAP Start, assuming it's an on-going EAP conversation
+++[eap] returns updated
++- else else returns updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb-fallback//sites-enabled/default
+- entering group EAP {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
++? if (invalid)
....
Sending Access-Challenge of id 0 to 10.12.138.222 port 59774
EAP-Message = 0x010100060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe5ec0911e5ed0403ee357f922ace544a
Finished request 0.
.....
On 2.2.6 it looks like this:
rad_recv: Access-Request packet from host 127.0.0.1 port 33977, id=0, length=175
User-Name = "host/DVT-3N14N4J.tirol.local"
Calling-Station-Id = "00-24-E8-3A-FA-66"
Framed-MTU = 1400
NAS-Port-Type = Ethernet
NAS-Port-Id = "2:22"
NAS-Port = 1022
NAS-IP-Address = 127.0.0.1
Connect-Info = "CONNECT 1000Mbs"
Service-Type = Login-User
EAP-Message = 0x0200002101686f73742f4456542d334e31344e344a2e7469726f6c2e6c6f63616c
Message-Authenticator = 0x904a22572d739d5a070b01dc941d1daa
++? if (!EAP-Message) -> FALSE
++else else {
[eap] EAP packet type response id 0 length 33
[eap] No EAP Start, assuming it's an on-going EAP conversation
+++[eap] = updated
++} # else else = updated
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb//sites-enabled/default
+group EAP {
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
++else else {
+++? if (EAP-Type == "NAK")
? Evaluating (EAP-Type == "NAK") -> FALSE
+++? if (EAP-Type == "NAK") -> FALSE
+++else else {
++++update control {
++++} # update control = noop
+++} # else else = noop
++} # else else = noop
++? if (handled && (Response-Packet-Type == Access-Challenge))
? Evaluating (handled ) -> FALSE
?? Skipping (Response-Packet-Type == Access-Challenge)
++? if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
+} # group EAP = noop
Failed to authenticate the user.
Login incorrect: [host/DVT-3N14N4J.tirol.local/<via Auth-Type = EAP>] (from client macau03_local port 1022 cli 0024e83afa66)
Using Post-Auth-Type REJECT
.....
Sending delayed reject for request 0
Sending Access-Reject of id 0 to 127.0.0.1 port 33977
EAP-Message = 0x010100060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xca5a2b60ca5b268f8efac2a79a6aa6aa
We did check at which version the problem got introduced and found that 2.2.0 worked but 2.2.1 did not anymore. The relevant config looks like this:
authenticate {
    .....
    Auth-Type EAP {
        eap {
            handled = 1
            invalid = 1
        }
        if (ok) {
            if ("%{TLS-Client-Cert-Subject}" !~ /\/CN=%{sql:SELECT subject8021x FROM tdevices WHERE mac = '%{Calling-Station-Id}'}/i) {
                update control {
                    MACAU-Reason := "Cert-Subject <%{TLS-Client-Cert-Subject}> entspricht nicht dem Hinterlegten --> Remediation Netz"
                }
                handled
            }
            # if EAP worked, we need to override the VLAN, depending on the switch type
            elsif ("%{reply:Tunnel-Private-Group-ID}") {
                update reply {
                    Tunnel-Private-Group-ID := "%{sql:SELECT ..... "
                }
            }
            elsif ("%{reply:Extreme-Netlogin-Extended-Vlan}") {
                update reply {
                    Extreme-Netlogin-Extended-Vlan := "%{sql:SELECT ....."
                }
            }
            elsif ("%{reply:Xylan-Auth-Group}") {
                update reply {
                    Xylan-Auth-Group := "%{sql:SELECT ...."
                }
            }
            # store that 802.1x worked
            update control {
                MACAU-Reason := "802.1x <%{TLS-Client-Cert-Subject}> authentifiziert"
            }
            # Delete entries the switches don't like
            # <Warn:AAA.RADIUS.vsaUnknownVend> radDecodeVsa :Unknown vendor 311 16
            # <Warn:AAA.RADIUS.vsaUnknownVend> radDecodeVsa :Unknown vendor 311 17
            update reply {
                MS-MPPE-Recv-Key !* ANY
                MS-MPPE-Send-Key !* ANY
            }
        }
        else {
            # EAP did not work
            if (EAP-Type == "NAK") {
                update control {
                    MACAU-Reason := "Nicht unterstuetzter EAP Typ --> Client Fehlkonfiguration"
                }
            }
            else {
                update control {
                    MACAU-Reason := "Zertifikat ungueltig (z.b. revoked/abgelaufen)"
                }
            }
        }
    }
}
We also found out that just putting "eap" without {} and Auth-Type EAP just before that code block works, but then the rest of the code is not executed. Where should I put the set/update of the attributes in the newer versions of freeradius?
Regards,
Robert
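As an added example (not part of the original post or of FreeRADIUS itself), a small Python script that reads the unlang return codes out of a FreeRADIUS 2.x debug trace like the ones quoted above and flags the pattern visible in the 2.2.6 trace: the eap module returning "handled" while the enclosing "group EAP" section finishes with "noop", right before "Failed to authenticate the user." The sample log lines are a constructed excerpt of that trace; the 2.1.x "returns" format is handled as well.

```python
import re

# Constructed sample: the "group EAP" part of the 2.2.6 debug output quoted
# above, trimmed to the lines that carry return codes.
SAMPLE_LOG = """\
+group EAP {
++[eap] = handled
++? if (ok) -> FALSE
++else else {
+++? if (EAP-Type == "NAK") -> FALSE
++++update control {
++++} # update control = noop
+++} # else else = noop
++} # else else = noop
+} # group EAP = noop
"""

# 2.2.x prints "++[eap] = handled" / "+} # group EAP = noop";
# 2.1.x prints "++[eap] returns handled" / "++- else else returns updated".
MODULE_RE = re.compile(r"^(\++)\[(\w+)\] (?:=|returns) (\w+)$")
SECTION_RE = re.compile(r"^(\++)(?:\} # |- )(.+?) (?:=|returns) (\w+)$")


def parse_rcodes(text):
    """Return (depth, kind, name, rcode) for every module/section return code."""
    events = []
    for line in text.splitlines():
        m, kind = MODULE_RE.match(line), "module"
        if not m:
            m, kind = SECTION_RE.match(line), "section"
        if m:
            events.append((len(m.group(1)), kind, m.group(2), m.group(3)))
    return events


def lost_handled(events):
    """Modules that returned 'handled' (an Access-Challenge is pending) whose
    enclosing section nevertheless closed with another code, e.g. noop."""
    findings = []
    for i, (depth, kind, name, rcode) in enumerate(events):
        if kind != "module" or rcode != "handled":
            continue
        # The enclosing section is the next one closing at a shallower depth.
        for sdepth, skind, sname, srcode in events[i + 1:]:
            if skind == "section" and sdepth < depth:
                if srcode != "handled":
                    findings.append((name, sname, srcode))
                break
    return findings
```

Run it over the full output of "radiusd -X" to see, per request, which section swallowed the eap module's "handled" code.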