2.1 to 2.2 update question

PENZ Robert robert.penz at tirol.gv.at
Mon Jan 18 11:19:03 CET 2016


Hi!

I know that it's an old version, but anyway I hope someone can help me. The problem is with EAP-TLS and the RHEL6 freeradius upgrade from freeradius-2.1.12-6.el6.x86_64 to freeradius-2.2.6-4.el6.x86_64 last fall. The same configuration works on freeradius 2.1.12 (and 2.2.0, but not 2.2.1, which we compiled for testing). The error happens at the first packet; there is no TLS stuff involved.

It looks like this on 2.1.12:

rad_recv: Access-Request packet from host 10.12.138.222 port 59774, id=0, length=165
            User-Name = "DVT-DVT0060.tirol.local"
            Calling-Station-Id = "5C-26-0A-6E-84-2E"
            Framed-MTU = 1400
            NAS-Port-Type = Ethernet
            NAS-Port-Id = "2:22"
            NAS-Port = 1022
            NAS-IP-Address = 10.12.138.222
            Connect-Info = "CONNECT 1000Mbs"
            Service-Type = Login-User
            EAP-Message = 0x0200001c014456542d445654303036302e7469726f6c2e6c6f63616c
            Message-Authenticator = 0xca7712ac53f23d4f869fc36646c0b841
...
++? if (!EAP-Message) -> FALSE
++- entering else else {...}
[eap] EAP packet type response id 0 length 28
[eap] No EAP Start, assuming it's an on-going EAP conversation
+++[eap] returns updated
++- else else returns updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb-fallback//sites-enabled/default
+- entering group EAP {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
++? if (invalid)
....
Sending Access-Challenge of id 0 to 10.12.138.222 port 59774
            EAP-Message = 0x010100060d20
            Message-Authenticator = 0x00000000000000000000000000000000
            State = 0xe5ec0911e5ed0403ee357f922ace544a
Finished request 0.

.....

On 2.2.6 it looks like this:


rad_recv: Access-Request packet from host 127.0.0.1 port 33977, id=0, length=175
        User-Name = "host/DVT-3N14N4J.tirol.local"
        Calling-Station-Id = "00-24-E8-3A-FA-66"
        Framed-MTU = 1400
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "2:22"
        NAS-Port = 1022
        NAS-IP-Address = 127.0.0.1
        Connect-Info = "CONNECT 1000Mbs"
        Service-Type = Login-User
        EAP-Message = 0x0200002101686f73742f4456542d334e31344e344a2e7469726f6c2e6c6f63616c
        Message-Authenticator = 0x904a22572d739d5a070b01dc941d1daa

++? if (!EAP-Message) -> FALSE
++else else {
[eap] EAP packet type response id 0 length 33
[eap] No EAP Start, assuming it's an on-going EAP conversation
+++[eap] = updated
++} # else else = updated
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb//sites-enabled/default
+group EAP {
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
++else else {
+++? if (EAP-Type == "NAK")
? Evaluating (EAP-Type == "NAK") -> FALSE
+++? if (EAP-Type == "NAK") -> FALSE
+++else else {
++++update control {
++++} # update control = noop
+++} # else else = noop
++} # else else = noop
++? if (handled && (Response-Packet-Type == Access-Challenge))
? Evaluating (handled ) -> FALSE
?? Skipping (Response-Packet-Type == Access-Challenge)
++? if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE
+} # group EAP = noop
Failed to authenticate the user.
Login incorrect: [host/DVT-3N14N4J.tirol.local/<via Auth-Type = EAP>] (from client macau03_local port 1022 cli 0024e83afa66)
Using Post-Auth-Type REJECT

.....
Sending delayed reject for request 0
Sending Access-Reject of id 0 to 127.0.0.1 port 33977
        EAP-Message = 0x010100060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xca5a2b60ca5b268f8efac2a79a6aa6aa


We did check at which version the problem got introduced and found that 2.2.0 worked and 2.2.1 did not anymore. The relevant config looks like this:

authenticate {
.....
        Auth-Type EAP {
            eap {
                handled = 1
                invalid = 1
            }

            if (ok) {
                if ("%{TLS-Client-Cert-Subject}" !~ /\/CN=%{sql:SELECT subject8021x FROM tdevices WHERE mac = '%{Calling-Station-Id}'}/i) {
                    update control {
                        MACAU-Reason := "Cert-Subject <%{TLS-Client-Cert-Subject}> entspricht nicht dem Hinterlegten --> Remediation Netz"
                    }
                    handled
                }
                # if EAP worked, we need to override the VLAN, depending on the switch type
                elsif ("%{reply:Tunnel-Private-Group-ID}") {
                    update reply {
                        Tunnel-Private-Group-ID := "%{sql:SELECT ..... "
                    }
                }
                elsif ("%{reply:Extreme-Netlogin-Extended-Vlan}") {
                    update reply {
                        Extreme-Netlogin-Extended-Vlan := "%{sql:SELECT ....."
                    }
                }
                elsif ("%{reply:Xylan-Auth-Group}") {
                    update reply {
                        Xylan-Auth-Group := "%{sql:SELECT ...."
                    }
                }

                # store that 802.1x worked
                update control {
                    MACAU-Reason := "802.1x <%{TLS-Client-Cert-Subject}> authentifiziert"
                }

                # delete entries the switches don't like:
                #    <Warn:AAA.RADIUS.vsaUnknownVend> radDecodeVsa :Unknown vendor 311 16
                #    <Warn:AAA.RADIUS.vsaUnknownVend> radDecodeVsa :Unknown vendor 311 17
                update reply {
                    MS-MPPE-Recv-Key !* ANY
                    MS-MPPE-Send-Key !* ANY
                }
            }
            else {
                # EAP did not work
                if (EAP-Type == "NAK") {
                    update control {
                        MACAU-Reason := "Nicht unterstuetzter EAP Typ --> Client Fehlkonfiguration"
                    }
                }
                else {
                    update control {
                        MACAU-Reason := "Zertifikat ungueltig (z.b. revoked/abgelaufen)"
                    }
                }
            }
        }
}


We also found out that just putting "eap" without {} and Auth-Type EAP just before that code block works, but then the rest of the code is not executed. Where should I put the set/update of the attributes in the newer versions of freeradius?


Regards,
Robert
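To see what the EAP-Message values in the debug output above actually carry, here is an added decoder (not part of the original post or of FreeRADIUS): it parses the RFC 3748 EAP header and, for type 13, the EAP-TLS flags byte. The hex values are copied from the two debug traces; decoding them shows that both versions answer the client's Identity response with the same EAP-TLS Start request, which 2.2.6 then wraps in an Access-Reject instead of an Access-Challenge.

```python
# Added example: decode EAP-Message attribute values from FreeRADIUS debug
# output. The decoder is constructed here; the hex strings come from the post.

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS"}


def decode_eap(hex_value: str) -> dict:
    """Decode one EAP packet: code, id, length, type and type-specific data."""
    raw = hex_value[2:] if hex_value.startswith("0x") else hex_value
    data = bytes.fromhex(raw)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        # A mismatch here usually means a fragmented or truncated attribute
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:
        eap_type = data[4]
        payload = data[5:]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            # Identity: the rest of the packet is the (unauthenticated) NAI
            pkt["identity"] = payload.decode("utf-8", "replace")
        elif eap_type == 13:
            # EAP-TLS (RFC 5216): one flags byte, then optional length and TLS data
            flags = payload[0] if payload else 0
            pkt["flags"] = {
                "L": bool(flags & 0x80),  # TLS message length included
                "M": bool(flags & 0x40),  # more fragments follow
                "S": bool(flags & 0x20),  # EAP-TLS Start
            }
            pkt["tls_data_len"] = max(len(payload) - 1, 0)
    return pkt


# Copied from the 2.2.6 trace: client Identity response and server reply.
CLIENT_IDENTITY = "0x0200002101686f73742f4456542d334e31344e344a2e7469726f6c2e6c6f63616c"
SERVER_TLS_START = "0x010100060d20"

if __name__ == "__main__":
    for label, value in (("client -> server", CLIENT_IDENTITY),
                         ("server -> client", SERVER_TLS_START)):
        print(label, decode_eap(value))
```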




