Custom handling of EAP module reject

Alberto Martínez alberto.martinez at deusto.es
Fri Apr 7 12:26:53 CEST 2017


Hello,

Sorry for the lack of information in my first message. I was also so
focused on that error being on the inner-tunnel side that I overlooked what
the debug was telling me.

I've been fiddling a bit with the configuration and understanding how it
works a bit better.

The problem I have remains largely the same: a well-configured client (and
by well I especially mean that it validates CA and CN) is offered (on
purpose) a different certificate from what it expects. I expect the client
to reject it, of course, but instead of hard-rejecting it I wish I could
make it retry promptly (issue another Challenge?, some different
EAP-Message in the Access-Reject?), or else offer it the server
certificate it expects via another eap module configuration (eap_legit).

I'm pasting the latest sites-enabled/default config and the relevant debug
excerpt:

server default {
listen {
    type = auth
    ipaddr = *
    port = 0

    limit {
          max_connections = 16
          lifetime = 0
          idle_timeout = 30
    }
}

listen {
    ipaddr = *
    port = 0
    type = acct

    limit {

    }
}

authorize {
    filter_username

    preprocess

    chap

    mschap

    suffix
    split_username_nai
    rewrite_calling_station_id
    ntdomain

    files

    if (!ok && request:Realm == 'NULL') {
        update reply {
            Reply-Message := 'Username should have domain'
        }
        reject
    }

    if (!ok && (&Realm == '<redacted>' || &Realm == '<redacted>')) {
        update control {
            Tmp-Integer-0 := "%{sql_rogue:SELECT COUNT(*) FROM ok_user_mac WHERE user_mac_id = (SELECT id FROM user_mac WHERE user = '%{request:User-Name}' AND mac = '%{request:Calling-Station-Id}')}"
            Tmp-Integer-1 := "%{sql_rogue:SELECT COUNT(*) FROM ko_user_mac WHERE user_mac_id = (SELECT id FROM user_mac WHERE user = '%{request:User-Name}' AND mac = '%{request:Calling-Station-Id}')}"
        }

        if (&control:Tmp-Integer-1 > 0) {
            reject
        }
        elsif (&State || &control:Tmp-Integer-0 == 0) {
            eap_rogue {
                ok = return
            }
        }
        else {
            eap_legit {
                ok = return
            }
        }
    }
    else {
        eap_legit {
            ok = return
        }
    }

    pap

}

authenticate {
    Auth-Type PAP {
        pap
    }

    Auth-Type CHAP {
        chap
    }

    Auth-Type MS-CHAP {
        mschap
    }

    mschap

    eap_legit

    Auth-Type eap_rogue {
        update control {
            Tmp-String-0 := 'TRY'
        }
        eap_rogue
        update control {
            Tmp-String-0 !* ANY
        }
    }

}

preacct {
    preprocess

    rewrite_calling_station_id

    acct_unique

    suffix

    files
}

accounting {
    detail

    log_sec_acct

    attr_filter.accounting_response

}

session {

}

post-auth {

    update {
        &reply: += &session-state:
    }

    remove_reply_message_if_eap

    Post-Auth-Type REJECT {
        attr_filter.access_reject

        eap_legit

        remove_reply_message_if_eap

        if (&control:Tmp-String-0 == 'TRY') {
            "%{sql_rogue:CALL to_ok_user_mac('%{User-Name}', '%{Calling-Station-Id}')}"
            update reply {
                EAP-Message := 0x04060004   # <---- Trying with a poorly chosen EAP-Message
            }
        }
    }

    Post-Auth-Type Challenge {
    }
}

pre-proxy {
}

post-proxy {
    eap_legit
}

}

---------------------

(4) Found Auth-Type = eap_rogue
(4) # Executing group from file /usr/local/freeradius-3.0.13/etc/raddb/sites-enabled/default
(4)   Auth-Type eap_rogue {
(4)     update control {
(4)       Tmp-String-0 := 'TRY'
(4)     } # update control = noop
(4) eap_rogue: Expiring EAP session with state 0x0c576b440f5272f5
(4) eap_rogue: Finished EAP session with state 0x0c576b440f5272f5
(4) eap_rogue: Previous EAP request found for state 0x0c576b440f5272f5, released from the list
(4) eap_rogue: Peer sent packet with method EAP PEAP (25)
(4) eap_rogue: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 7 bytes
(4) eap_peap: Got complete TLS record (7 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca
(4) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
(4) eap_peap: ERROR: TLS_accept: Failed in unknown state
(4) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
(4) eap_peap: ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
(4) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
(4) eap_peap: ERROR: System call (I/O) error (-1)
(4) eap_peap: ERROR: TLS receive handshake failed during operation
(4) eap_peap: ERROR: [eaptls process] = fail
(4) eap_rogue: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(4) eap_rogue: Sending EAP Failure (code 4) ID 5 length 4
(4) eap_rogue: Failed in EAP select
(4)     [eap_rogue] = invalid
(4)   } # Auth-Type eap_rogue = invalid
(4) Failed to authenticate the user
(4) Login incorrect (eap_peap: TLS Alert read:fatal:unknown CA): [<redacted>] (from client OAW_4650 port 0 cli A0-88-B4-2B-7F-E8)
(4) Using Post-Auth-Type Reject
(4) # Executing group from file /usr/local/freeradius-3.0.13/etc/raddb/sites-enabled/default
(4)   Post-Auth-Type REJECT {
(4) attr_filter.access_reject: EXPAND %{User-Name}
(4) attr_filter.access_reject:    --> <redacted>
(4) attr_filter.access_reject: Matched entry DEFAULT at line 11
(4)     [attr_filter.access_reject] = updated
(4)     [eap_legit] = noop
(4)     policy remove_reply_message_if_eap {
(4)       if (&reply:EAP-Message && &reply:Reply-Message) {
(4)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(4)       else {
(4)         [noop] = noop
(4)       } # else = noop
(4)     } # policy remove_reply_message_if_eap = noop
(4)     if (&control:Tmp-String-0 == 'TRY') {
(4)     if (&control:Tmp-String-0 == 'TRY')  -> TRUE
(4)     if (&control:Tmp-String-0 == 'TRY')  {
rlm_sql (sql_edurogue): Reserved connection (4)
(4)       Executing select query: CALL to_ok_user_mac('<redacted>', 'A0-88-B4-2B-7F-E8')
(4)       SQL query returned no results
rlm_sql (sql_edurogue): Released connection (4)
(4)       EXPAND %{sql_rogue:CALL to_ok_user_mac('%{User-Name}', '%{Calling-Station-Id}')}
(4)          -->
(4)       update reply {
(4)         EAP-Message := 0x04060004
(4)       } # update reply = noop
(4)     } # if (&control:Tmp-String-0 == 'TRY')  = noop
(4)   } # Post-Auth-Type REJECT = updated
(4) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.


I confess that EAP-Message is a mystery to me and I don't know yet what
it can signal to the client.

Thanks,
Alberto
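To make sense of the EAP-Message value hard-coded in the config above (0x04060004) and the "EAP Failure (code 4) ID 5 length 4" in the debug output, here is an added decoder for the EAP packet header as defined in RFC 3748; it is example code written for this page, not part of the original thread or of FreeRADIUS, and the Request/Response sample packets below are constructed.

```python
import struct

# EAP packet codes, RFC 3748 section 4.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# A few EAP method types from the IANA registry; 25 is PEAP, the method in the debug above.
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def parse_eap_message(data: bytes) -> dict:
    """Decode one EAP packet (the payload of a RADIUS EAP-Message attribute).

    Returns code/id/length and, for Request/Response, the Type byte and its
    type-data. Raises ValueError on malformed input.
    """
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(data):
        raise ValueError(f"EAP Length {length} does not fit {len(data)} bytes of data")
    packet = {"code": code, "code_name": EAP_CODES[code], "id": ident, "length": length}
    if code in (3, 4):
        # Success and Failure carry no Type and no data: Length MUST be 4 (RFC 3748 4.2).
        if length != 4:
            raise ValueError(f"{EAP_CODES[code]} must have Length 4, got {length}")
        return packet
    if length < 5:
        raise ValueError("Request/Response needs a Type byte")
    packet["type"] = data[4]
    packet["type_name"] = EAP_TYPES.get(data[4], f"type-{data[4]}")
    packet["type_data"] = data[5:length]
    return packet


def describe(hex_value: str) -> str:
    """One-line summary of an EAP-Message given as the hex literal used in unlang."""
    p = parse_eap_message(bytes.fromhex(hex_value.removeprefix("0x")))
    summary = f"{p['code_name']} id={p['id']} len={p['length']}"
    if "type" in p:
        summary += f" type={p['type_name']} data={p['type_data'].hex() or '-'}"
    return summary


if __name__ == "__main__":
    # The value hard-coded in the config above, and the Failure the module itself sent.
    print(describe("0x04060004"))  # Failure id=6 len=4
    print(describe("04050004"))     # Failure id=5 len=4
    # Constructed: an EAP-Request/Identity with Identifier 1.
    print(describe("0101000501"))   # Request id=1 len=5 type=Identity data=-
```

A Failure packet has no room for any data, so the only thing it can convey is "authentication failed"; RFC 3748 also requires its Identifier to match the Response it answers, so a fixed Identifier (6 here, while the module's own Failure used ID 5) is one a conforming peer will silently discard.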
