Custom handling of EAP module reject
Alberto Martínez
alberto.martinez at deusto.es
Fri Apr 7 12:26:53 CEST 2017
Hello,
Sorry for the lack of information in my first message. I was also so
focused on that error being on the inner-tunnel side that I overlooked what
the debug was telling me.
I've been fiddling a bit with the configuration and understanding how it
works a bit better.
The problem I have remains largely the same: a well-configured client (and
by well I especially mean that it validates CA and CN) is offered (on
purpose) a different certificate from what it expects. I expect the client
to reject it, of course, but instead of hard-rejecting it I wish I could
make it retry promptly (issue another Challenge?, some different
EAP-Message in the Access-Reject?), or else offer it the server
certificate it expects via another eap module configuration (eap_legit).
I'm pasting the latest sites-enabled/default config and the relevant debug
excerpt:
server default {
    listen {
        type = auth
        ipaddr = *
        port = 0
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }
    listen {
        ipaddr = *
        port = 0
        type = acct
        limit {
        }
    }
    authorize {
        filter_username
        preprocess
        chap
        mschap
        suffix
        split_username_nai
        rewrite_calling_station_id
        ntdomain
        files
        if (!ok && request:Realm == 'NULL') {
            update reply {
                Reply-Message := 'Username should have domain'
            }
            reject
        }
        if (!ok && (&Realm == '<redacted>' || &Realm == '<redacted>')) {
            update control {
                Tmp-Integer-0 := "%{sql_rogue:SELECT COUNT(*) FROM ok_user_mac WHERE user_mac_id = (SELECT id FROM user_mac WHERE user = '%{request:User-Name}' AND mac = '%{request:Calling-Station-Id}')}"
                Tmp-Integer-1 := "%{sql_rogue:SELECT COUNT(*) FROM ko_user_mac WHERE user_mac_id = (SELECT id FROM user_mac WHERE user = '%{request:User-Name}' AND mac = '%{request:Calling-Station-Id}')}"
            }
            if (&control:Tmp-Integer-1 > 0) {
                reject
            }
            elsif (&State || &control:Tmp-Integer-0 == 0) {
                eap_rogue {
                    ok = return
                }
            }
            else {
                eap_legit {
                    ok = return
                }
            }
        }
        else {
            eap_legit {
                ok = return
            }
        }
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        mschap
        eap_legit
        Auth-Type eap_rogue {
            update control {
                Tmp-String-0 := 'TRY'
            }
            eap_rogue
            update control {
                Tmp-String-0 !* ANY
            }
        }
    }
    preacct {
        preprocess
        rewrite_calling_station_id
        acct_unique
        suffix
        files
    }
    accounting {
        detail
        log_sec_acct
        attr_filter.accounting_response
    }
    session {
    }
    post-auth {
        update {
            &reply: += &session-state:
        }
        remove_reply_message_if_eap
        Post-Auth-Type REJECT {
            attr_filter.access_reject
            eap_legit
            remove_reply_message_if_eap
            if (&control:Tmp-String-0 == 'TRY') {
                "%{sql_rogue:CALL to_ok_user_mac('%{User-Name}', '%{Calling-Station-Id}')}"
                update reply {
                    # Trying with a poorly chosen EAP-Message
                    EAP-Message := 0x04060004
                }
            }
        }
        Post-Auth-Type Challenge {
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap_legit
    }
}
---------------------
(4) Found Auth-Type = eap_rogue
(4) # Executing group from file /usr/local/freeradius-3.0.13/etc/raddb/sites-enabled/default
(4)   Auth-Type eap_rogue {
(4)     update control {
(4)       Tmp-String-0 := 'TRY'
(4)     } # update control = noop
(4) eap_rogue: Expiring EAP session with state 0x0c576b440f5272f5
(4) eap_rogue: Finished EAP session with state 0x0c576b440f5272f5
(4) eap_rogue: Previous EAP request found for state 0x0c576b440f5272f5, released from the list
(4) eap_rogue: Peer sent packet with method EAP PEAP (25)
(4) eap_rogue: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 7 bytes
(4) eap_peap: Got complete TLS record (7 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca
(4) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
(4) eap_peap: ERROR: TLS_accept: Failed in unknown state
(4) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
(4) eap_peap: ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
(4) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
(4) eap_peap: ERROR: System call (I/O) error (-1)
(4) eap_peap: ERROR: TLS receive handshake failed during operation
(4) eap_peap: ERROR: [eaptls process] = fail
(4) eap_rogue: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(4) eap_rogue: Sending EAP Failure (code 4) ID 5 length 4
(4) eap_rogue: Failed in EAP select
(4)     [eap_rogue] = invalid
(4)   } # Auth-Type eap_rogue = invalid
(4) Failed to authenticate the user
(4) Login incorrect (eap_peap: TLS Alert read:fatal:unknown CA): [<redacted>] (from client OAW_4650 port 0 cli A0-88-B4-2B-7F-E8)
(4) Using Post-Auth-Type Reject
(4) # Executing group from file /usr/local/freeradius-3.0.13/etc/raddb/sites-enabled/default
(4)   Post-Auth-Type REJECT {
(4) attr_filter.access_reject: EXPAND %{User-Name}
(4) attr_filter.access_reject:    --> <redacted>
(4) attr_filter.access_reject: Matched entry DEFAULT at line 11
(4)     [attr_filter.access_reject] = updated
(4)     [eap_legit] = noop
(4)     policy remove_reply_message_if_eap {
(4)       if (&reply:EAP-Message && &reply:Reply-Message) {
(4)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(4)       else {
(4)         [noop] = noop
(4)       } # else = noop
(4)     } # policy remove_reply_message_if_eap = noop
(4)     if (&control:Tmp-String-0 == 'TRY') {
(4)     if (&control:Tmp-String-0 == 'TRY')  -> TRUE
(4)     if (&control:Tmp-String-0 == 'TRY')  {
rlm_sql (sql_edurogue): Reserved connection (4)
(4) Executing select query: CALL to_ok_user_mac('<redacted>', 'A0-88-B4-2B-7F-E8')
(4) SQL query returned no results
rlm_sql (sql_edurogue): Released connection (4)
(4) EXPAND %{sql_rogue:CALL to_ok_user_mac('%{User-Name}', '%{Calling-Station-Id}')}
(4)    -->
(4)       update reply {
(4)         EAP-Message := 0x04060004
(4)       } # update reply = noop
(4)     } # if (&control:Tmp-String-0 == 'TRY')  = noop
(4)   } # Post-Auth-Type REJECT = updated
(4) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
I confess that EAP-Message is a mystery to me and I don't know yet what
it can signal to the client.
Thanks,
Alberto
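As an added example (not code from the original post, nor from FreeRADIUS itself), the Python below decodes the octets that end up in a RADIUS EAP-Message attribute using the RFC 3748 packet layout (Code, Identifier, Length, then a Type byte for Request and Response only) and builds packets the other way round. Fed the literal from the Post-Auth-Type REJECT block above, 0x04060004 comes out as an EAP Failure (code 4) with identifier 6 and length 4, the same kind of packet eap_rogue had just sent as "EAP Failure (code 4) ID 5 length 4" in the debug; a Failure is terminal for the peer, and only a Request (code 1) asks it for another response. The build_eap(1, 6, 1) call at the end is a hypothetical Request/Identity included only to contrast the two encodings; whether a given supplicant would act on one in this situation is not something the post establishes.

```python
# Added example (not from the original post or the FreeRADIUS project): decode and
# build the EAP packets that travel inside RADIUS EAP-Message attributes (RFC 3748).
import struct
from dataclasses import dataclass
from typing import Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Method types from the IANA EAP registry that matter for a PEAP deployment.
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


@dataclass(frozen=True)
class EapPacket:
    code: int
    identifier: int
    length: int
    type: Optional[int]   # only Request/Response carry a Type byte
    data: bytes           # method-specific payload after the Type byte

    @property
    def code_name(self) -> str:
        return EAP_CODES[self.code]

    @property
    def type_name(self) -> Optional[str]:
        if self.type is None:
            return None
        return EAP_TYPES.get(self.type, "unknown")


def parse_eap(raw: bytes) -> EapPacket:
    """Parse one EAP packet, rejecting anything that violates the RFC 3748 layout."""
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes, got %d" % len(raw))
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if code not in EAP_CODES:
        raise ValueError("unknown EAP code %d" % code)
    if length != len(raw):
        raise ValueError("Length field %d does not match %d bytes on the wire"
                         % (length, len(raw)))
    if code in (3, 4):
        # Success and Failure are header-only: no Type byte, no data.
        if length != 4:
            raise ValueError("EAP %s must be exactly 4 bytes" % EAP_CODES[code])
        return EapPacket(code, ident, length, None, b"")
    if length < 5:
        raise ValueError("EAP %s needs a Type byte" % EAP_CODES[code])
    return EapPacket(code, ident, length, raw[4], raw[5:])


def parse_eap_literal(text: str) -> EapPacket:
    """Accept the 0x... form used in an unlang `update reply { EAP-Message := 0x... }`."""
    text = text.strip()
    if text[:2].lower() == "0x":
        text = text[2:]
    return parse_eap(bytes.fromhex(text))


def build_eap(code: int, ident: int, eap_type: Optional[int] = None,
              data: bytes = b"") -> bytes:
    """Serialise an EAP packet; the Length field is computed, never hand-typed."""
    if code not in EAP_CODES:
        raise ValueError("unknown EAP code %d" % code)
    if code in (3, 4):
        if eap_type is not None or data:
            raise ValueError("Success/Failure carry no Type or data")
        body = b""
    else:
        if eap_type is None:
            raise ValueError("Request/Response need a Type")
        body = bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def unlang_literal(raw: bytes) -> str:
    """Render packet bytes the way unlang wants them in an `update` block."""
    return "0x" + raw.hex()


def describe(pkt: EapPacket) -> str:
    """Describe a packet in the same words the FreeRADIUS debug output uses."""
    text = "EAP %s (code %d) ID %d length %d" % (
        pkt.code_name, pkt.code, pkt.identifier, pkt.length)
    if pkt.type is not None:
        text += " type %s (%d)" % (pkt.type_name, pkt.type)
    return text


if __name__ == "__main__":
    # The literal from the Post-Auth-Type REJECT block, and the packet the debug
    # output says eap_rogue had just sent (constructed from the logged values).
    for literal in ("0x04060004", "0x04050004"):
        print(literal, "->", describe(parse_eap_literal(literal)))
    # Hypothetical contrast: a Request/Identity with the next identifier is the
    # only packet kind that asks the peer for another answer.
    retry = build_eap(1, 6, 1)
    print(unlang_literal(retry), "->", describe(parse_eap(retry)))
```

The describe() wording deliberately mirrors the FreeRADIUS debug lines, so a literal destined for an update block can be checked against what the server actually logged before it goes into the config; the Length check in parse_eap() is what catches a hand-typed literal whose length field disagrees with its byte count.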