TLS Variables not set
Luke Pascoe
luke at osnz.co.nz
Fri Apr 21 05:28:39 CEST 2017
Hi,
I'm having trouble getting some basic TLS checks working for a Wifi EAP-TLS
connection.
Centos7, freeradius 3.0.4
Basically I'm messing around with the built-in check-eap-tls virtual
server, as a pre-requisite to some more complex matching I want to do, but
it's not working as it would seem it should.
My client connects using a valid cert, I see TLS "stuff" in the logs like
this:
(5) Auth-Type eap {
(5) eap : Expiring EAP session with state 0x9e6f4ada9ae847d4
(5) eap : Finished EAP session with state 0x9e6f4ada9ae847d4
(5) eap : Previous EAP request found for state 0x9e6f4ada9ae847d4,
released from the list
(5) eap : Peer sent method TLS (13)
(5) eap : EAP TLS (13)
(5) eap : Calling eap_tls to process EAP data
(5) eap_tls : Authenticate
(5) eap_tls : processing EAP-TLS
(5) eap_tls : eaptls_verify returned 7
(5) eap_tls : Done initial handshake
(5) eap_tls : <<< TLS 1.0 Handshake [length 04c4], Certificate
(5) eap_tls : chain-depth=1,
(5) eap_tls : error=0
(5) eap_tls : --> User-Name = lpascoe
(5) eap_tls : --> BUF-Name = NZHothouse CA
(5) eap_tls : --> subject =
/C=NZ/ST=AKL/L=Auckland/O=NZHothouse/CN=NZHothouse CA/emailAddress=
admin at nzhothouse.co.nz
(5) eap_tls : --> issuer =
/C=NZ/ST=AKL/L=Auckland/O=NZHothouse/CN=NZHothouse CA/emailAddress=
admin at nzhothouse.co.nz
(5) eap_tls : --> verify return:1
(5) eap_tls : chain-depth=0,
(5) eap_tls : error=0
(5) eap_tls : --> User-Name = lpascoe
(5) eap_tls : --> BUF-Name = lpascoe
(5) eap_tls : --> subject =
/C=NZ/ST=AKL/L=Auckland/O=NZHothouse/CN=lpascoe/emailAddress=
admin at nzhothouse.co.nz
(5) eap_tls : --> issuer =
/C=NZ/ST=AKL/L=Auckland/O=NZHothouse/CN=NZHothouse CA/emailAddress=
admin at nzhothouse.co.nz
(5) eap_tls : --> verify return:1
(5) eap_tls : TLS_accept: SSLv3 read client certificate A
(5) eap_tls : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(5) eap_tls : TLS_accept: SSLv3 read client key exchange A
(5) eap_tls : <<< TLS 1.0 Handshake [length 0106], CertificateVerify
(5) eap_tls : TLS_accept: SSLv3 read certificate verify A
(5) eap_tls : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_tls : <<< TLS 1.0 Handshake [length 0010], Finished
(5) eap_tls : TLS_accept: SSLv3 read finished A
(5) eap_tls : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(5) eap_tls : TLS_accept: SSLv3 write change cipher spec A
(5) eap_tls : >>> TLS 1.0 Handshake [length 0010], Finished
(5) eap_tls : TLS_accept: SSLv3 write finished A
(5) eap_tls : TLS_accept: SSLv3 flush data
(5) eap_tls : (other): SSL negotiation finished successfully
SSL Connection Established
(5) eap_tls : eaptls_process returned 13
So I'm pretty certain that part is working correctly.
However when we get to the check-eap-tls part, the variables it expects to
match against aren't populated:
(6) # Executing section authorize from file
/etc/raddb/sites-enabled/check-eap-tls
(6) authorize {
(6) update config {
(6) Auth-Type := Accept
(6) } # update config = noop
(6) if ("%{TLS-Client-Cert-Common-Name}" == "client.example.com")
(6) EXPAND %{TLS-Client-Cert-Common-Name}
(6) -->
(6) if ("%{TLS-Client-Cert-Common-Name}" == "client.example.com") ->
FALSE
(6) else else {
(6) update config {
(6) Auth-Type := Reject
(6) } # update config = noop
(6) update reply {
(6) Reply-Message := 'Your certificate is not valid.'
(6) } # update reply = noop
(6) } # else else = noop
As you can see the expansion for %{TLS-Client-Cert-Common-Name} is an empty
string.
This is the variable I want to match against in future.
Any suggestions around what I need to enable to get these TLS variables
populated would be greatly appreciated.
Thanks.
Luke Pascoe
E: luke at osnz.co.nz
P: +64 (9) 296 2961
M: +64 (27) 426 6649
W: www.osnz.co.nz
24 Wellington St
Papakura
Auckland, 2110
New Zealand
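As an added illustration (not part of the original post or of FreeRADIUS), the script below parses eap_tls debug lines like the ones quoted above and recovers, per chain depth, the verify result and the subject/issuer, then reports the depth-0 (client) certificate CN, which is the value TLS-Client-Cert-Common-Name is expected to carry in check-eap-tls. The sample log is constructed from the post's request (5) output, with the mailing-list line wraps re-joined.

```python
import re

# Constructed sample modelled on the post's request (5) debug output
# (mailing-list line wraps re-joined, emailAddress dropped for brevity).
SAMPLE_LOG = """\
(5) eap_tls : chain-depth=1,
(5) eap_tls : error=0
(5) eap_tls : --> subject = /C=NZ/ST=AKL/L=Auckland/O=NZHothouse/CN=NZHothouse CA
(5) eap_tls : --> issuer = /C=NZ/ST=AKL/L=Auckland/O=NZHothouse/CN=NZHothouse CA
(5) eap_tls : --> verify return:1
(5) eap_tls : chain-depth=0,
(5) eap_tls : error=0
(5) eap_tls : --> subject = /C=NZ/ST=AKL/L=Auckland/O=NZHothouse/CN=lpascoe
(5) eap_tls : --> issuer = /C=NZ/ST=AKL/L=Auckland/O=NZHothouse/CN=NZHothouse CA
(5) eap_tls : --> verify return:1
"""

_DEPTH = re.compile(r"eap_tls : chain-depth=(\d+),")   # starts one cert block
_ERROR = re.compile(r"eap_tls : error=(\d+)")          # OpenSSL verify error code
_VERIFY = re.compile(r"eap_tls : --> verify return:(\d)")
_KV = re.compile(r"eap_tls : --> (\S+) = (.*)$")       # subject, issuer, BUF-Name

def parse_chain(log):
    """One dict per chain-depth block, in the order the server checked them.
    Depth 0 is the client's own (leaf) certificate."""
    chain = []
    for line in log.splitlines():
        if m := _DEPTH.search(line):
            chain.append({"depth": int(m.group(1)), "error": 0, "verify_ok": False})
        elif not chain:
            continue                      # lines before the first chain-depth
        elif m := _ERROR.search(line):
            chain[-1]["error"] = int(m.group(1))
        elif m := _VERIFY.search(line):
            chain[-1]["verify_ok"] = m.group(1) == "1"
        elif m := _KV.search(line):
            chain[-1][m.group(1)] = m.group(2).strip()
    return chain

def client_cert_cn(log):
    """CN of the depth-0 cert (what TLS-Client-Cert-Common-Name should hold),
    or None unless every depth logged verify return:1 with error=0."""
    chain = parse_chain(log)
    if not chain or not all(c["verify_ok"] and c["error"] == 0 for c in chain):
        return None
    leaf = next((c for c in chain if c["depth"] == 0), None)
    m = re.search(r"/CN=([^/]*)", leaf.get("subject", "")) if leaf else None
    return m.group(1) if m else None
```

Running it over a real debug capture shows which CN the server actually verified, so an empty expansion in check-eap-tls can be distinguished from a CN that simply does not match the policy string.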