EAP-TLS - How to log TLS-Client-Cert-* attributes from expired certificates

Andreas Gryphius lists.freeradius.org at ulle.dyndns.org
Fri Feb 15 10:02:36 CET 2019


Hello freeradius user list,
I have a running freeradius from the default package coming with Debian 
9 stretch, which is based on version 3.0.12. It is configured to auth 
only via EAP-TLS. Clients send their certificates, no passwords and no 
(real) username. Accepts and Rejects work as expected.

What I am not happy with is that I cannot find a way to log the 
certificate details if a user is sending an expired certificate.

For users with valid certificates I see all the values for 
TLS-Client-Cert-* in %{pairs:request:} in linelog. The linelog command 
for successful auth is set in the post-auth{} section in 
sites-enabled/default.

With expired client certificates the eap module jumps directly into
Post-Auth-Type REJECT {} (located within the post-auth{} section) and none 
of the TLS-Client-Cert-* details are available (I tried with debug_all). 
Only Module-Failure-Message mentions "... expired certificate ..." 
and some SSL info.
As all of the clients are configured to use an anonymised identity (all 
use the same) as the username, I cannot see to whom the expired 
certificate belongs.

In debug mode it says there are TLS attributes created for an expired 
certificate. So there might be hope to save them for later use ...
Does anyone have an idea how I can make these attributes available in 
linelog?

This is an example of what I get for an expired certificate in debug mode. 
Note the lines
(226) eap_tls: Creating attributes from certificate OIDs
I want to log the value of TLS-Client-Cert-Subject and/or 
TLS-Client-Cert-Common-Name.

freeradius -fxx -l stdout 2>&1 | tee /tmp/freeradius_debug.log


Thread 4 handling request 226, (92 handled so far)
(226) Received Access-Request Id 110 from 10.1.2.3:32847 to 
10.100.0.1:1812 length 554
(226)   User-Name = "anonymous at example.org"
(226)   NAS-IP-Address = 192.168.1.12
(226)   NAS-Identifier = "0418d67042af"
(226)   NAS-Port = 0
(226)   Called-Station-Id = "04-18-D6-78-55-E1:wifi-radius"
(226)   Calling-Station-Id = "60-36-DD-7C-E2-DC"
(226)   Framed-MTU = 1400
(226)   NAS-Port-Type = Wireless-802.11
(226)   Connect-Info = "CONNECT 0Mbps 802.11b"
(226)   EAP-Message = xxxxxxxxx...
(226)   State = 0x3aec898e31c584882f19a28945c85c1b
(226)   Message-Authenticator = 0x8eeb70cc5c6a84bf36523e303d207ff6
(226) session-state: No cached attributes
(226) # Executing section authorize from file 
/etc/freeradius/3.0/sites-enabled/default
(226)   authorize {
(226)     policy split_username_nai {
(226)       if (&User-Name && (&User-Name =~ 
/^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/)) {
(226)       if (&User-Name && (&User-Name =~ 
/^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  -> TRUE
(226)       if (&User-Name && (&User-Name =~ 
/^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  {
(226)         update request {
(226)           EXPAND %{1}
(226)              --> anonymous
(226)           &Stripped-User-Name := anonymous
(226)           EXPAND %{3}
(226)              --> example.org
(226)           &Stripped-User-Domain = example.org
(226)         } # update request = noop
(226)         [updated] = updated
(226)       } # if (&User-Name && (&User-Name =~ 
/^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$/))  = updated
(226)       ... skipping else: Preceding "if" was taken
(226)     } # policy split_username_nai = updated
(226)     if (noop || !&Stripped-User-Domain) {
(226)     if (noop || !&Stripped-User-Domain)  -> FALSE
(226)     if (&Stripped-User-Domain != "example.org") {
(226)     if (&Stripped-User-Domain != "example.org")  -> FALSE
(226)     if ( &Stripped-User-Name !~ /otherPKI/i ) {
(226)     if ( &Stripped-User-Name !~ /otherPKI/i )  -> TRUE
(226)     if ( &Stripped-User-Name !~ /otherPKI/i )  {
(226) eap: Peer sent EAP Response (code 2) ID 41 length 369
(226) eap: No EAP Start, assuming it's an on-going EAP conversation
(226)       [eap] = updated
(226)       return
(226)     } # if ( &Stripped-User-Name !~ /otherPKI/i )  = updated
(226)   } # authorize = updated
(226) Found Auth-Type = eap
(226) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(226)   authenticate {
(226) eap: Expiring EAP session with state 0x3aec898e31c58488
(226) eap: Finished EAP session with state 0x3aec898e31c58488
(226) eap: Previous EAP request found for state 0x3aec898e31c58488, 
released from the list
(226) eap: Peer sent packet with method EAP TLS (13)
(226) eap: Calling submodule eap_tls to process data
(226) eap_tls: Continuing EAP-TLS
(226) eap_tls: Got final TLS record fragment (363 bytes)
(226) eap_tls: [eaptls verify] = ok
(226) eap_tls: Done initial handshake
(226) eap_tls: TLS_accept: SSLv3/TLS write server done
(226) eap_tls: <<< recv TLS 1.2  [length 13a3]
(226) eap_tls: Creating attributes from certificate OIDs
(226) eap_tls: Creating attributes from certificate OIDs
(226) eap_tls: Creating attributes from certificate OIDs
(226) eap_tls:   TLS-Cert-Serial := "17887d08b33e3d"
(226) eap_tls:   TLS-Cert-Expiration := "190709235900Z"
(226) eap_tls:   TLS-Cert-Subject := 
"/C=DE/O=Example/OU=ExampleOU/CN=Example-CA-02"
(226) eap_tls:   TLS-Cert-Issuer := 
"/C=DE/O=Example/OU=Example-PKI/CN=Example-CA-01"
(226) eap_tls:   TLS-Cert-Common-Name := "Example-CA-02"
(226) eap_tls:   TLS-Cert-Subject-Alt-Name-Email := "ca at example.org"
(226) eap_tls: Creating attributes from certificate OIDs
(226) eap_tls:   TLS-Client-Cert-Serial := "1a694699888a48"
(226) eap_tls:   TLS-Client-Cert-Expiration := "181115121610Z"
(226) eap_tls:   TLS-Client-Cert-Subject := 
"/C=DE/ST=ExampleST/L=ExampleL/O=Example/OU=ExampleOU/CN=Expired_Example_Cert"
(226) eap_tls:   TLS-Client-Cert-Issuer := 
"/C=DE/O=Example/OU=ExampleOU/CN=Example-CA-02"
(226) eap_tls:   TLS-Client-Cert-Common-Name := "Expired_Example_Cert"
(226) eap_tls:   TLS-Client-Cert-Subject-Alt-Name-Upn := 
"anonymous at example.org"
(226) eap_tls:   TLS-Client-Cert-Subject-Alt-Name-Email := 
"gryphius at example.org"
(226) eap_tls:   ERROR: SSL says error 10 : certificate has expired
(226) eap_tls: >>> send TLS 1.2  [length 0002]
(226) eap_tls: ERROR: TLS Alert write:fatal:certificate expired
tls: TLS_accept: Error in error
(226) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): 
error:1417C086:SSL routines:tls_process_client_certificate:certificate 
verify failed
(226) eap_tls: ERROR: System call (I/O) error (-1)
(226) eap_tls: ERROR: TLS receive handshake failed during operation
(226) eap_tls: ERROR: [eaptls process] = fail
(226) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP 
sub-module failed
(226) eap: Sending EAP Failure (code 4) ID 41 length 4
(226) eap: Failed in EAP select
(226)     [eap] = invalid
(226)   } # authenticate = invalid
(226) Failed to authenticate the user
(226) Using Post-Auth-Type Reject
(226) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(226)   Post-Auth-Type REJECT {
(226)     if ( &Module-Failure-Message[1] =~ /expired/ ) {
(226)     if ( &Module-Failure-Message[1] =~ /expired/ )  -> TRUE
(226)     if ( &Module-Failure-Message[1] =~ /expired/ )  -> TRUE
(226)     if ( &Module-Failure-Message[1] =~ /expired/ )  {
(226) linelog_cert_expired: EXPAND +++++ linelog_CERT-EXPIRED +++++, 
%{pairs:session-state:}
(226) linelog_cert_expired:    --> +++++ linelog_CERT-EXPIRED +++++,
(226)       [linelog_cert_expired] = ok
(226)     } # if ( &Module-Failure-Message[1] =~ /expired/ )  = ok
(226) attr_filter.access_reject: EXPAND %{User-Name}
(226) attr_filter.access_reject:    --> anonymous at example.org
(226) attr_filter.access_reject: Matched entry DEFAULT at line 11
(226)     [attr_filter.access_reject] = updated
(226) linelog_send_reject: EXPAND action = Send-REJECT, User-Name = 
"%{User-Name}", Acesspoint-IP = "%{NAS-IP-Address}", Endgeraet-MAC = 
"%{Calling-Station-Id}", Stripped-User-Name = "%{Stripped-User-Name}", 
Stripped-User-Domain = "%{Stripped-User-Domain}", EAP-Type = 
"%{EAP-Type}", Module-Failure-Message(s) = "%{Module-Failure-Message[*]}"
(226) linelog_send_reject:    --> action = Send-REJECT, User-Name = 
"anonymous at example.org", Acesspoint-IP = "192.168.1.12", Endgeraet-MAC = 
"60-36-DD-7C-E2-DC", Stripped-User-Name = "anonymous", 
Stripped-User-Domain = "example.org", EAP-Type = "TLS", 
Module-Failure-Message(s) = "eap_tls: SSL says error 10 : certificate 
has expired,eap_tls: TLS Alert write:fatal:certificate expired,eap_tls: 
Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL 
routines:tls_process_client_certificate:certificate verify 
failed,eap_tls: System call (I/O) error (-1),eap_tls: TLS receive 
handshake failed during operation,eap_tls: [eaptls process] = fail,eap: 
Failed continuing EAP TLS (13) session.  EAP sub-module failed"
(226)     [linelog_send_reject] = ok
(226)   } # Post-Auth-Type REJECT = updated
(226) Delaying response for 1.000000 seconds

Thanks, Andreas
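
The debug output above shows that eap_tls does print the TLS-Client-Cert-* values for the expired certificate before the verify error, even though they never reach the request list that Post-Auth-Type REJECT and linelog see. Since the post already tees that debug output to /tmp/freeradius_debug.log, one stop-gap is to correlate the attribute lines with the SSL verify error and the Calling-Station-Id of the same request number after the fact. The script below is an added example written for this thread, not code from the post or from FreeRADIUS. It assumes the line format shown above (request number in parentheses at the start of every line, one `TLS-Client-Cert-<field> := "<value>"` line per certificate field, a verify failure reported as `ERROR: SSL says error <n> : <reason>`), joins attribute values that a mail client wrapped onto the next line, ignores the TLS-Cert-* lines of the issuing CA, and treats a reused request number as a new conversation. The sample log is constructed from the values in the post plus one made-up successful request (227) to show that it is left out; the field labels in the output line are the ones the post's linelog already uses.

```python
"""Correlate TLS-Client-Cert-* attributes with certificate-verify failures
in FreeRADIUS 3.0 debug output (freeradius -X / -fxx -l stdout).

Added example for this thread; not part of the post or of FreeRADIUS.
"""
import re
from typing import Dict, List, Optional, Tuple

REQ_START = re.compile(r'^\((\d+)\) Received Access-Request ')
ANY_REQ = re.compile(r'^\((\d+)\)')
USER = re.compile(r'^\((\d+)\)\s+User-Name = "([^"]*)"')
CALLING = re.compile(r'^\((\d+)\)\s+Calling-Station-Id = "([^"]*)"')
# Only the leaf (client) certificate; TLS-Cert-* belongs to the issuing CA.
CERT_ATTR = re.compile(r'^\((\d+)\) eap_tls:\s+(TLS-Client-Cert-[\w-]+) := "(.*)"$')
CERT_ATTR_WRAPPED = re.compile(r'^\((\d+)\) eap_tls:\s+TLS-Client-Cert-[\w-]+ :=\s*$')
SSL_ERR = re.compile(r'^\((\d+)\) eap_tls:\s+ERROR: SSL says error (\d+) : (.*)$')
REJECT = re.compile(r'^\((\d+)\) Using Post-Auth-Type Reject$')


def _unwrap(lines: List[str]) -> List[str]:
    """Re-join an attribute line that a mail client wrapped after ':='."""
    out, it = [], iter(lines)
    for line in it:
        line = line.rstrip()
        if CERT_ATTR_WRAPPED.match(line):
            line = line + ' ' + next(it, '').strip()
        out.append(line)
    return out


def _new_record(req: str) -> dict:
    return {'request': int(req), 'user_name': None, 'calling_station_id': None,
            'cert': {}, 'ssl_error': None, 'rejected': False}


def parse_debug_log(text: str) -> List[dict]:
    """One record per Access-Request seen in the debug output, carrying the
    TLS-Client-Cert-* fields eap_tls printed for it and any SSL verify error."""
    open_reqs: Dict[str, dict] = {}
    done: List[dict] = []
    for line in _unwrap(text.splitlines()):
        m = REQ_START.match(line)
        if m:
            req = m.group(1)
            if req in open_reqs:            # request numbers get reused over time
                done.append(open_reqs.pop(req))
            open_reqs[req] = _new_record(req)
            continue
        m = ANY_REQ.match(line)
        rec = open_reqs.get(m.group(1)) if m else None
        if rec is None:
            continue                        # e.g. "Thread 4 handling request 226"
        if (m := USER.match(line)):
            rec['user_name'] = m.group(2)
        elif (m := CALLING.match(line)):
            rec['calling_station_id'] = m.group(2)
        elif (m := CERT_ATTR.match(line)):
            rec['cert'][m.group(2)] = m.group(3)
        elif (m := SSL_ERR.match(line)):
            rec['ssl_error'] = (int(m.group(2)), m.group(3))
        elif REJECT.match(line):
            rec['rejected'] = True
    done.extend(open_reqs.values())
    return done


def expired_cert_rejects(text: str) -> List[dict]:
    """Requests whose client certificate failed verification as expired."""
    return [r for r in parse_debug_log(text)
            if r['ssl_error'] and 'expired' in r['ssl_error'][1]]


def format_linelog(rec: dict) -> str:
    """Emit the line the post's linelog_cert_expired could not produce."""
    c = rec['cert']
    return ('action = Send-REJECT-CERT-EXPIRED, Endgeraet-MAC = "%s", '
            'TLS-Client-Cert-Common-Name = "%s", TLS-Client-Cert-Subject = "%s", '
            'TLS-Client-Cert-Serial = "%s", TLS-Client-Cert-Expiration = "%s"'
            % (rec['calling_station_id'], c.get('TLS-Client-Cert-Common-Name'),
               c.get('TLS-Client-Cert-Subject'), c.get('TLS-Client-Cert-Serial'),
               c.get('TLS-Client-Cert-Expiration')))


# Constructed sample, modelled on request 226 from the post; request 227 is
# made up to show a successful handshake is not reported.
SAMPLE_LOG = """\
(226) Received Access-Request Id 110 from 10.1.2.3:32847 to 10.100.0.1:1812 length 554
(226)   User-Name = "anonymous@example.org"
(226)   Calling-Station-Id = "60-36-DD-7C-E2-DC"
(226) eap_tls: Creating attributes from certificate OIDs
(226) eap_tls:   TLS-Cert-Serial := "17887d08b33e3d"
(226) eap_tls:   TLS-Cert-Common-Name := "Example-CA-02"
(226) eap_tls: Creating attributes from certificate OIDs
(226) eap_tls:   TLS-Client-Cert-Serial := "1a694699888a48"
(226) eap_tls:   TLS-Client-Cert-Expiration := "181115121610Z"
(226) eap_tls:   TLS-Client-Cert-Subject :=
"/C=DE/ST=ExampleST/L=ExampleL/O=Example/OU=ExampleOU/CN=Expired_Example_Cert"
(226) eap_tls:   TLS-Client-Cert-Common-Name := "Expired_Example_Cert"
(226) eap_tls:   ERROR: SSL says error 10 : certificate has expired
(226) eap_tls: ERROR: TLS Alert write:fatal:certificate expired
(226) Using Post-Auth-Type Reject
(227) Received Access-Request Id 111 from 10.1.2.3:32848 to 10.100.0.1:1812 length 554
(227)   User-Name = "anonymous@example.org"
(227)   Calling-Station-Id = "AA-BB-CC-DD-EE-FF"
(227) eap_tls: Creating attributes from certificate OIDs
(227) eap_tls:   TLS-Client-Cert-Serial := "0123456789abcd"
(227) eap_tls:   TLS-Client-Cert-Common-Name := "Valid_Example_Cert"
"""

if __name__ == '__main__':
    for rec in expired_cert_rejects(SAMPLE_LOG):
        print(format_linelog(rec))
```

Run it against the teed file with `python3 expired_certs.py < /tmp/freeradius_debug.log` after changing the `__main__` block to read `sys.stdin`; keep in mind this only works while the server runs in debug mode, so it is a way to identify the owners of already-expired certificates from a captured log, not a replacement for getting the attributes into the request list.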