Freeradius and unexpected TLS version ->Access-Reject
iilinasi
Irina.Ilina-Sidorova at ulb.ac.be
Fri Feb 21 12:25:51 CET 2020
Hello everyone!
I have a weird issue with freeradius 3.0.16.
I am trying to implement an auth exchange with RADIUS, requesting EAP-TLS.
At this moment I only need to get to the phase when the server responds with
Access-Challenge with the server certificate (so, 2 packets from the NAD and 2
from the server). To generate the NAD-side packets I use python3 with scapy.
Freeradius was set up to use EAP-TLS for test user auth. The first
Access-Request from the NAD side is answered with an Access-Challenge from
the server. So far so good.
But when I send the second packet, I receive an Access-Reject.
Surprisingly, the server reports I'm using unsupported TLS version
?0304?. Why "surprisingly"? Well, because I use an earlier TLS version, and
it is well visible even in the server debug (if you check the "eap message"
part, where there is "0301").
I also checked in Wireshark (captured both on the server machine and the
"NAD" machine) - the packet is correctly dissected by the latest Wireshark
and has TLS1.1 inside.
Caching is disabled.
OpenSSL is already at the newest version (1.1.1-1ubuntu2.1~18.04.5).
I tried to rebuild my VM from scratch (so again, installed Ubuntu 18,
freeradius 3.0.16, etc) - but the issue persists.
Here is the debug:
Ready to process requests
(0) Received Access-Request Id 200 from 192.168.0.14:53256 to 192.168.0.59:1812 length 67
(0)   Service-Type = Framed-User
(0)   User-Name = "test"
(0)   Framed-MTU = 1500
(0)   EAP-Message = 0x020500090174657374
(0)   Message-Authenticator = 0xefe697c97fd0118935d39e9a25d6baff
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0)     auth_log:    --> /var/log/freeradius/radacct/192.168.0.14/auth-detail-20200214
(0)     auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.14/auth-detail-20200214
(0)     auth_log: EXPAND %t
(0)     auth_log:    --> Fri Feb 14 15:03:01 2020
(0)     [auth_log] = ok
(0)     [digest] = noop
(0)     suffix: Checking for suffix after "@"
(0)     suffix: No '@' in User-Name = "test", looking up realm NULL
(0)     suffix: No such realm "NULL"
(0)     [suffix] = noop
(0)     eap: Peer sent EAP Response (code 2) ID 5 length 9
(0)     eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   authenticate {
(0)     eap: Peer sent packet with method EAP Identity (1)
(0)     eap: Calling submodule eap_tls to process data
(0)     eap_tls: Initiating new EAP-TLS session
(0)     eap_tls: Setting verify mode to require certificate from client
(0)     eap_tls: [eaptls start] = request
(0)     eap: Sending EAP Request (code 1) ID 6 length 6
(0)     eap: EAP session adding &reply:State = 0xe879495de87f44cf
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 200 from 192.168.0.59:1812 to 192.168.0.14:53256 length 0
(0)   EAP-Message = 0x010600060d20
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0xe879495de87f44cfa950f055cfc4b84d
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 201 from 192.168.0.14:53256 to 192.168.0.59:1812 length 163
(1)   Service-Type = Framed-User
(1)   User-Name = "test"
(1)   Framed-MTU = 1500
(1)   EAP-Message = 0x020600570d800000004d16030100480100004403015e43c51b0000000000000000000000000000000000000000000000000000000000001600040005000a0009006400620003000600130012006301000005ff01000100
(1)   State = 0xe879495de87f44cfa950f055cfc4b84d
(1)   Message-Authenticator = 0x70eca9c059289b575655c08683064d67
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(1)     auth_log:    --> /var/log/freeradius/radacct/192.168.0.14/auth-detail-20200214
(1)     auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.0.14/auth-detail-20200214
(1)     auth_log: EXPAND %t
(1)     auth_log:    --> Fri Feb 14 15:03:01 2020
(1)     [auth_log] = ok
(1)     [digest] = noop
(1)     suffix: Checking for suffix after "@"
(1)     suffix: No '@' in User-Name = "test", looking up realm NULL
(1)     suffix: No such realm "NULL"
(1)     [suffix] = noop
(1)     eap: Peer sent EAP Response (code 2) ID 6 length 87
(1)     eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1)     eap: Expiring EAP session with state 0xe879495de87f44cf
(1)     eap: Finished EAP session with state 0xe879495de87f44cf
(1)     eap: Previous EAP request found for state 0xe879495de87f44cf, released from the list
(1)     eap: Peer sent packet with method EAP TLS (13)
(1)     eap: Calling submodule eap_tls to process data
(1)     eap_tls: Continuing EAP-TLS
(1)     eap_tls: Peer indicated complete TLS record size will be 77 bytes
(1)     eap_tls: Got complete TLS record (77 bytes)
(1)     eap_tls: [eaptls verify] = length included
(1)     eap_tls: (other): before SSL initialization
(1)     eap_tls: TLS_accept: before SSL initialization
(1)     eap_tls: TLS_accept: before SSL initialization
(1)     eap_tls: <<< recv UNKNOWN TLS VERSION ?0304? [length 0048]
(1)     eap_tls: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure
(1)     eap_tls: ERROR: TLS Alert write:fatal:handshake failure
tls: TLS_accept: Error in error
(1)     eap_tls: ERROR: Failed in FUNCTION (SSL_read): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
(1)     eap_tls: ERROR: System call (I/O) error (-1)
(1)     eap_tls: ERROR: TLS receive handshake failed during operation
(1)     eap_tls: ERROR: [eaptls process] = fail
(1)     eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
(1)     eap: Sending EAP Failure (code 4) ID 6 length 4
(1)     eap: Failed in EAP select
(1)     [eap] = invalid
(1)   } # authenticate = invalid
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
What could be wrong here?
Where should I debug further?
Thanks a ton in advance for any hints!
Cheers, Iron
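The EAP-Message in request (1) of the debug above contains the whole ClientHello, so it can be decoded offline. The script below is an added example (not code from the poster, and not part of FreeRADIUS) that walks EAP -> EAP-TLS -> TLS record -> ClientHello with a length check at every layer, prints the record-layer and ClientHello versions, and lists the offered cipher suites. The input is the hex from the log, split into its fields for readability; the suite-name table is a small IANA lookup added for display. Two things are visible once decoded: both version fields in the client's bytes are 0x0301 (the "?0304?" string is the server's own label and does not occur in the hello), and the OpenSSL error the server actually reports, "no shared cipher", is about the suite list, which is worth comparing against the `cipher_list` set in the eap module's tls configuration.

```python
"""Decode the EAP-TLS ClientHello from request (1) and report what it offers."""
import struct
from dataclasses import dataclass

# Constructed from the EAP-Message hex in request (1) of the debug above,
# split into its protocol fields; the bytes are identical to the log's string.
EAP_MESSAGE_HEX = "".join([
    "02" "06" "0057",         # EAP header: code 2 (Response), id 6, length 87
    "0d", "80", "0000004d",   # EAP-TLS: type 13, flags L=1, TLS message length 77
    "16" "0301" "0048",       # TLS record: handshake, version 3.1, length 72
    "01" "000044",            # handshake: ClientHello, length 68
    "0301",                   # client_version 3.1
    "5e43c51b" + "00" * 28,   # 32-byte random
    "00",                     # session_id length 0
    "0016",                   # cipher_suites length 22 (11 suites)
    "0004" "0005" "000a" "0009" "0064" "0062",
    "0003" "0006" "0013" "0012" "0063",
    "01" "00",                # compression_methods: one entry, null
    "0005", "ff01" "0001" "00",  # extensions: renegotiation_info, empty
])

# IANA names for the suite IDs seen in the log (lookup table added for display).
SUITE_NAMES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5", 0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA", 0x000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA", 0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0063: "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}
TLS_VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                     (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}


@dataclass
class ClientHelloSummary:
    eap_code: int
    eap_id: int
    eap_length: int
    tls_flags: int
    tls_total_length: int
    record_version: tuple
    hello_version: tuple
    cipher_suites: list
    extensions: list


def version_name(v):
    return TLS_VERSION_NAMES.get(v, "unknown version %d.%d" % v)


def parse_eap_tls_client_hello(data: bytes) -> ClientHelloSummary:
    """Walk EAP -> EAP-TLS -> TLS record -> ClientHello, checking each length."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP length %d != %d bytes received" % (length, len(data)))
    if data[4] != 13:
        raise ValueError("EAP type %d is not EAP-TLS" % data[4])
    flags, pos, tls_total = data[5], 6, None
    if flags & 0x80:                       # L bit: 4-byte total length follows
        (tls_total,) = struct.unpack("!I", data[6:10])
        pos = 10
    tls = data[pos:]
    if tls_total is not None and tls_total != len(tls):
        raise ValueError("TLS length %d != %d bytes present" % (tls_total, len(tls)))
    ctype, maj, minr, rlen = struct.unpack("!BBBH", tls[:5])
    if ctype != 22 or len(tls) - 5 != rlen:
        raise ValueError("not a single, complete handshake record")
    body = tls[5:]
    hs_len = int.from_bytes(body[1:4], "big")
    if body[0] != 1 or len(body) - 4 != hs_len:
        raise ValueError("not a complete ClientHello")
    hello = body[4:]
    hello_version = (hello[0], hello[1])
    p = 2 + 32                             # client_version + random
    p += 1 + hello[p]                      # session_id
    (cs_len,) = struct.unpack("!H", hello[p:p + 2])
    p += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + hello[p]                      # compression_methods
    exts = []
    if p < len(hello):
        (ext_len,) = struct.unpack("!H", hello[p:p + 2])
        p, end = p + 2, p + 2 + ext_len
        while p < end:
            etype, elen = struct.unpack("!HH", hello[p:p + 4])
            exts.append(etype)
            p += 4 + elen
    return ClientHelloSummary(code, ident, length, flags, tls_total,
                              (maj, minr), hello_version, suites, exts)


def classify_suite(suite_id):
    """Coarse label for why a modern server-side cipher_list would not match."""
    name = SUITE_NAMES.get(suite_id, "unknown 0x%04x" % suite_id)
    for marker, label in (("EXPORT", "export-grade"), ("RC4", "RC4"),
                          ("3DES", "3DES"), ("_DES_", "single DES")):
        if marker in name:
            return label
    return "other"


def all_suites_legacy(summary):
    return all(classify_suite(s) != "other" for s in summary.cipher_suites)


def main():
    s = parse_eap_tls_client_hello(bytes.fromhex(EAP_MESSAGE_HEX))
    print("EAP code=%d id=%d len=%d, EAP-TLS flags=0x%02x, TLS length=%d"
          % (s.eap_code, s.eap_id, s.eap_length, s.tls_flags, s.tls_total_length))
    print("record-layer version:", version_name(s.record_version))
    print("ClientHello version: ", version_name(s.hello_version))
    print("cipher suites offered (%d):" % len(s.cipher_suites))
    for sid in s.cipher_suites:
        print("  0x%04x %-42s %s" % (sid, SUITE_NAMES.get(sid, "?"), classify_suite(sid)))
    print("extensions:", ["0x%04x" % e for e in s.extensions])


if __name__ == "__main__":
    main()
```

Run it as-is to see the decode of the packet from the log; to check a capture of your own, replace EAP_MESSAGE_HEX with the EAP-Message value from the (n) Received Access-Request lines of radiusd -X (reassembled if it spans several EAP-Message attributes).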