EAP-TLS Signature Check Failure

Peter Bance peter at peterbance.co.uk
Thu Jun 11 10:31:08 CEST 2020


On 2020-06-10 22:01, Alan DeKok wrote:
> On Jun 10, 2020, at 2:24 PM, Peter Bance via Freeradius-Users
> <freeradius-users at lists.freeradius.org> wrote:
>> Has anyone seen this before? I've hunted all over the Internet, but 
>> nothing quite matches :(
> 
>   Yeah.  It's weird.  TBH, I would put it down to a Windows issue.  I
> can't see how it's a FreeRADIUS issue.  Which means it's rather more
> complex to fix.
> 
>   Maybe it's an issue with the SCEP certificates, or the Windows
> implementation of them.

I'm afraid I've been all around the Windows and certificate side, and 
I've circled back to FreeRADIUS :( I probably should have included the 
full session log before (sadly I didn't think to save a successful entry 
from iOS to compare it to, I'll try and get one when I next can). I've 
pasted below (I don't think I need to "redact" anything here other than 
the SSID and OUs, which identified the client).

One thing strikes me, and the reason I'm being a nuisance here again (!) 
- the signature validation is failing "RSA_verify_PKCS1_PSS_mgf1", but 
both the client and CA certificates are signed with 
"sha256WithRSAEncryption", and the session is TLS 1.2. However, the very 
first client request asks for TLS 1.3 (subsequently downgraded to 1.2).

Could FreeRADIUS be "remembering" the initial 1.3, and thus trying an 
invalid signature validation on the certificate(s)?

I've tried going through the source code, but I confess my C and TLS 
skills aren't up to it :-(

Still happy to revert back to peering at Windows and SCEP configuration 
if this is a red herring.

(36) Received Access-Request Id 17 from 213.86.126.94:34562 to 
10.0.0.149:1812 length 322
(36)   User-Name = "host/4e806561-02db-4ede-847d-4596d2ec7d20"
(36)   NAS-Identifier = "88866e42-06c5-4f07-90b5-b72e5da2ea53"
(36)   Called-Station-Id = "5C-5B-35-C3-B7-A3:XXXXX"
(36)   NAS-Port-Type = Wireless-802.11
(36)   Service-Type = Framed-User
(36)   Calling-Station-Id = "20-79-18-BC-9E-2C"
(36)   Connect-Info = "CONNECT 0Mbps 802.11b"
(36)   Acct-Session-Id = "418B05EFDADE98C1"
(36)   Acct-Multi-Session-Id = "596BF9F81F35E201"
(36)   Mobility-Domain-Id = 28294
(36)   WLAN-Pairwise-Cipher = 1027076
(36)   WLAN-Group-Cipher = 1027076
(36)   WLAN-AKM-Suite = 1027075
(36)   Framed-MTU = 1200
(36)   EAP-Message = 
0x02b5002e01686f73742f34653830363536312d303264622d346564652d383437642d343539366432656337643230
(36)   NAS-IP-Address = 192.168.39.11
(36)   Message-Authenticator = 0xb7f8b7fff9b96de0ac6006c01dec7e60
(36) # Executing section authorize from file 
/etc/freeradius/sites-enabled/default
(36)   authorize {
(36)     policy filter_username {
(36)       if (&User-Name) {
(36)       if (&User-Name)  -> TRUE
(36)       if (&User-Name)  {
(36)         if (&User-Name =~ / /) {
(36)         if (&User-Name =~ / /)  -> FALSE
(36)         if (&User-Name =~ /@[^@]*@/ ) {
(36)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(36)         if (&User-Name =~ /\.\./ ) {
(36)         if (&User-Name =~ /\.\./ )  -> FALSE
(36)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
{
(36)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
  -> FALSE
(36)         if (&User-Name =~ /\.$/)  {
(36)         if (&User-Name =~ /\.$/)   -> FALSE
(36)         if (&User-Name =~ /@\./)  {
(36)         if (&User-Name =~ /@\./)   -> FALSE
(36)       } # if (&User-Name)  = notfound
(36)     } # policy filter_username = notfound
(36)     [preprocess] = ok
(36)     [chap] = noop
(36)     [mschap] = noop
(36)     [digest] = noop
(36) suffix: Checking for suffix after "@"
(36) suffix: No '@' in User-Name = 
"host/4e806561-02db-4ede-847d-4596d2ec7d20", looking up realm NULL
(36) suffix: No such realm "NULL"
(36)     [suffix] = noop
(36) eap: Peer sent EAP Response (code 2) ID 181 length 46
(36) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the 
rest of authorize
(36)     [eap] = ok
(36)   } # authorize = ok
(36) Found Auth-Type = eap
(36) # Executing group from file /etc/freeradius/sites-enabled/default
(36)   authenticate {
(36) eap: Peer sent packet with method EAP Identity (1)
(36) eap: Calling submodule eap_tls to process data
(36) eap_tls: Initiating new TLS session
(36) eap_tls: Setting verify mode to require certificate from client
(36) eap_tls: [eaptls start] = request
(36) eap: Sending EAP Request (code 1) ID 182 length 6
(36) eap: EAP session adding &reply:State = 0x1648a20f16feaff0
(36)     [eap] = handled
(36)   } # authenticate = handled
(36) Using Post-Auth-Type Challenge
(36) # Executing group from file /etc/freeradius/sites-enabled/default
(36)   Challenge { ... } # empty sub-section is ignored
(36) Sent Access-Challenge Id 17 from 10.0.0.149:1812 to 
213.86.126.94:34562 length 0
(36)   EAP-Message = 0x01b600060d20
(36)   Message-Authenticator = 0x00000000000000000000000000000000
(36)   State = 0x1648a20f16feaff06276a0f2502d05c3
(36) Finished request
Waking up in 4.9 seconds.
(37) Received Access-Request Id 18 from 213.86.126.94:34562 to 
10.0.0.149:1812 length 466
(37)   User-Name = "host/4e806561-02db-4ede-847d-4596d2ec7d20"
(37)   NAS-Identifier = "88866e42-06c5-4f07-90b5-b72e5da2ea53"
(37)   Called-Station-Id = "5C-5B-35-C3-B7-A3:XXXXX"
(37)   NAS-Port-Type = Wireless-802.11
(37)   Service-Type = Framed-User
(37)   Calling-Station-Id = "20-79-18-BC-9E-2C"
(37)   Connect-Info = "CONNECT 0Mbps 802.11b"
(37)   Acct-Session-Id = "418B05EFDADE98C1"
(37)   Acct-Multi-Session-Id = "596BF9F81F35E201"
(37)   Mobility-Domain-Id = 28294
(37)   WLAN-Pairwise-Cipher = 1027076
(37)   WLAN-Group-Cipher = 1027076
(37)   WLAN-AKM-Suite = 1027075
(37)   Framed-MTU = 1200
(37)   EAP-Message = 
0x02b600ac0d80000000a2160303009d0100009903035ee0db848a7a6dc35056a37d7a0774fd13cea959920da2632840ac17f72d2d8800002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100
(37)   State = 0x1648a20f16feaff06276a0f2502d05c3
(37)   NAS-IP-Address = 192.168.39.11
(37)   Message-Authenticator = 0x73c6f19cff528e55409457ef55bf064d
(37) session-state: No cached attributes
(37) # Executing section authorize from file 
/etc/freeradius/sites-enabled/default
(37)   authorize {
(37)     policy filter_username {
(37)       if (&User-Name) {
(37)       if (&User-Name)  -> TRUE
(37)       if (&User-Name)  {
(37)         if (&User-Name =~ / /) {
(37)         if (&User-Name =~ / /)  -> FALSE
(37)         if (&User-Name =~ /@[^@]*@/ ) {
(37)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(37)         if (&User-Name =~ /\.\./ ) {
(37)         if (&User-Name =~ /\.\./ )  -> FALSE
(37)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
{
(37)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
  -> FALSE
(37)         if (&User-Name =~ /\.$/)  {
(37)         if (&User-Name =~ /\.$/)   -> FALSE
(37)         if (&User-Name =~ /@\./)  {
(37)         if (&User-Name =~ /@\./)   -> FALSE
(37)       } # if (&User-Name)  = notfound
(37)     } # policy filter_username = notfound
(37)     [preprocess] = ok
(37)     [chap] = noop
(37)     [mschap] = noop
(37)     [digest] = noop
(37) suffix: Checking for suffix after "@"
(37) suffix: No '@' in User-Name = 
"host/4e806561-02db-4ede-847d-4596d2ec7d20", looking up realm NULL
(37) suffix: No such realm "NULL"
(37)     [suffix] = noop
(37) eap: Peer sent EAP Response (code 2) ID 182 length 172
(37) eap: No EAP Start, assuming it's an on-going EAP conversation
(37)     [eap] = updated
(37)     [files] = noop
(37)     [expiration] = noop
(37)     [logintime] = noop
(37)     [pap] = noop
(37)   } # authorize = updated
(37) Found Auth-Type = eap
(37) # Executing group from file /etc/freeradius/sites-enabled/default
(37)   authenticate {
(37) eap: Expiring EAP session with state 0x1648a20f16feaff0
(37) eap: Finished EAP session with state 0x1648a20f16feaff0
(37) eap: Previous EAP request found for state 0x1648a20f16feaff0, 
released from the list
(37) eap: Peer sent packet with method EAP TLS (13)
(37) eap: Calling submodule eap_tls to process data
(37) eap_tls: Continuing EAP-TLS
(37) eap_tls: Peer indicated complete TLS record size will be 162 bytes
(37) eap_tls: Got complete TLS record (162 bytes)
(37) eap_tls: [eaptls verify] = length included
(37) eap_tls: (other): before SSL initialization
(37) eap_tls: TLS_accept: before SSL initialization
(37) eap_tls: TLS_accept: before SSL initialization
(37) eap_tls: <<< recv TLS 1.3  [length 009d]
(37) eap_tls: TLS_accept: SSLv3/TLS read client hello
(37) eap_tls: >>> send TLS 1.2  [length 003d]
(37) eap_tls: TLS_accept: SSLv3/TLS write server hello
(37) eap_tls: >>> send TLS 1.2  [length 0a02]
(37) eap_tls: TLS_accept: SSLv3/TLS write certificate
(37) eap_tls: >>> send TLS 1.2  [length 016d]
(37) eap_tls: TLS_accept: SSLv3/TLS write key exchange
(37) eap_tls: >>> send TLS 1.2  [length 00a2]
(37) eap_tls: TLS_accept: SSLv3/TLS write certificate request
(37) eap_tls: >>> send TLS 1.2  [length 0004]
(37) eap_tls: TLS_accept: SSLv3/TLS write server done
(37) eap_tls: TLS_accept: Need to read more data: SSLv3/TLS write server 
done
(37) eap_tls: TLS - In Handshake Phase
(37) eap_tls: TLS - got 3179 bytes of data
(37) eap_tls: [eaptls process] = handled
(37) eap: Sending EAP Request (code 1) ID 183 length 1004
(37) eap: EAP session adding &reply:State = 0x1648a20f17ffaff0
(37)     [eap] = handled
(37)   } # authenticate = handled
(37) Using Post-Auth-Type Challenge
(37) # Executing group from file /etc/freeradius/sites-enabled/default
(37)   Challenge { ... } # empty sub-section is ignored
(37) Sent Access-Challenge Id 18 from 10.0.0.149:1812 to 
213.86.126.94:34562 length 0
(37)   EAP-Message = 
0x01b703ec0dc000000c6b160303003d0200003903034da8e59444d2f7b42d09580329dc57c697cca1d2ff4e72086a030ee408cd5e7200c030000011ff01000100000b000403000102001700001603030a020b0009fe0009fb00055f3082055b30820443a0030201020212043cc4ae5b10feadec7f7433bdae6f3ef13c300d06092a864886f70d01010b0500304a310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074312330210603550403131a4c6574277320456e637279707420417574686f72697479205833301e170d3230303530393133313235305a170d3230303830373133313235305a301c311a3018060355040313117261646975732e6f6e657765622e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c1c892aa1a10709a855fffbf838425456da3402f403214b5be48613cfdef23f94b876f2d3fb63757e1700920bd8a44b5b5667760a5c67db9a5e82456fc7ec1652a
(37)   Message-Authenticator = 0x00000000000000000000000000000000
(37)   State = 0x1648a20f17ffaff06276a0f2502d05c3
(37) Finished request
Waking up in 4.8 seconds.
(38) Received Access-Request Id 19 from 213.86.126.94:34562 to 
10.0.0.149:1812 length 300
(38)   User-Name = "host/4e806561-02db-4ede-847d-4596d2ec7d20"
(38)   NAS-Identifier = "88866e42-06c5-4f07-90b5-b72e5da2ea53"
(38)   Called-Station-Id = "5C-5B-35-C3-B7-A3:XXXXX"
(38)   NAS-Port-Type = Wireless-802.11
(38)   Service-Type = Framed-User
(38)   Calling-Station-Id = "20-79-18-BC-9E-2C"
(38)   Connect-Info = "CONNECT 0Mbps 802.11b"
(38)   Acct-Session-Id = "418B05EFDADE98C1"
(38)   Acct-Multi-Session-Id = "596BF9F81F35E201"
(38)   Mobility-Domain-Id = 28294
(38)   WLAN-Pairwise-Cipher = 1027076
(38)   WLAN-Group-Cipher = 1027076
(38)   WLAN-AKM-Suite = 1027075
(38)   Framed-MTU = 1200
(38)   EAP-Message = 0x02b700060d00
(38)   State = 0x1648a20f17ffaff06276a0f2502d05c3
(38)   NAS-IP-Address = 192.168.39.11
(38)   Message-Authenticator = 0x08a71d99f1461ff34619361b8f160f0b
(38) session-state: No cached attributes
(38) # Executing section authorize from file 
/etc/freeradius/sites-enabled/default
(38)   authorize {
(38)     policy filter_username {
(38)       if (&User-Name) {
(38)       if (&User-Name)  -> TRUE
(38)       if (&User-Name)  {
(38)         if (&User-Name =~ / /) {
(38)         if (&User-Name =~ / /)  -> FALSE
(38)         if (&User-Name =~ /@[^@]*@/ ) {
(38)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(38)         if (&User-Name =~ /\.\./ ) {
(38)         if (&User-Name =~ /\.\./ )  -> FALSE
(38)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
{
(38)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
  -> FALSE
(38)         if (&User-Name =~ /\.$/)  {
(38)         if (&User-Name =~ /\.$/)   -> FALSE
(38)         if (&User-Name =~ /@\./)  {
(38)         if (&User-Name =~ /@\./)   -> FALSE
(38)       } # if (&User-Name)  = notfound
(38)     } # policy filter_username = notfound
(38)     [preprocess] = ok
(38)     [chap] = noop
(38)     [mschap] = noop
(38)     [digest] = noop
(38) suffix: Checking for suffix after "@"
(38) suffix: No '@' in User-Name = 
"host/4e806561-02db-4ede-847d-4596d2ec7d20", looking up realm NULL
(38) suffix: No such realm "NULL"
(38)     [suffix] = noop
(38) eap: Peer sent EAP Response (code 2) ID 183 length 6
(38) eap: No EAP Start, assuming it's an on-going EAP conversation
(38)     [eap] = updated
(38)     [files] = noop
(38)     [expiration] = noop
(38)     [logintime] = noop
(38)     [pap] = noop
(38)   } # authorize = updated
(38) Found Auth-Type = eap
(38) # Executing group from file /etc/freeradius/sites-enabled/default
(38)   authenticate {
(38) eap: Expiring EAP session with state 0x1648a20f17ffaff0
(38) eap: Finished EAP session with state 0x1648a20f17ffaff0
(38) eap: Previous EAP request found for state 0x1648a20f17ffaff0, 
released from the list
(38) eap: Peer sent packet with method EAP TLS (13)
(38) eap: Calling submodule eap_tls to process data
(38) eap_tls: Continuing EAP-TLS
(38) eap_tls: Peer ACKed our handshake fragment
(38) eap_tls: [eaptls verify] = request
(38) eap_tls: [eaptls process] = handled
(38) eap: Sending EAP Request (code 1) ID 184 length 1004
(38) eap: EAP session adding &reply:State = 0x1648a20f14f0aff0
(38)     [eap] = handled
(38)   } # authenticate = handled
(38) Using Post-Auth-Type Challenge
(38) # Executing group from file /etc/freeradius/sites-enabled/default
(38)   Challenge { ... } # empty sub-section is ignored
(38) Sent Access-Challenge Id 19 from 10.0.0.149:1812 to 
213.86.126.94:34562 length 0
(38)   EAP-Message = 
(hex data omitted)
(38)   Message-Authenticator = 0x00000000000000000000000000000000
(38)   State = 0x1648a20f14f0aff06276a0f2502d05c3
(38) Finished request
Waking up in 4.7 seconds.
(39) Received Access-Request Id 20 from 213.86.126.94:34562 to 
10.0.0.149:1812 length 300
(39)   User-Name = "host/4e806561-02db-4ede-847d-4596d2ec7d20"
(39)   NAS-Identifier = "88866e42-06c5-4f07-90b5-b72e5da2ea53"
(39)   Called-Station-Id = "5C-5B-35-C3-B7-A3:XXXXX"
(39)   NAS-Port-Type = Wireless-802.11
(39)   Service-Type = Framed-User
(39)   Calling-Station-Id = "20-79-18-BC-9E-2C"
(39)   Connect-Info = "CONNECT 0Mbps 802.11b"
(39)   Acct-Session-Id = "418B05EFDADE98C1"
(39)   Acct-Multi-Session-Id = "596BF9F81F35E201"
(39)   Mobility-Domain-Id = 28294
(39)   WLAN-Pairwise-Cipher = 1027076
(39)   WLAN-Group-Cipher = 1027076
(39)   WLAN-AKM-Suite = 1027075
(39)   Framed-MTU = 1200
(39)   EAP-Message = 0x02b800060d00
(39)   State = 0x1648a20f14f0aff06276a0f2502d05c3
(39)   NAS-IP-Address = 192.168.39.11
(39)   Message-Authenticator = 0xfbb8a5a45c711461cc59935691116b83
(39) session-state: No cached attributes
(39) # Executing section authorize from file 
/etc/freeradius/sites-enabled/default
(39)   authorize {
(39)     policy filter_username {
(39)       if (&User-Name) {
(39)       if (&User-Name)  -> TRUE
(39)       if (&User-Name)  {
(39)         if (&User-Name =~ / /) {
(39)         if (&User-Name =~ / /)  -> FALSE
(39)         if (&User-Name =~ /@[^@]*@/ ) {
(39)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(39)         if (&User-Name =~ /\.\./ ) {
(39)         if (&User-Name =~ /\.\./ )  -> FALSE
(39)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
{
(39)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
  -> FALSE
(39)         if (&User-Name =~ /\.$/)  {
(39)         if (&User-Name =~ /\.$/)   -> FALSE
(39)         if (&User-Name =~ /@\./)  {
(39)         if (&User-Name =~ /@\./)   -> FALSE
(39)       } # if (&User-Name)  = notfound
(39)     } # policy filter_username = notfound
(39)     [preprocess] = ok
(39)     [chap] = noop
(39)     [mschap] = noop
(39)     [digest] = noop
(39) suffix: Checking for suffix after "@"
(39) suffix: No '@' in User-Name = 
"host/4e806561-02db-4ede-847d-4596d2ec7d20", looking up realm NULL
(39) suffix: No such realm "NULL"
(39)     [suffix] = noop
(39) eap: Peer sent EAP Response (code 2) ID 184 length 6
(39) eap: No EAP Start, assuming it's an on-going EAP conversation
(39)     [eap] = updated
(39)     [files] = noop
(39)     [expiration] = noop
(39)     [logintime] = noop
(39)     [pap] = noop
(39)   } # authorize = updated
(39) Found Auth-Type = eap
(39) # Executing group from file /etc/freeradius/sites-enabled/default
(39)   authenticate {
(39) eap: Expiring EAP session with state 0x1648a20f14f0aff0
(39) eap: Finished EAP session with state 0x1648a20f14f0aff0
(39) eap: Previous EAP request found for state 0x1648a20f14f0aff0, 
released from the list
(39) eap: Peer sent packet with method EAP TLS (13)
(39) eap: Calling submodule eap_tls to process data
(39) eap_tls: Continuing EAP-TLS
(39) eap_tls: Peer ACKed our handshake fragment
(39) eap_tls: [eaptls verify] = request
(39) eap_tls: [eaptls process] = handled
(39) eap: Sending EAP Request (code 1) ID 185 length 1004
(39) eap: EAP session adding &reply:State = 0x1648a20f15f1aff0
(39)     [eap] = handled
(39)   } # authenticate = handled
(39) Using Post-Auth-Type Challenge
(39) # Executing group from file /etc/freeradius/sites-enabled/default
(39)   Challenge { ... } # empty sub-section is ignored
(39) Sent Access-Challenge Id 20 from 10.0.0.149:1812 to 
213.86.126.94:34562 length 0
(39)   EAP-Message = 
(hex data omitted)
(39)   Message-Authenticator = 0x00000000000000000000000000000000
(39)   State = 0x1648a20f15f1aff06276a0f2502d05c3
(39) Finished request
Waking up in 4.6 seconds.
(40) Received Access-Request Id 21 from 213.86.126.94:34562 to 
10.0.0.149:1812 length 300
(40)   User-Name = "host/4e806561-02db-4ede-847d-4596d2ec7d20"
(40)   NAS-Identifier = "88866e42-06c5-4f07-90b5-b72e5da2ea53"
(40)   Called-Station-Id = "5C-5B-35-C3-B7-A3:XXXXX"
(40)   NAS-Port-Type = Wireless-802.11
(40)   Service-Type = Framed-User
(40)   Calling-Station-Id = "20-79-18-BC-9E-2C"
(40)   Connect-Info = "CONNECT 0Mbps 802.11b"
(40)   Acct-Session-Id = "418B05EFDADE98C1"
(40)   Acct-Multi-Session-Id = "596BF9F81F35E201"
(40)   Mobility-Domain-Id = 28294
(40)   WLAN-Pairwise-Cipher = 1027076
(40)   WLAN-Group-Cipher = 1027076
(40)   WLAN-AKM-Suite = 1027075
(40)   Framed-MTU = 1200
(40)   EAP-Message = 0x02b900060d00
(40)   State = 0x1648a20f15f1aff06276a0f2502d05c3
(40)   NAS-IP-Address = 192.168.39.11
(40)   Message-Authenticator = 0x0d8187d439f5c856a51abace42ad72b5
(40) session-state: No cached attributes
(40) # Executing section authorize from file 
/etc/freeradius/sites-enabled/default
(40)   authorize {
(40)     policy filter_username {
(40)       if (&User-Name) {
(40)       if (&User-Name)  -> TRUE
(40)       if (&User-Name)  {
(40)         if (&User-Name =~ / /) {
(40)         if (&User-Name =~ / /)  -> FALSE
(40)         if (&User-Name =~ /@[^@]*@/ ) {
(40)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(40)         if (&User-Name =~ /\.\./ ) {
(40)         if (&User-Name =~ /\.\./ )  -> FALSE
(40)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
{
(40)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
  -> FALSE
(40)         if (&User-Name =~ /\.$/)  {
(40)         if (&User-Name =~ /\.$/)   -> FALSE
(40)         if (&User-Name =~ /@\./)  {
(40)         if (&User-Name =~ /@\./)   -> FALSE
(40)       } # if (&User-Name)  = notfound
(40)     } # policy filter_username = notfound
(40)     [preprocess] = ok
(40)     [chap] = noop
(40)     [mschap] = noop
(40)     [digest] = noop
(40) suffix: Checking for suffix after "@"
(40) suffix: No '@' in User-Name = 
"host/4e806561-02db-4ede-847d-4596d2ec7d20", looking up realm NULL
(40) suffix: No such realm "NULL"
(40)     [suffix] = noop
(40) eap: Peer sent EAP Response (code 2) ID 185 length 6
(40) eap: No EAP Start, assuming it's an on-going EAP conversation
(40)     [eap] = updated
(40)     [files] = noop
(40)     [expiration] = noop
(40)     [logintime] = noop
(40)     [pap] = noop
(40)   } # authorize = updated
(40) Found Auth-Type = eap
(40) # Executing group from file /etc/freeradius/sites-enabled/default
(40)   authenticate {
(40) eap: Expiring EAP session with state 0x1648a20f15f1aff0
(40) eap: Finished EAP session with state 0x1648a20f15f1aff0
(40) eap: Previous EAP request found for state 0x1648a20f15f1aff0, 
released from the list
(40) eap: Peer sent packet with method EAP TLS (13)
(40) eap: Calling submodule eap_tls to process data
(40) eap_tls: Continuing EAP-TLS
(40) eap_tls: Peer ACKed our handshake fragment
(40) eap_tls: [eaptls verify] = request
(40) eap_tls: [eaptls process] = handled
(40) eap: Sending EAP Request (code 1) ID 186 length 207
(40) eap: EAP session adding &reply:State = 0x1648a20f12f2aff0
(40)     [eap] = handled
(40)   } # authenticate = handled
(40) Using Post-Auth-Type Challenge
(40) # Executing group from file /etc/freeradius/sites-enabled/default
(40)   Challenge { ... } # empty sub-section is ignored
(40) Sent Access-Challenge Id 21 from 10.0.0.149:1812 to 
213.86.126.94:34562 length 0
(40)   EAP-Message = 
0x01ba00cf0d8000000c6baccab7fd8f25557f21770ea0fa13edbb232eb4a89316030300a20d00009e03010240002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602006800663064310f300d060355040a13064f6e65576562312d302b060355040b132464383164623666662d346337642d346131642d623536322d3831653835343331643562613122302006035504031319534345506d616e2d4465766963652d526f6f742d43412d563116030300040e000000
(40)   Message-Authenticator = 0x00000000000000000000000000000000
(40)   State = 0x1648a20f12f2aff06276a0f2502d05c3
(40) Finished request
Waking up in 4.6 seconds.
(41) Received Access-Request Id 22 from 213.86.126.94:34562 to 
10.0.0.149:1812 length 1796
(41)   User-Name = "host/4e806561-02db-4ede-847d-4596d2ec7d20"
(41)   NAS-Identifier = "88866e42-06c5-4f07-90b5-b72e5da2ea53"
(41)   Called-Station-Id = "5C-5B-35-C3-B7-A3:XXXXX"
(41)   NAS-Port-Type = Wireless-802.11
(41)   Service-Type = Framed-User
(41)   Calling-Station-Id = "20-79-18-BC-9E-2C"
(41)   Connect-Info = "CONNECT 0Mbps 802.11b"
(41)   Acct-Session-Id = "418B05EFDADE98C1"
(41)   Acct-Multi-Session-Id = "596BF9F81F35E201"
(41)   Mobility-Domain-Id = 28294
(41)   WLAN-Pairwise-Cipher = 1027076
(41)   WLAN-Group-Cipher = 1027076
(41)   WLAN-AKM-Suite = 1027075
(41)   Framed-MTU = 1200
(41)   EAP-Message = 
(hex data omitted)
(41)   State = 0x1648a20f12f2aff06276a0f2502d05c3
(41)   NAS-IP-Address = 192.168.39.11
(41)   Message-Authenticator = 0x746c68f8e099ebad30060fd2c2887cbe
(41) session-state: No cached attributes
(41) # Executing section authorize from file 
/etc/freeradius/sites-enabled/default
(41)   authorize {
(41)     policy filter_username {
(41)       if (&User-Name) {
(41)       if (&User-Name)  -> TRUE
(41)       if (&User-Name)  {
(41)         if (&User-Name =~ / /) {
(41)         if (&User-Name =~ / /)  -> FALSE
(41)         if (&User-Name =~ /@[^@]*@/ ) {
(41)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(41)         if (&User-Name =~ /\.\./ ) {
(41)         if (&User-Name =~ /\.\./ )  -> FALSE
(41)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
{
(41)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
  -> FALSE
(41)         if (&User-Name =~ /\.$/)  {
(41)         if (&User-Name =~ /\.$/)   -> FALSE
(41)         if (&User-Name =~ /@\./)  {
(41)         if (&User-Name =~ /@\./)   -> FALSE
(41)       } # if (&User-Name)  = notfound
(41)     } # policy filter_username = notfound
(41)     [preprocess] = ok
(41)     [chap] = noop
(41)     [mschap] = noop
(41)     [digest] = noop
(41) suffix: Checking for suffix after "@"
(41) suffix: No '@' in User-Name = 
"host/4e806561-02db-4ede-847d-4596d2ec7d20", looking up realm NULL
(41) suffix: No such realm "NULL"
(41)     [suffix] = noop
(41) eap: Peer sent EAP Response (code 2) ID 186 length 1492
(41) eap: No EAP Start, assuming it's an on-going EAP conversation
(41)     [eap] = updated
(41)     [files] = noop
(41)     [expiration] = noop
(41)     [logintime] = noop
(41)     [pap] = noop
(41)   } # authorize = updated
(41) Found Auth-Type = eap
(41) # Executing group from file /etc/freeradius/sites-enabled/default
(41)   authenticate {
(41) eap: Expiring EAP session with state 0x1648a20f12f2aff0
(41) eap: Finished EAP session with state 0x1648a20f12f2aff0
(41) eap: Previous EAP request found for state 0x1648a20f12f2aff0, 
released from the list
(41) eap: Peer sent packet with method EAP TLS (13)
(41) eap: Calling submodule eap_tls to process data
(41) eap_tls: Continuing EAP-TLS
(41) eap_tls: Peer indicated complete TLS record size will be 1598 bytes
(41) eap_tls: Expecting 2 TLS record fragments
(41) eap_tls: Got first TLS record fragment (1482 bytes).  Peer 
indicated more fragments to follow
(41) eap_tls: [eaptls verify] = first fragment
(41) eap_tls: ACKing Peer's TLS record fragment
(41) eap_tls: [eaptls process] = handled
(41) eap: Sending EAP Request (code 1) ID 187 length 6
(41) eap: EAP session adding &reply:State = 0x1648a20f13f3aff0
(41)     [eap] = handled
(41)   } # authenticate = handled
(41) Using Post-Auth-Type Challenge
(41) # Executing group from file /etc/freeradius/sites-enabled/default
(41)   Challenge { ... } # empty sub-section is ignored
(41) Sent Access-Challenge Id 22 from 10.0.0.149:1812 to 
213.86.126.94:34562 length 0
(41)   EAP-Message = 0x01bb00060d00
(41)   Message-Authenticator = 0x00000000000000000000000000000000
(41)   State = 0x1648a20f13f3aff06276a0f2502d05c3
(41) Finished request
Waking up in 4.1 seconds.
(42) Received Access-Request Id 23 from 213.86.126.94:34562 to 
10.0.0.149:1812 length 416
(42)   User-Name = "host/4e806561-02db-4ede-847d-4596d2ec7d20"
(42)   NAS-Identifier = "88866e42-06c5-4f07-90b5-b72e5da2ea53"
(42)   Called-Station-Id = "5C-5B-35-C3-B7-A3:XXXXX"
(42)   NAS-Port-Type = Wireless-802.11
(42)   Service-Type = Framed-User
(42)   Calling-Station-Id = "20-79-18-BC-9E-2C"
(42)   Connect-Info = "CONNECT 0Mbps 802.11b"
(42)   Acct-Session-Id = "418B05EFDADE98C1"
(42)   Acct-Multi-Session-Id = "596BF9F81F35E201"
(42)   Mobility-Domain-Id = 28294
(42)   WLAN-Pairwise-Cipher = 1027076
(42)   WLAN-Group-Cipher = 1027076
(42)   WLAN-AKM-Suite = 1027075
(42)   Framed-MTU = 1200
(42)   EAP-Message = 
0x02bb007a0d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014030300010116030300280000000000000000b96a559b74390d53101a37b9c730e029dfcaecc09616610d63a393614951b571
(42)   State = 0x1648a20f13f3aff06276a0f2502d05c3
(42)   NAS-IP-Address = 192.168.39.11
(42)   Message-Authenticator = 0xa524c52b087a2f48e54d85d74803cd75
(42) session-state: No cached attributes
(42) # Executing section authorize from file 
/etc/freeradius/sites-enabled/default
(42)   authorize {
(42)     policy filter_username {
(42)       if (&User-Name) {
(42)       if (&User-Name)  -> TRUE
(42)       if (&User-Name)  {
(42)         if (&User-Name =~ / /) {
(42)         if (&User-Name =~ / /)  -> FALSE
(42)         if (&User-Name =~ /@[^@]*@/ ) {
(42)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(42)         if (&User-Name =~ /\.\./ ) {
(42)         if (&User-Name =~ /\.\./ )  -> FALSE
(42)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
{
(42)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
  -> FALSE
(42)         if (&User-Name =~ /\.$/)  {
(42)         if (&User-Name =~ /\.$/)   -> FALSE
(42)         if (&User-Name =~ /@\./)  {
(42)         if (&User-Name =~ /@\./)   -> FALSE
(42)       } # if (&User-Name)  = notfound
(42)     } # policy filter_username = notfound
(42)     [preprocess] = ok
(42)     [chap] = noop
(42)     [mschap] = noop
(42)     [digest] = noop
(42) suffix: Checking for suffix after "@"
(42) suffix: No '@' in User-Name = 
"host/4e806561-02db-4ede-847d-4596d2ec7d20", looking up realm NULL
(42) suffix: No such realm "NULL"
(42)     [suffix] = noop
(42) eap: Peer sent EAP Response (code 2) ID 187 length 122
(42) eap: No EAP Start, assuming it's an on-going EAP conversation
(42)     [eap] = updated
(42)     [files] = noop
(42)     [expiration] = noop
(42)     [logintime] = noop
(42)     [pap] = noop
(42)   } # authorize = updated
(42) Found Auth-Type = eap
(42) # Executing group from file /etc/freeradius/sites-enabled/default
(42)   authenticate {
(42) eap: Expiring EAP session with state 0x1648a20f13f3aff0
(42) eap: Finished EAP session with state 0x1648a20f13f3aff0
(42) eap: Previous EAP request found for state 0x1648a20f13f3aff0, 
released from the list
(42) eap: Peer sent packet with method EAP TLS (13)
(42) eap: Calling submodule eap_tls to process data
(42) eap_tls: Continuing EAP-TLS
(42) eap_tls: Got final TLS record fragment (116 bytes)
(42) eap_tls: [eaptls verify] = ok
(42) eap_tls: Done initial handshake
(42) eap_tls: TLS_accept: SSLv3/TLS write server done
(42) eap_tls: <<< recv TLS 1.2  [length 0498]
(42) eap_tls: TLS - Creating attributes from certificate OIDs
(42) eap_tls:   TLS-Cert-Serial := "69f326fe2bd5423abacfa11e1c1a2802"
(42) eap_tls:   TLS-Cert-Expiration := "300509082659Z"
(42) eap_tls:   TLS-Cert-Valid-Since := "200509081659Z"
(42) eap_tls:   TLS-Cert-Subject := 
"/O=XXXXX/OU=XXXXX/CN=SCEPman-Device-Root-CA-V1"
(42) eap_tls:   TLS-Cert-Issuer := 
"/O=XXXXX/OU=XXXXX/CN=SCEPman-Device-Root-CA-V1"
(42) eap_tls:   TLS-Cert-Common-Name := "SCEPman-Device-Root-CA-V1"
(42) eap_tls: TLS - Creating attributes from certificate OIDs
(42) eap_tls:   TLS-Client-Cert-Serial := 
"408581db6165804edb02de4e847d4596d2ec7d20"
(42) eap_tls:   TLS-Client-Cert-Expiration := "201111090734Z"
(42) eap_tls:   TLS-Client-Cert-Valid-Since := "200511085734Z"
(42) eap_tls:   TLS-Client-Cert-Subject := 
"/CN=4e806561-02db-4ede-847d-4596d2ec7d20"
(42) eap_tls:   TLS-Client-Cert-Issuer := 
"/O=XXXXX/OU=XXXXX/CN=SCEPman-Device-Root-CA-V1"
(42) eap_tls:   TLS-Client-Cert-Common-Name := 
"4e806561-02db-4ede-847d-4596d2ec7d20"
(42) eap_tls:   TLS-Client-Cert-X509v3-Authority-Key-Identifier += 
"keyid:34:AC:84:40:C2:E0:BA:85:A6:37:E2:39:46:52:79:B6:8F:29:9C:EB\n"
(42) eap_tls:   TLS-Client-Cert-X509v3-Subject-Key-Identifier += 
"2E:74:84:73:C2:2A:C6:07:95:3A:2C:76:6E:DD:88:88:07:EC:75:5F"
(42) eap_tls:   TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(42) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web 
Client Authentication"
(42) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += 
"1.3.6.1.5.5.7.3.2"
(42) eap_tls: Starting OCSP Request
(42) eap_tls: ocsp: Using responder URL 
"http://scepman-xxxxx.azurewebsites.net:80/ocsp"
         This Update: Jun 10 13:09:25 2020 GMT
         Next Update: Jun 10 13:14:25 2020 GMT
(42) eap_tls: ocsp: Cert status: good
(42) eap_tls: ocsp: Certificate is valid
(42) eap_tls: TLS_accept: SSLv3/TLS read client certificate
(42) eap_tls: <<< recv TLS 1.2  [length 0066]
(42) eap_tls: TLS_accept: SSLv3/TLS read client key exchange
(42) eap_tls: <<< recv TLS 1.2  [length 0108]
(42) eap_tls: >>> send TLS 1.2  [length 0002]
(42) eap_tls: ERROR: TLS Alert write:fatal:decrypt error

(42) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
(42) eap_tls: ERROR: error:0407E086:rsa 
routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid
(42) eap_tls: ERROR: error:1417B07B:SSL 
routines:tls_process_cert_verify:bad signature
(42) eap_tls: ERROR: System call (I/O) error (-1)
(42) eap_tls: ERROR: TLS receive handshake failed during operation
(42) eap_tls: ERROR: [eaptls process] = fail
(42) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module 
failed
(42) eap: Sending EAP Failure (code 4) ID 187 length 4
(42) eap: Failed in EAP select
(42)     [eap] = invalid
(42)   } # authenticate = invalid
(42) Failed to authenticate the user
(42) Using Post-Auth-Type Reject
(42) # Executing group from file /etc/freeradius/sites-enabled/default
(42)   Post-Auth-Type REJECT {
(42) attr_filter.access_reject: EXPAND %{User-Name}
(42) attr_filter.access_reject:    --> 
host/4e806561-02db-4ede-847d-4596d2ec7d20
(42) attr_filter.access_reject: Matched entry DEFAULT at line 11
(42)     [attr_filter.access_reject] = updated
(42)     [eap] = noop
(42)     policy remove_reply_message_if_eap {
(42)       if (&reply:EAP-Message && &reply:Reply-Message) {
(42)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(42)       else {
(42)         [noop] = noop
(42)       } # else = noop
(42)     } # policy remove_reply_message_if_eap = noop
(42)   } # Post-Auth-Type REJECT = updated
(42) Login incorrect (eap_tls: TLS Alert write:fatal:decrypt error): 
[host/4e806561-02db-4ede-847d-4596d2ec7d20] (from client XXXXX-UK port 0 
cli 20-79-18-BC-9E-2C)
(42) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(42) Sending delayed response
(42) Sent Access-Reject Id 23 from 10.0.0.149:1812 to 
213.86.126.94:34562 length 44
(42)   EAP-Message = 0x04bb0004
(42)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 2.2 seconds.
(36) Cleaning up request packet ID 17 with timestamp +932
Waking up in 0.1 seconds.
(37) Cleaning up request packet ID 18 with timestamp +933
(38) Cleaning up request packet ID 19 with timestamp +933
(39) Cleaning up request packet ID 20 with timestamp +933
(40) Cleaning up request packet ID 21 with timestamp +933
Waking up in 0.4 seconds.

---
Peter Bance
Information Security Adviser
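The question above can be checked against the bytes in the log itself. What follows is an added example, not code from the original post or from FreeRADIUS: a decoder that takes the EAP-Message hex of requests (37), (40) and (42), strips the EAP and EAP-TLS headers, and parses the ClientHello, the server's CertificateRequest and the client's final fragment. It reports the ClientHello's legacy_version and whether a supported_versions extension (the marker of a TLS 1.3-capable hello, RFC 8446 section 4.2.1) is present, the signature_algorithms each side sent, the schemes the client listed that the server's CertificateRequest also allows, and what the last 116-byte fragment contains. The only liberty taken with the log data is writing the long run of 0x00 bytes in request (42) as "00" * 65; the EAP length field (0x007a) is checked against it. The split of that fragment assumes the TLS 1.2 flight order Certificate, ClientKeyExchange, CertificateVerify, ChangeCipherSpec, Finished.

```python
"""Decode the EAP-TLS fragments quoted in the log above.  Added example, not code
from FreeRADIUS or the original post.  The hex strings are the EAP-Message values of
requests (37), (40) and (42); layouts follow RFC 3748 (EAP), RFC 5216 (EAP-TLS),
RFC 5246 (TLS 1.2) and the SignatureScheme code points of RFC 8446."""
import struct

# Request (37), first client fragment: the ClientHello (verbatim from the log).
CLIENT_HELLO_HEX = "02b600ac0d80000000a2160303009d0100009903035ee0db848a7a6dc35056a37d7a0774fd13cea959920da2632840ac17f72d2d8800002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100"
# Request (40), last server fragment: end of ServerKeyExchange, then CertificateRequest
# and ServerHelloDone (verbatim from the log).
CERT_REQUEST_HEX = "01ba00cf0d8000000c6baccab7fd8f25557f21770ea0fa13edbb232eb4a89316030300a20d00009e03010240002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602006800663064310f300d060355040a13064f6e65576562312d302b060355040b132464383164623666662d346337642d346131642d623536322d3831653835343331643562613122302006035504031319534345506d616e2d4465766963652d526f6f742d43412d563116030300040e000000"
# Request (42), final client fragment.  The log shows a run of 0x00 between the EAP-TLS
# header and ChangeCipherSpec; written as "00" * 65 here, and eap_tls_payload() checks
# the EAP length field (0x007a = 122 bytes) against the result.
FINAL_FRAGMENT_HEX = ("02bb007a0d00" + "00" * 65 +
                      "14030300010116030300280000000000000000b96a559b74390d53101a37b9c730e029dfcaecc09616610d63a393614951b571")

SIG_SCHEME_NAMES = {0x0201: "rsa_pkcs1_sha1", 0x0401: "rsa_pkcs1_sha256", 0x0501: "rsa_pkcs1_sha384",
    0x0601: "rsa_pkcs1_sha512", 0x0203: "ecdsa_sha1", 0x0403: "ecdsa_secp256r1_sha256",
    0x0503: "ecdsa_secp384r1_sha384", 0x0603: "ecdsa_secp521r1_sha512", 0x0807: "ed25519",
    0x0808: "ed448", 0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512", 0x0809: "rsa_pss_pss_sha256", 0x080a: "rsa_pss_pss_sha384",
    0x080b: "rsa_pss_pss_sha512"}

def scheme_name(code):
    return SIG_SCHEME_NAMES.get(code, "0x%04x" % code)

def eap_tls_payload(hexstr):
    """Strip the EAP header and the EAP-TLS type/flags[/length]; return the TLS bytes."""
    pkt = bytes.fromhex(hexstr)
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or pkt[4] != 13:
        raise ValueError("EAP length %d vs %d bytes present, or not EAP-TLS" % (length, len(pkt)))
    return pkt[10:] if pkt[5] & 0x80 else pkt[6:]    # L flag: 4-byte total TLS length follows

def _vec(buf, pos, lensize):
    """Read a TLS length-prefixed vector at pos; return (bytes, position after it)."""
    n = int.from_bytes(buf[pos:pos + lensize], "big")
    return buf[pos + lensize:pos + lensize + n], pos + lensize + n

def _u16_list(raw):
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]

def _handshake_body(tls, pos):
    """Body of the single handshake message in the record that starts at pos."""
    return tls[pos + 9:pos + 9 + int.from_bytes(tls[pos + 6:pos + 9], "big")]

def parse_client_hello(tls):
    """ClientHello fields (RFC 5246 7.4.1.2); the record must begin the fragment."""
    if tls[0] != 0x16 or tls[5] != 0x01:
        raise ValueError("fragment does not start with a ClientHello record")
    body = _handshake_body(tls, 0)
    _session_id, pos = _vec(body, 34, 1)              # after legacy_version (2) + random (32)
    suites, pos = _vec(body, pos, 2)
    _compression, pos = _vec(body, pos, 1)
    ext_raw, pos = _vec(body, pos, 2)
    exts, p = {}, 0
    while p < len(ext_raw):
        etype = int.from_bytes(ext_raw[p:p + 2], "big")
        exts[etype], p = _vec(ext_raw, p + 2, 2)
    sig_algs = _u16_list(_vec(exts[0x000d], 0, 2)[0]) if 0x000d in exts else []
    return {"legacy_version": int.from_bytes(body[:2], "big"), "cipher_suites": _u16_list(suites),
            "extensions": sorted(exts), "has_supported_versions": 0x002b in exts,
            "sig_algs": sig_algs}

def parse_certificate_request(tls):
    """CertificateRequest (RFC 5246 7.4.4) from a fragment that may begin mid-record."""
    pos = tls.find(b"\x16\x03\x03")
    while pos != -1 and (pos + 5 >= len(tls) or tls[pos + 5] != 0x0d):
        pos = tls.find(b"\x16\x03\x03", pos + 1)
    if pos == -1:
        raise ValueError("no CertificateRequest record found")
    body = _handshake_body(tls, pos)
    cert_types, p = _vec(body, 0, 1)
    algs, p = _vec(body, p, 2)
    cas, p = _vec(body, p, 2)
    ca_count, q = 0, 0
    while q < len(cas):                                # each entry is a 2-byte-length DER DN
        _dn, q = _vec(cas, q, 2)
        ca_count += 1
    return {"cert_types": list(cert_types), "sig_algs": _u16_list(algs), "ca_count": ca_count}

def common_schemes(client_algs, server_algs):
    """Schemes the client offered, in its order, that the server's request allows."""
    return [s for s in client_algs if s in set(server_algs)]

def final_fragment_layout(tls):
    """Split the last client fragment at ChangeCipherSpec.  In the TLS 1.2 flight order
    (Certificate, ClientKeyExchange, CertificateVerify, CCS, Finished) the bytes before
    CCS are the tail of the CertificateVerify record, i.e. the end of the signature."""
    ccs = tls.find(b"\x14\x03\x03\x00\x01\x01")
    if ccs == -1:
        raise ValueError("no ChangeCipherSpec record in fragment")
    records, p = [], ccs
    while p < len(tls):
        rlen = int.from_bytes(tls[p + 3:p + 5], "big")
        records.append((tls[p], rlen))                 # (ContentType, record length)
        p += 5 + rlen
    return {"prefix_len": ccs, "prefix_all_zero": tls[:ccs] == b"\x00" * ccs, "records": records}
```

Calling parse_client_hello(eap_tls_payload(CLIENT_HELLO_HEX)), parse_certificate_request(eap_tls_payload(CERT_REQUEST_HEX)) and final_fragment_layout(eap_tls_payload(FINAL_FRAGMENT_HEX)) gives: a ClientHello with legacy_version 0x0303 and no supported_versions extension; a client signature_algorithms list that puts rsa_pss_rsae_sha256/384/512 ahead of the rsa_pkcs1_* schemes; a CertificateRequest (certificate types rsa_sign, dss_sign, ecdsa_sign, one acceptable CA) that allows every scheme the client offered, PSS included; and a final fragment of 65 bytes of 0x00 followed by a one-byte ChangeCipherSpec record and a 40-byte Finished record. The rsa_pss_rsae_* code points are defined for use in TLS 1.2 as well as 1.3 (RFC 8446 section 4.2.3), so a PSS verification inside a TLS 1.2 handshake is expected whenever both sides list them; which scheme the client actually chose is in the first two bytes of the CertificateVerify body, which sit in the first (elided) fragment. Those 65 zero bytes are the tail of the CertificateVerify signature, and a correctly produced RSA signature is indistinguishable from random bytes, so that run is worth checking against a capture of the full first fragment before looking further at the server.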

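The error text itself points at one specific step. RSA_verify_PKCS1_PSS_mgf1 is OpenSSL's EMSA-PSS decoder (RFC 8017 section 9.1.2), which only runs when the CertificateVerify announced an rsa_pss_* scheme; after the RSA public operation it requires the recovered encoded message to end in the trailer octet 0xBC and reports anything else as "last octet invalid", before it looks at the salt or the hash. The message therefore says nothing about the certificates' own sha256WithRSAEncryption signatures, which are checked during chain validation (the log shows that succeeding, with OCSP reporting "good"); what fails to decode is the handshake signature made with the client's private key. The following added example (not code from OpenSSL, FreeRADIUS or the original post; standard library only) implements RSA-PSS signing and verification with SHA-256 and MGF1, making the checks in the order OpenSSL makes them, and classifies three signatures: a valid PSS signature checked against a different message, a PKCS#1 v1.5 signature presented where the verifier expects PSS, and a PSS signature whose last 65 bytes have been overwritten with zeros (the shape of the final fragment in the log). The 1024-bit key, the fixed seed and the message b"abc" (standing in for the handshake transcript) are demo choices; the salt length equals the digest length, as RFC 8446 section 4.2.3 requires for rsa_pss_rsae_*.

```python
"""RSA-PSS (RSASSA-PSS, RFC 8017 8.1 and 9.1) with SHA-256 and MGF1, showing which
decoding step yields OpenSSL's "last octet invalid".  Added example: not code from
OpenSSL, FreeRADIUS or the original post; standard library only.  The 1024-bit key
comes from a seeded RNG for reproducibility (demo key generation, never for real keys)."""
import hashlib, os, random

HLEN = SLEN = 32      # SHA-256 digest length; RFC 8446 4.2.3 fixes salt length = digest length
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # PKCS#1 v1.5 prefix

def _is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin; candidates here are odd 512-bit numbers, so no trial division."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def demo_key(bits=1024, seed=2020):
    """Return (n, e, d) from a seeded RNG: a deterministic demo key, nothing more."""
    rng, e = random.Random(seed), 65537
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1   # top bit set, odd
            if _is_probable_prime(c, rng):
                return c
    while True:
        p, q = prime(), prime()
        if p != q and ((p - 1) * (q - 1)) % e:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))    # Python >= 3.8 modular inverse

def mgf1(seed, length):
    """MGF1 with SHA-256 (RFC 8017 B.2.1)."""
    blocks = (length + HLEN - 1) // HLEN
    return b"".join(hashlib.sha256(seed + c.to_bytes(4, "big")).digest() for c in range(blocks))[:length]

def emsa_pss_encode(msg, em_bits, salt=None):
    """RFC 8017 9.1.1: EM = maskedDB || H || 0xbc with the leftmost 8*emLen-emBits bits zero."""
    em_len = (em_bits + 7) // 8
    salt = os.urandom(SLEN) if salt is None else salt
    h = hashlib.sha256(b"\x00" * 8 + hashlib.sha256(msg).digest() + salt).digest()
    db = b"\x00" * (em_len - SLEN - HLEN - 2) + b"\x01" + salt
    masked = bytes(x ^ y for x, y in zip(db, mgf1(h, em_len - HLEN - 1)))
    masked = bytes([masked[0] & (0xFF >> (8 * em_len - em_bits))]) + masked[1:]
    return masked + h + b"\xbc"

class PSSError(ValueError):
    """Carries the failing step, in OpenSSL's wording where OpenSSL has one."""

def emsa_pss_verify(msg, em, em_bits):
    """RFC 8017 9.1.2, checks in the order OpenSSL's RSA_verify_PKCS1_PSS_mgf1 makes them."""
    em_len = (em_bits + 7) // 8
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if len(em) != em_len or em[0] & ~top_mask & 0xFF:   # leftmost bits of EM must be zero
        raise PSSError("first octet invalid")
    if em[-1] != 0xBC:                                   # trailer field TF must be 0xbc
        raise PSSError("last octet invalid")
    masked, h = em[:em_len - HLEN - 1], em[em_len - HLEN - 1:-1]
    db = bytes(x ^ y for x, y in zip(masked, mgf1(h, em_len - HLEN - 1)))
    db = bytes([db[0] & top_mask]) + db[1:]
    ps_len = em_len - HLEN - SLEN - 2
    if db[:ps_len] != b"\x00" * ps_len or db[ps_len] != 0x01:  # DB = PS || 0x01 || salt
        raise PSSError("salt length recovered failed")
    if hashlib.sha256(b"\x00" * 8 + hashlib.sha256(msg).digest() + db[ps_len + 1:]).digest() != h:
        raise PSSError("bad signature")

def _rsa_private(key, em):
    n, _e, d = key
    return pow(int.from_bytes(em, "big"), d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_pss_sign(key, msg):
    return _rsa_private(key, emsa_pss_encode(msg, key[0].bit_length() - 1))

def rsa_pkcs1v15_sign(key, msg):
    """RSASSA-PKCS1-v1_5 (RFC 8017 8.2): a signer ignoring the negotiated rsa_pss_rsae_* scheme."""
    k = (key[0].bit_length() + 7) // 8
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return _rsa_private(key, b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t)

def pss_verify_reason(pub, msg, sig):
    """RSAVP1 then EMSA-PSS-VERIFY (RFC 8017 8.1.2): None if valid, else the failing step."""
    n, e = pub
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return "signature out of range"
    try:
        emsa_pss_verify(msg, pow(s, e, n).to_bytes(k, "big"), n.bit_length() - 1)
    except PSSError as exc:
        return str(exc)
    return None
```

With key = demo_key(), pub = key[:2] and good = rsa_pss_sign(key, b"abc"): pss_verify_reason(pub, b"abc", good) returns None; pss_verify_reason(pub, b"abd", good) returns "bad signature", because every structural check passes and only the final hash comparison fails; pss_verify_reason(pub, b"abc", rsa_pkcs1v15_sign(key, b"abc")) returns "last octet invalid", because the v1.5 encoded message starts 00 01 FF ... and ends with the raw digest (0xad for "abc"), so the first-octet check passes and the trailer check is the first to fail; and good[:-65] + b"\x00" * 65 returns a structural error, since the RSA public operation on a corrupted value yields effectively random bytes. Read against the log, the server's complaint is about the value it recovered from the client's signature, which is what a signer using a different padding, a different key from the one in the certificate, or a truncated output buffer would look like from the server's side.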
