v4: Can't see TLS certificate fields from `send Access-Accept` section anymore
Nick Bogdanov
nickrbogdanov at gmail.com
Wed Feb 17 21:10:38 CET 2021

On Wed, Feb 17, 2021 at 7:56 AM Alan DeKok <aland at deployingradius.com> wrote:
>
> On Feb 16, 2021, at 10:44 PM, Nick Bogdanov <nickrbogdanov at gmail.com> wrote:
> > They are getting set under "authenticate eap" and they are being
> > correctly parsed under "recv Access-Request". But then when I hit the
> > "send Access-Accept" step, they all vanish:
>
> Looking into this some more:
>
> * I've fixed the cert expiration timestamp issue
>
> * there was a memory leak which is now fixed
>
> * for various reasons the TLS certs are available in the sub request, and will need to be copied manually (sorry) to the parent
>
> * which means you need to enable `virtual_server = check-eap-tls` in mods-enabled/eap, and then put policies in there
>
> That should work.

Hmm, still no luck enabling check-eap-tls. If I set `virtual_server =
check-eap-tls` in mods-enabled/eap and then symlink
sites-available/check-eap-tls to sites-enabled/, it aborts on startup:

Parsing security rules to bootstrap UID / GID / chroot / etc.
main {
prefix = /root/freeradius-server/pfx
security {
allow_core_dumps = no
allow_vulnerable_openssl = no
openssl_fips_mode = no
}
name = radiusd
local_state_dir = "/root/freeradius-server/pfx/var"
run_dir = /root/freeradius-server/pfx/var/run/radiusd
}
Parsing main configuration.
main {
...freeradius-server/pfx/etc/raddb/sites-enabled/check-eap-tls[31]:
virtual server check-eap-tls MUST contain a 'namespace' option

If I add `namespace = check-eap-tls` at the top of the server {}
section, radiusd gets to the end of the handshake and then rejects the
request here:

(8) Running request
(8) Restored &session-state
(8) &session-state.Session-State-User-Name = "a"
(8) Running 'recv Access-Request' from file
/root/freeradius-server/pfx/etc/raddb/sites-enabled/default
(8) recv Access-Request {
(8) policy filter_username {
(8) if (&State) {
(8) if (&User-Name) {
(8) if (!&session-state.Session-State-User-Name) {
(8) ...
(8) }
(8) if (&User-Name != &session-state.Session-State-User-Name) {
(8) ...
(8) }
(8) } # if (&User-Name) (...)
(8) } # if (&State) (...)
(8) } # policy filter_username (...)
(8) chap (noop)
(8) mschap (noop)
(8) digest (noop)
(8) eap - Peer sent EAP Response (code 2) ID 249 length 6
(8) eap - Continuing on-going EAP conversation
(8) eap - Setting &control.Auth-Type = eap
(8) eap (updated)
(8) files - EXPAND %{%{Stripped-User-Name}:-%{User-Name}}
(8) files - --> a
(8) files (noop)
(8) expiration (noop)
(8) logintime (noop)
(8) pap (noop)
(8) } # recv Access-Request (updated)
(8) Running 'authenticate eap' from file
/root/freeradius-server/pfx/etc/raddb/sites-enabled/default
(8) authenticate eap {
(8) eap - Continuing EAP session
(8) eap - Peer sent packet with EAP method TLS (13)
(8) eap - Calling submodule eap_tls
(8) eap (noop)
(8) subrequest {
(8) Creating subrequest (8.0)
(8) EAP-Type = TLS
(8) EAP-Identity = "a"
(8.0) eap.tls - Continuing EAP-TLS
(8.0) eap.tls - Peer ACKed our handshake fragment. handshake is finished
(8.0) eap.tls - [eap-tls verify] = established
(8.0) eap.tls - [eap-tls process] = established
(8.0) eap.tls - ERROR: Failed to find pre-compiled unlang for
section server check-eap-tls { ... }
(8.0) eap.tls (invalid)
(8) } # subrequest (invalid)
(8) eap - Sending EAP Failure (code 4) ID 249 length 4
(8) eap (invalid)
(8) } # authenticate eap (invalid)
(8) Failed to authenticate the user
(8) Running 'send Access-Reject' from file
/root/freeradius-server/pfx/etc/raddb/sites-enabled/default
(8) send Access-Reject {

I updated to git rev 1a0623b0cff8691551dcb701d22d2896c207e3a1 since I
saw that you pushed a few commits related to namespaces and virtual
servers, then ran `make clean && make && make install`, then started
with a clean configuration.