EAP-TLS

Henrik Schack henrik at schack.dk
Sun Jun 6 11:16:04 CEST 2021


This is how far I get:
--cut--
(3) Received Access-Request Id 227 from 176.23.5.126:34447 to 142.93.141.56:1812 length 240
(3)   User-Name = "henrik.schack"
(3)   NAS-Identifier = "868a208e5107"
(3)   Called-Station-Id = "86-8A-20-8E-51-07:Schack-Radius"
(3)   NAS-Port-Type = Wireless-802.11
(3)   Service-Type = Framed-User
(3)   Calling-Station-Id = "8C-85-90-86-02-F8"
(3)   Connect-Info = "CONNECT 0Mbps 802.11b"
(3)   Acct-Session-Id = "7E6FCAA312B559DD"
(3)   Acct-Multi-Session-Id = "514DA94808250535"
(3)   WLAN-Pairwise-Cipher = 1027076
(3)   WLAN-Group-Cipher = 1027076
(3)   WLAN-AKM-Suite = 1027073
(3)   Framed-MTU = 1400
(3)   EAP-Message = 0x029b00060319
(3)   State = 0xb7ab73e6b7307e049cc58c8fe41ba75d
(3)   Message-Authenticator = 0x9022c329b8e6b424f42bf8e53d3001df
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3)   authorize {
(3)     [preprocess] = ok
(3) eap: Peer sent EAP Response (code 2) ID 155 length 6
(3) eap: Ignoring NAK with request for unknown EAP type
(3)     [eap] = noop
(3)     [expiration] = noop
(3)     [logintime] = noop
(3)   } # authorize = ok
(3) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(3) Failed to authenticate the user
(3) Using Post-Auth-Type Reject
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3)   Post-Auth-Type REJECT {
(3) attr_filter.access_reject: EXPAND %{User-Name}
(3) attr_filter.access_reject:    --> henrik.schack
(3) attr_filter.access_reject: Matched entry DEFAULT at line 11
(3)     [attr_filter.access_reject] = updated
(3) eap: Expiring EAP session with state 0xb7ab73e6b7307e04
(3) eap: Finished EAP session with state 0xb7ab73e6b7307e04
(3) eap: Previous EAP request found for state 0xb7ab73e6b7307e04, released from the list
(3) eap: Request was previously rejected, inserting EAP-Failure
(3) eap: Sending EAP Failure (code 4) ID 155 length 4
(3)     [eap] = updated
(3)     policy remove_reply_message_if_eap {
(3)       if (&reply:EAP-Message && &reply:Reply-Message) {
(3)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(3)       else {
(3)         [noop] = noop
(3)       } # else = noop
(3)     } # policy remove_reply_message_if_eap = noop
(3)   } # Post-Auth-Type REJECT = updated
(3) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(3) Sending delayed response
(3) Sent Access-Reject Id 227 from 142.93.141.56:1812 to 176.23.5.126:34447 length 44
(3)   EAP-Message = 0x049b0004
(3)   Message-Authenticator = 0x00000000000000000000000000000000
--cut--

/Henrik


On Sun, Jun 6, 2021 at 11:11 AM Henrik Schack <henrik at schack.dk> wrote:

> Yes, I have come that far, but my Mac still wants to do some
> username/password authentication on top of that.
> I have the CA running, CA cert on my Mac, and a client cert installed as
> well.
>
> Br
> Henrik
>
>
> On Sun, Jun 6, 2021 at 11:07 AM Michael Schwartzkopff <ms at sys4.de> wrote:
>
>> On 06.06.21 11:00, Henrik Schack via Freeradius-Users wrote:
>> > Great, you wouldn't happen to have a configuration example ?
>> >
>> > /Henrik
>> >
>> > On Sun, Jun 6, 2021 at 10:42 AM Michael Schwartzkopff <ms at sys4.de> wrote:
>> >
>> >> On 06.06.21 10:14, Henrik Schack via Freeradius-Users wrote:
>> >>> Hi
>> >>> Is it possible to configure Freeradius to require only a valid TLS client
>> >>> cert created by own CA, in order to get an ACCEPT ?
>> >>>
>> >>> /Henrik
>> >>> -
>> >>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>> >>
>> >>
>> >> Yes.
>> >>
>>
>> See sections tls-common and tls in the eap module.
>>
>> Basically you have to enter the data about your CA and your server cert.
>>
>> Kind regards,
>>
>> --
>>
>> [*] sys4 AG
>>
>> https://sys4.de, +49 (89) 30 90 46 64
>> Schleißheimer Straße 26/MG,80333 München
>>
>> Registered office: München, District Court (Amtsgericht) München: HRB 199263
>> Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
>> Chairman of the supervisory board: Florian Kirstein
>>
>
>
>
> --
> Mvh/Best regards
> Henrik Schack
> Twitter: http://twitter.com/schack
>
>

-- 
Mvh/Best regards
Henrik Schack
Twitter: http://twitter.com/schack
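
The two EAP-Message values in the debug output above can be decoded using the EAP packet layout from RFC 3748 (code, identifier, length, then a type byte for requests and responses). The following is an added example, not part of the original post and not FreeRADIUS code; the function names and the type table (a subset of the IANA EAP method numbers) are choices made for this example.

```python
# Added example: decode EAP packets (RFC 3748 header layout) from RADIUS
# EAP-Message hex strings as printed in FreeRADIUS debug output.
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Subset of IANA-assigned EAP method types; extend as needed.
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2",
             43: "EAP-FAST"}


def type_name(t):
    return EAP_TYPES.get(t, f"unknown({t})")


def decode_eap(hex_value):
    """Return a dict describing one EAP packet given as '0x...' hex."""
    digits = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(digits)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: code, id, length")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError(f"length field {length} does not fit {len(raw)} bytes")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    body = raw[4:length]
    # Only Request/Response carry a Type byte; Success/Failure are header only.
    if code in (1, 2) and body:
        pkt["type"] = type_name(body[0])
        if code == 2 and body[0] == 3:
            # Legacy Nak: type-data lists the methods the peer will accept
            # (a single 0 means no acceptable alternative).
            pkt["peer_wants"] = [type_name(t) for t in body[1:] if t != 0]
    return pkt


# The two EAP-Message values from the debug output in this post.
SAMPLES = ["0x029b00060319", "0x049b0004"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, decode_eap(s))
```

The first value decodes to a Response with ID 155 and length 6 carrying a Nak whose requested method is type 25 (PEAP), not type 13 (EAP-TLS); the second is the 4-byte EAP-Failure with the same ID, matching the "code 2 ... ID 155 length 6" and "code 4 ... ID 155 length 4" lines in the log.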

