Logging EAP-TLS certificate details
Alan DeKok
aland at deployingradius.com
Mon Mar 22 23:40:08 CET 2021
On Mar 22, 2021, at 5:04 PM, <Roberto.Franceschetti at ocfl.net> <Roberto.Franceschetti at ocfl.net> wrote:
> Let me clarify - we issue certificate to actual people and applications. Every certificate is accounted for, and the Common Name will either have the person's name or the serial/MAC address of the IoT it was issued to.
There's a lot of details which have come out over a series of messages. Incomplete problem descriptions tend to cause confusion.
The summary here is:
* malicious users are logging in with fake names, because those fake names are never checked against the cert, or against a DB. Fixing this will address a lot of issues
* the default configuration doesn't log TLS client cert serial, because (a) most people don't use EAP-TLS, and (b) most people who do use it also check that the user names are valid
* the User-Name field is taken from the EAP-Identity, which is in turn taken from the subjectAltName or Common name fields of the certificate.
* These fields are the same 99% of the time. The server checks that User-Name matches EAP-Identity. It is up to you to configure the server to check that User-Name matches the correct certificate field. See the first point above.
* We can't add in these checks by default, because there are variations in which fields are used
* Your site has (essentially) random vendors issuing random certs that you don't control. This practice is insecure, and is contributing towards the problem you're seeing.
* Most people control their own client certificates. This means that they can issue certs with fields that make sense, in a format that makes sense.
* Because your site is not following this common practice, you're seeing all kinds of issues. Issues which most other people don't see.
* Access-Request packets contain NAS IP / port information. You can log that, along with other information such as certificate serial numbers.
* Accounting-Request packets also contain NAS IP / port information. This is the same information as seen in the Access-Accept.
* You can correlate the two sets of information, in order to see (a) which port the user is on, and (b) what TLS cert they have.
This minor change to the default configuration will address all of the issues you're seeing.
The security issue here is that your site is not validating that the User-Name matches the cert, and is not validating that the User-Name is known. While there are reasons for that, it's important to note that these reasons are local to your site.
Perhaps we need better documentation to say "don't do that, it's a problem".
Alan DeKok.
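The two configuration changes the reply describes (check that User-Name matches a certificate field, and log the client certificate serial next to the NAS IP / port) look roughly like the following in FreeRADIUS 3.x unlang. This is an added example written for this page, not configuration from the original message or from the FreeRADIUS project; the `eaptls_log` module name, the log file name and the choice of the Common Name versus the subjectAltName e-mail as the field to compare against are assumptions, and `check_cert_cn`, `linelog` and the `TLS-Client-Cert-*`, `NAS-*` and `*-Station-Id` attributes are standard FreeRADIUS 3.x names.

```unlang
# mods-available/eap (inside the tls-config block used by EAP-TLS):
# reject the handshake when the certificate's Common Name does not
# equal the User-Name the supplicant claimed.  Assumes the site puts the
# identity in the CN; see the post-auth block below for a SAN variant.
tls-config tls-common {
	check_cert_cn = %{User-Name}
}

# mods-available/linelog: one line per EAP-TLS login with the cert serial,
# CN and the NAS IP / port, so Access-Request data can be correlated with
# the Accounting-Request for the same NAS IP / port later.
# (Module name and file name are assumptions for this example.)
linelog eaptls_log {
	filename = ${logdir}/eap-tls-logins.log
	format = "%S user=\"%{User-Name}\" cert_serial=%{TLS-Client-Cert-Serial} cert_cn=\"%{TLS-Client-Cert-Common-Name}\" nas_ip=%{NAS-IP-Address} nas_port=%{NAS-Port} called=%{Called-Station-Id} calling=%{Calling-Station-Id}"
}

# sites-available/default, post-auth section.
post-auth {
	# Only act on EAP-TLS requests: PEAP/TTLS users have no client cert.
	if (&TLS-Client-Cert-Serial) {
		# Sites that put the identity in the subjectAltName e-mail field
		# instead of the CN can compare that field here (assumed policy).
		if (&User-Name != &TLS-Client-Cert-Subject-Alt-Name-Email) {
			reject
		}

		# Record serial + NAS IP / port for every accepted EAP-TLS login.
		eaptls_log
	}
}
```

With this in place the Access-Accept path writes a line containing the certificate serial and the NAS IP / port, and the standard accounting log for the same NAS IP / port (or Acct-Session-Id) can be joined against it to answer which port the user is on and which certificate they presented. Whether a User-Name is known at all is still a separate authorize-time check against the `users` file or a database; `check_cert_cn` only proves the name and the certificate agree.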