Authentication issues
David le Roux
david.leroux at miller.co.uk
Mon Jun 27 13:51:15 UTC 2022
Hi Alan, thanks for the feedback.
>> So I used the scriptlet below to remove the host/ section and now no longer get the error message.
>>
>> if (&User-Name =~ /^host\/(.*)$/) {
>>     update request {
>>         &Cert-CN := "%{1}"
>>     }
>> }
>
> That's good.
>
>> However I now get the following error:
>>
>> (2) if (&User-Name =~ /^host\/(.*)$/) {
>> (2) if (&User-Name =~ /^host\/(.*)$/) -> TRUE
>> (2) if (&User-Name =~ /^host\/(.*)$/) {
>> (2) update request {
>> (2) EXPAND %{1}
>> (2) --> hostname.domain.com
>> (2) &User-Name := hostname.domain.com
>
> That isn't what you posted above. You're editing the User-Name, and not adding a Cert-CN attribute.
That's because when I put the unlang script above I get the following error in journalctl -xe
/etc/freeradius/3.0/sites-enabled/mh-site[27]: Unknown attribute 'Cert-CN'
Therefore I tried the following script in its place (which is what I should have included above), which gave the above error:
if (&User-Name =~ /^host\/(.*)$/) {
    update request {
        &User-Name := "%{1}"
    }
}
>> (2) Found Auth-Type = eap
>> (2) Found Auth-Type = eap
>> (2) ERROR: Warning: Found 2 auth-types on request for user 'hostname.domain.com'
>
> Don't force "Auth-Type = eap". It's wrong, and it will cause problems. Let the server figure out what to do. It will make the right decision.
Noted.
>> (2) eap: Identity does not match User-Name. Authentication failed
>
> Yup.
>
>> I imagine that having now modified the username it no longer matches its identity. I'm not sure how to remediate that.
>
> Don't modify the User-Name?
I was under the impression that the previous error:
>> tls: Certificate CN (mh300416.millerextra.com) does not match specified value (host/mh300416.millerextra.com)!
>> (8) eap_tls: >>> send TLS 1.2 [length 0002]
>> (8) eap_tls: ERROR: TLS Alert write:fatal:internal error
>> tls: TLS_accept: Error in error
required modifying the username to match the certificate?
> Instead, add a Cert-CN, and then modify the "eap" module to check for Cert-CN, and then User-Name:
>
> check_cert_cn = %{%{Cert-CN}:-%{User-Name}}
I've added that, but the error message before adding that and after are the same.
Here are two samples from the debug log:
(0) Received Access-Request Id 5 from 10.224.83.1:55126 to 10.10.251.2:1812 length 192
(0) User-Name = "host/mh301251.millerextra.com"
(0) NAS-IP-Address = 127.0.0.1
(0) Called-Station-Id = "AC-17-C8-A1-BD-48:"
(0) NAS-Port-Type = Ethernet
(0) Service-Type = Framed-User
(0) NAS-Port = 2
(0) Calling-Station-Id = "48-4D-7E-F1-EA-19"
(0) Acct-Session-Id = "09359BDDFCA6B78E"
(0) Framed-MTU = 1400
(0) EAP-Message = 0x0237002201686f73742f6d683330313235312e6d696c6c657265787472612e636f6d
(0) Message-Authenticator = 0x03f0855274d889448947df9a9fd3424e
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) eap: Peer sent EAP Response (code 2) ID 55 length 34
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(0) Auth-Type EAP {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_tls to process data
(0) eap_tls: (TLS) Initiating new session
(0) eap_tls: (TLS) Setting verify mode to require certificate from client
(0) eap: Sending EAP Request (code 1) ID 56 length 6
(0) eap: EAP session adding &reply:State = 0x699f699869a764e8
(0) [eap] = handled
(0) } # Auth-Type EAP = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) session-state: Saving cached attributes
(0) Framed-MTU = 994
(0) Sent Access-Challenge Id 5 from 10.10.251.2:1812 to 10.224.83.1:55126 length 64
(0) EAP-Message = 0x013800060d20
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x699f699869a764e8d6204fd4e9d08f1d
(0) Finished request
(7) Received Access-Request Id 9 from 10.225.15.1:44056 to 10.10.251.2:1812 length 342
(7) User-Name = "host/mh300163.millerextra.com"
(7) NAS-IP-Address = 127.0.0.1
(7) Called-Station-Id = "E0-55-3D-89-2E-20:"
(7) NAS-Port-Type = Ethernet
(7) Service-Type = Framed-User
(7) NAS-Port = 3
(7) Calling-Station-Id = "18-66-DA-40-C0-53"
(7) Acct-Session-Id = "25ECF349CE9496B2"
(7) Framed-MTU = 1400
(7) EAP-Message = 0x022600a60d800000009c160303009701000093030362b71d68d878afc7d77f055c7dd12f0cb835715834e077f7a1dafeb097a7456200002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000040000500050100000000000a00080006001d00170018000b00020100000d001400120401050102010403050302030202060106030023000000170000ff01000100
(7) State = 0x00b4d7a90092daeea8e4e63457a93006
(7) Message-Authenticator = 0x0fefe8ca6f7fc30bbe5980c32a7e2dfc
(7) Restoring &session-state
(7) &session-state:Framed-MTU = 994
(7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) eap: Peer sent EAP Response (code 2) ID 38 length 166
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) [files] = noop
(7) [expiration] = noop
(7) [logintime] = noop
(7) policy rewrite_calling_station_id {
(7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(7) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(7) update request {
(7) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(7) --> 18-66-da-40-c0-53
(7) &Calling-Station-Id := 18-66-da-40-c0-53
(7) } # update request = noop
(7) [updated] = updated
(7) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(7) ... skipping else: Preceding "if" was taken
(7) } # policy rewrite_calling_station_id = updated
(7) if (&User-Name =~ /^host\/(.*)$/) {
(7) if (&User-Name =~ /^host\/(.*)$/) -> TRUE
(7) if (&User-Name =~ /^host\/(.*)$/) {
(7) update request {
(7) EXPAND %{1}
(7) --> mh300163.millerextra.com
(7) &User-Name := mh300163.millerextra.com
(7) } # update request = noop
(7) } # if (&User-Name =~ /^host\/(.*)$/) = noop
(7) if (!EAP-Message) {
(7) if (!EAP-Message) -> FALSE
(7) else {
(7) eap: Peer sent EAP Response (code 2) ID 38 length 166
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) } # else = updated
(7) } # authorize = updated
(7) Found Auth-Type = eap
(7) Found Auth-Type = eap
(7) ERROR: Warning: Found 2 auth-types on request for user 'mh300163.millerextra.com'
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(7) Auth-Type EAP {
(7) eap: Expiring EAP session with state 0xdb417641db437b52
(7) eap: Finished EAP session with state 0x00b4d7a90092daee
(7) eap: Previous EAP request found for state 0x00b4d7a90092daee, released from the list
(7) eap: Identity does not match User-Name. Authentication failed
(7) eap: Failed in handler
(7) [eap] = invalid
(7) } # Auth-Type EAP = invalid
(7) Failed to authenticate the user
(7) Using Post-Auth-Type Reject
(7) Post-Auth-Type sub-section not found. Ignoring.
(7) Login incorrect (Warning: Found 2 auth-types on request for user 'mh300163.millerextra.com'): [mh300163.millerextra.com] (from client MWAN-10.225.15.1 port 3 cli 18-66-da-40-c0-53)
(7) Delaying response for 1.000000 seconds
(7) Sending delayed response
(7) Sent Access-Reject Id 9 from 10.10.251.2:1812 to 10.225.15.1:44056 length 20
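An added example (not from the thread or from FreeRADIUS): a Python model of the two checks the debug log shows. It decodes the EAP-Message from request (0) above and replays the eap module's identity-vs-User-Name check and the eap_tls check_cert_cn expansion under three approaches: no rewrite, the User-Name rewrite from the snippet, and a separate Cert-CN attribute. The expansion and comparison logic is a simplified model rather than the server's code, and it assumes the client certificate CN is the bare hostname, as the "Certificate CN ... does not match" error quoted earlier shows.

```python
import re
import struct

# EAP-Message from request (0) in the posted debug log: an EAP Response/Identity.
EAP_MESSAGE_HEX = "0237002201686f73742f6d683330313235312e6d696c6c657265787472612e636f6d"


def parse_eap_identity(hexdata: str) -> dict:
    """Decode an EAP packet (RFC 3748 layout: code, id, length, type, data)."""
    raw = bytes.fromhex(hexdata)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length field does not match packet size")
    if code != 2 or raw[4] != 1:  # code 2 = Response, type 1 = Identity
        raise ValueError("not an EAP Response/Identity")
    return {"code": code, "id": ident, "identity": raw[5:].decode("ascii")}


def strip_host_prefix(user_name: str) -> str:
    """The thread's regex: if (&User-Name =~ /^host\\/(.*)$/) then use %{1}."""
    m = re.match(r"^host/(.*)$", user_name)
    return m.group(1) if m else user_name


def eap_identity_matches(eap_identity: str, user_name: str) -> bool:
    """eap module check behind 'Identity does not match User-Name'."""
    return eap_identity == user_name


def check_cert_cn(cert_cn: str, request: dict) -> bool:
    """eap_tls check_cert_cn = %{%{Cert-CN}:-%{User-Name}}: the %{a:-b}
    alternation expands to Cert-CN if the request has it, else User-Name."""
    expected = request.get("Cert-CN") or request["User-Name"]
    return cert_cn == expected


def evaluate(approach: str) -> dict:
    """Replay both checks for request (0) with or without the unlang rewrite.
    Assumption: the client certificate CN is the bare hostname (no host/)."""
    pkt = parse_eap_identity(EAP_MESSAGE_HEX)
    request = {"User-Name": pkt["identity"]}
    cert_cn = strip_host_prefix(pkt["identity"])
    if approach == "rewrite-user-name":  # the poster's second snippet
        request["User-Name"] = strip_host_prefix(request["User-Name"])
    elif approach == "add-cert-cn":  # the approach recommended in the thread
        request["Cert-CN"] = strip_host_prefix(request["User-Name"])
    return {
        "identity_ok": eap_identity_matches(pkt["identity"], request["User-Name"]),
        "cert_cn_ok": check_cert_cn(cert_cn, request),
    }
```

Running evaluate() with "rewrite-user-name" reproduces the identity failure from request (7), while "add-cert-cn" passes both checks without touching User-Name.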