Authentication issues

David le Roux david.leroux at miller.co.uk
Mon Jun 27 13:51:15 UTC 2022


Hi Alan, thanks for the feedback.

>> So I used the scriptlet below to remove the host/ section and now no longer get the error message.
>>
>> if (&User-Name =~ /^host\/(.*)$/) {
>>   update request {
>>     &Cert-CN := "%{1}"
>>   }
>> }
>
>  That's good.
>
>> However I now get the following error:
>>
>> (2)     if (&User-Name =~ /^host\/(.*)$/) {
>> (2)     if (&User-Name =~ /^host\/(.*)$/)  -> TRUE
>> (2)     if (&User-Name =~ /^host\/(.*)$/)  {
>> (2)       update request {
>> (2)         EXPAND %{1}
>> (2)            --> hostname.domain.com
>> (2)         &User-Name := hostname.domain.com
>
>  That isn't what you posted above.  You're editing the User-Name, and not adding a Cert-CN attribute.

That's because when I put the unlang script above in place, I get the following error in journalctl -xe:

/etc/freeradius/3.0/sites-enabled/mh-site[27]: Unknown attribute 'Cert-CN'

Therefore I tried the following script instead (which is what I should have included above), and that is what gave the above error:

 if (&User-Name =~ /^host\/(.*)$/) {
   update request {
     &User-Name := "%{1}"
   }
 }

>> (2) Found Auth-Type = eap
>> (2) Found Auth-Type = eap
>> (2) ERROR: Warning:  Found 2 auth-types on request for user 'hostname.domain.com'
>
>  Don't force "Auth-Type = eap".  It's wrong, and it will cause problems.  Let the server figure out what to do.  It will make the right decision.

Noted.

>> (2) eap: Identity does not match User-Name.  Authentication failed
>
>  Yup.
>
>> I imagine that having now modified the username it no longer matches its identity. I'm not sure how to remediate that.
>
>  Don't modify the User-Name?

I was under the impression that the previous error:

>> tls: Certificate CN (mh300416.millerextra.com) does not match specified value (host/mh300416.millerextra.com)!
>> (8) eap_tls: >>> send TLS 1.2  [length 0002]
>> (8) eap_tls: ERROR: TLS Alert write:fatal:internal error
>> tls: TLS_accept: Error in error

required modifying the username to match the certificate?

>  Instead, add a Cert-CN, and then modify the "eap" module to check for Cert-CN, and then User-Name:
>
>       check_cert_cn = %{%{Cert-CN}:-%{User-Name}}

I've added that, but the error messages before and after adding it are the same.

Here are two samples from the debug log:

(0) Received Access-Request Id 5 from 10.224.83.1:55126 to 10.10.251.2:1812 length 192
(0)   User-Name = "host/mh301251.millerextra.com"
(0)   NAS-IP-Address = 127.0.0.1
(0)   Called-Station-Id = "AC-17-C8-A1-BD-48:"
(0)   NAS-Port-Type = Ethernet
(0)   Service-Type = Framed-User
(0)   NAS-Port = 2
(0)   Calling-Station-Id = "48-4D-7E-F1-EA-19"
(0)   Acct-Session-Id = "09359BDDFCA6B78E"
(0)   Framed-MTU = 1400
(0)   EAP-Message = 0x0237002201686f73742f6d683330313235312e6d696c6c657265787472612e636f6d
(0)   Message-Authenticator = 0x03f0855274d889448947df9a9fd3424e
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0) eap: Peer sent EAP Response (code 2) ID 55 length 34
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(0)   Auth-Type EAP {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_tls to process data
(0) eap_tls: (TLS) Initiating new session
(0) eap_tls: (TLS) Setting verify mode to require certificate from client
(0) eap: Sending EAP Request (code 1) ID 56 length 6
(0) eap: EAP session adding &reply:State = 0x699f699869a764e8
(0)     [eap] = handled
(0)   } # Auth-Type EAP = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) session-state: Saving cached attributes
(0)   Framed-MTU = 994
(0) Sent Access-Challenge Id 5 from 10.10.251.2:1812 to 10.224.83.1:55126 length 64
(0)   EAP-Message = 0x013800060d20
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x699f699869a764e8d6204fd4e9d08f1d
(0) Finished request

(7) Received Access-Request Id 9 from 10.225.15.1:44056 to 10.10.251.2:1812 length 342
(7)   User-Name = "host/mh300163.millerextra.com"
(7)   NAS-IP-Address = 127.0.0.1
(7)   Called-Station-Id = "E0-55-3D-89-2E-20:"
(7)   NAS-Port-Type = Ethernet
(7)   Service-Type = Framed-User
(7)   NAS-Port = 3
(7)   Calling-Station-Id = "18-66-DA-40-C0-53"
(7)   Acct-Session-Id = "25ECF349CE9496B2"
(7)   Framed-MTU = 1400
(7)   EAP-Message = 0x022600a60d800000009c160303009701000093030362b71d68d878afc7d77f055c7dd12f0cb835715834e077f7a1dafeb097a7456200002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000040000500050100000000000a00080006001d00170018000b00020100000d001400120401050102010403050302030202060106030023000000170000ff01000100
(7)   State = 0x00b4d7a90092daeea8e4e63457a93006
(7)   Message-Authenticator = 0x0fefe8ca6f7fc30bbe5980c32a7e2dfc
(7) Restoring &session-state
(7)   &session-state:Framed-MTU = 994
(7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(7)   authorize {
(7)     policy filter_username {
(7)       if (&User-Name) {
(7)       if (&User-Name)  -> TRUE
(7)       if (&User-Name)  {
(7)         if (&User-Name =~ / /) {
(7)         if (&User-Name =~ / /)  -> FALSE
(7)         if (&User-Name =~ /@[^@]*@/ ) {
(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)         if (&User-Name =~ /\.\./ ) {
(7)         if (&User-Name =~ /\.\./ )  -> FALSE
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)         if (&User-Name =~ /\.$/)  {
(7)         if (&User-Name =~ /\.$/)   -> FALSE
(7)         if (&User-Name =~ /@\./)  {
(7)         if (&User-Name =~ /@\./)   -> FALSE
(7)       } # if (&User-Name)  = notfound
(7)     } # policy filter_username = notfound
(7)     [preprocess] = ok
(7)     [chap] = noop
(7) eap: Peer sent EAP Response (code 2) ID 38 length 166
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7)     [eap] = updated
(7)     [files] = noop
(7)     [expiration] = noop
(7)     [logintime] = noop
(7)     policy rewrite_calling_station_id {
(7)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(7)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  -> TRUE
(7)       if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  {
(7)         update request {
(7)           EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(7)              --> 18-66-da-40-c0-53
(7)           &Calling-Station-Id := 18-66-da-40-c0-53
(7)         } # update request = noop
(7)         [updated] = updated
(7)       } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i))  = updated
(7)       ... skipping else: Preceding "if" was taken
(7)     } # policy rewrite_calling_station_id = updated
(7)     if (&User-Name =~ /^host\/(.*)$/) {
(7)     if (&User-Name =~ /^host\/(.*)$/)  -> TRUE
(7)     if (&User-Name =~ /^host\/(.*)$/)  {
(7)       update request {
(7)         EXPAND %{1}
(7)            --> mh300163.millerextra.com
(7)         &User-Name := mh300163.millerextra.com
(7)       } # update request = noop
(7)     } # if (&User-Name =~ /^host\/(.*)$/)  = noop
(7)     if (!EAP-Message) {
(7)     if (!EAP-Message)  -> FALSE
(7)     else {
(7) eap: Peer sent EAP Response (code 2) ID 38 length 166
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7)       [eap] = updated
(7)     } # else = updated
(7)   } # authorize = updated
(7) Found Auth-Type = eap
(7) Found Auth-Type = eap
(7) ERROR: Warning:  Found 2 auth-types on request for user 'mh300163.millerextra.com'
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(7)   Auth-Type EAP {
(7) eap: Expiring EAP session with state 0xdb417641db437b52
(7) eap: Finished EAP session with state 0x00b4d7a90092daee
(7) eap: Previous EAP request found for state 0x00b4d7a90092daee, released from the list
(7) eap: Identity does not match User-Name.  Authentication failed
(7) eap: Failed in handler
(7)     [eap] = invalid
(7)   } # Auth-Type EAP = invalid
(7) Failed to authenticate the user
(7) Using Post-Auth-Type Reject
(7) Post-Auth-Type sub-section not found.  Ignoring.
(7) Login incorrect (Warning:  Found 2 auth-types on request for user 'mh300163.millerextra.com'): [mh300163.millerextra.com] (from client MWAN-10.225.15.1 port 3 cli 18-66-da-40-c0-53)
(7) Delaying response for 1.000000 seconds

(7) Sending delayed response
(7) Sent Access-Reject Id 9 from 10.10.251.2:1812 to 10.225.15.1:44056 length 20
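For reference, the three pieces of the suggested fix assembled into one configuration fragment: a local dictionary entry so that 'Cert-CN' is no longer an unknown attribute, an authorize rule that fills Cert-CN without rewriting User-Name (so the EAP identity check still matches), and the check_cert_cn setting in the eap module. This is an added illustration, not configuration from the thread or from the FreeRADIUS project; the attribute number 3000, the dictionary path and the mods-available/eap location are assumptions.

```text
# 1. /etc/freeradius/3.0/dictionary (assumed path of the local dictionary).
#    Unlang refuses to parse a reference to an attribute the server has
#    never heard of, which is the "Unknown attribute 'Cert-CN'" error.
#    3000 is an assumed number from the range FreeRADIUS leaves for
#    site-local attributes; it never appears on the wire.
ATTRIBUTE   Cert-CN   3000   string

# 2. /etc/freeradius/3.0/sites-enabled/mh-site, authorize section.
#    Copy the part after "host/" into Cert-CN and leave User-Name alone:
#    the eap module compares the EAP-Identity with User-Name, so changing
#    User-Name mid-conversation produces "Identity does not match
#    User-Name".  Do not set Auth-Type := eap here, and call "eap" only
#    once in authorize; otherwise you get "Found 2 auth-types".
if (&User-Name =~ /^host\/(.*)$/) {
    update request {
        &Cert-CN := "%{1}"
    }
}

# 3. mods-available/eap (assumed location), inside
#    tls-config tls-common { ... }.
#    Compare the client certificate CN against Cert-CN when it is set,
#    otherwise fall back to the unmodified User-Name.
check_cert_cn = %{%{Cert-CN}:-%{User-Name}}
```

Restart the server in debug mode after the change and confirm that the "Unknown attribute" message is gone and that the authorize output shows Cert-CN being set while User-Name keeps its host/ prefix.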