DER format in TLS certificates
Iñigo Vicente
ivicente at bexencardio.com
Mon Mar 7 13:35:12 UTC 2022
I have configured etc/raddb/mods-available/eap:

eap {
    default_eap_type = tls
}
peap {
    default_eap_type = tls
}
I have this warning:
6) eap_tls: WARNING: (TLS) EAP Total received record fragments (91
bytes), does not equal expected expected data length (0 bytes)
And this is my log:
(12) Received Access-Request Id 245 from 172.17.0.1:50346 to 172.17.0.2:1812
length 228
(12) User-Name = "bob"
(12) NAS-IP-Address = 192.168.2.1
(12) NAS-Identifier = "RalinkAP0"
(12) NAS-Port = 0
(12) Called-Station-Id = "04-D9-F5-57-18-30"
(12) Calling-Station-Id = "00-0B-57-F6-1C-D5"
(12) Framed-MTU = 1400
(12) NAS-Port-Type = Wireless-802.11
(12) EAP-Message =
0x0208005c0d00011603030050b26cf6b6226b3980df1fbf03079d6cf034ebba09a493c5f51e2b3c95ac12d5366d8429430577a30f6ec4647169c7ca70a2aed956dfab9473c0c3f7f00f8eff475db3f3fa5a27aa592bfc598b75310dff
(12) State = 0x65c4754763cc78ec7a205a84609f1783
(12) Message-Authenticator = 0xa68af9191955bedeeab1daf3abfca207
(12) Restoring &session-state
(12) &session-state:Framed-MTU = 994
(12) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
Handshake, ClientHello"
(12) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHello"
(12) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, Certificate"
(12) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, CertificateRequest"
(12) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
Handshake, ServerHelloDone"
(12) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(12) authorize {
(12) policy filter_username {
(12) if (&User-Name) {
(12) if (&User-Name) -> TRUE
(12) if (&User-Name) {
(12) if (&User-Name =~ / /) {
(12) if (&User-Name =~ / /) -> FALSE
(12) if (&User-Name =~ /@[^@]*@/ ) {
(12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(12) if (&User-Name =~ /\.\./ ) {
(12) if (&User-Name =~ /\.\./ ) -> FALSE
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(12) if ((&User-Name =~ /@/) && (&User-Name !~
/@(.+)\.(.+)$/)) -> FALSE
(12) if (&User-Name =~ /\.$/) {
(12) if (&User-Name =~ /\.$/) -> FALSE
(12) if (&User-Name =~ /@\./) {
(12) if (&User-Name =~ /@\./) -> FALSE
(12) } # if (&User-Name) = notfound
(12) } # policy filter_username = notfound
(12) [preprocess] = ok
(12) [chap] = noop
(12) [mschap] = noop
(12) [digest] = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: No '@' in User-Name = "bob", looking up realm NULL
(12) suffix: No such realm "NULL"
(12) [suffix] = noop
(12) eap: Peer sent EAP Response (code 2) ID 8 length 92
(12) eap: No EAP Start, assuming it's an on-going EAP conversation
(12) [eap] = updated
(12) files: users: Matched entry bob at line 87
(12) [files] = ok
(12) [expiration] = noop
(12) [logintime] = noop
(12) pap: WARNING: Auth-Type already set. Not setting to PAP
(12) [pap] = noop
(12) } # authorize = updated
(12) Found Auth-Type = eap
(12) # Executing group from file /etc/freeradius/sites-enabled/default
(12) authenticate {
(12) eap: Expiring EAP session with state 0x83c0258587c628a6
(12) eap: Finished EAP session with state 0x65c4754763cc78ec
(12) eap: Previous EAP request found for state 0x65c4754763cc78ec,
released from the list
(12) eap: Peer sent packet with method EAP TLS (13)
(12) eap: Calling submodule eap_tls to process data
(12) eap_tls: (TLS) EAP Got final fragment (86 bytes)
(12) eap_tls: (TLS) EAP Done initial handshake
(12) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done
(12) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate
(12) eap_tls: (TLS) send TLS 1.2 Alert, fatal decode_error
(12) eap_tls: ERROR: (TLS) Alert write:fatal:decode error
(12) eap_tls: ERROR: (TLS) Server : Error in error
(12) eap_tls: ERROR: (TLS) Failed reading from OpenSSL:
error:1417C087:SSL routines:tls_process_client_certificate:cert length
mismatch
(12) eap_tls: ERROR: (TLS) System call (I/O) error (-1)
(12) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation
(12) eap_tls: ERROR: [eaptls process] = fail
(12) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
(12) eap: Sending EAP Failure (code 4) ID 8 length 4
(12) eap: Failed in EAP select
(12) [eap] = invalid
(12) } # authenticate = invalid
(12) Failed to authenticate the user
(12) Using Post-Auth-Type Reject
(12) # Executing group from file /etc/freeradius/sites-enabled/default
(12) Post-Auth-Type REJECT {
(12) attr_filter.access_reject: EXPAND %{User-Name}
(12) attr_filter.access_reject: --> bob
(12) attr_filter.access_reject: Matched entry DEFAULT at line 11
(12) [attr_filter.access_reject] = updated
(12) [eap] = noop
(12) policy remove_reply_message_if_eap {
(12) if (&reply:EAP-Message && &reply:Reply-Message) {
(12) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(12) else {
(12) [noop] = noop
(12) } # else = noop
(12) } # policy remove_reply_message_if_eap = noop
(12) } # Post-Auth-Type REJECT = updated
(12) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(12) (12) Discarding duplicate request from client desktop port 50346
- ID: 245 due to delayed response
(12) Sending delayed response
(12) Sent Access-Reject Id 245 from 172.17.0.2:1812 to 172.17.0.1:50346
length 44
(12) EAP-Message = 0x04080004
(12) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(9) Cleaning up request packet ID 242 with timestamp +53
(10) Cleaning up request packet ID 243 with timestamp +53
(11) Cleaning up request packet ID 244 with timestamp +53
(12) Cleaning up request packet ID 245 with timestamp +53
Ready to process requests
Instead, the connection with PEAP-MSCHAP is correct.
On Mon, 7 Mar 2022 at 13:39, Alan DeKok (<aland at deployingradius.com>)
wrote:
> On Mar 7, 2022, at 4:19 AM, Iñigo Vicente <ivicente at bexencardio.com>
> wrote:
> >
> > What changes do I have to make to configure freeradius with TLS?
>
> Edit the configuration files.
>
> There's lots of documentation and examples.
>
> If you have a *specific* question, ask that. Questions like "How can I
> do stuff" are vague and useless.
>
> Alan DeKok.
>
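To make the log easier to read, here is an added decoder (not the poster's code and not part of FreeRADIUS) for the EAP-TLS payload inside a RADIUS EAP-Message attribute, following the RFC 3748 / RFC 5216 layout. Run on the value copied from request (12) above, it shows a 92-byte EAP Response (ID 8, type 13) whose L and M bits are clear and whose data does not start on a TLS record boundary, i.e. the final fragment of a larger message; the ACK and first-fragment samples, and the comparison behind the "received record fragments ... expected data length" warning, are constructed assumptions for illustration.

```python
# Decode the EAP-TLS payload carried in a RADIUS EAP-Message attribute (RFC 3748, RFC 5216).
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
             13: "CertificateRequest", 14: "ServerHelloDone", 15: "CertificateVerify",
             16: "ClientKeyExchange", 20: "Finished"}

# EAP-Message value copied verbatim from request (12) in the log above.
EAP_MESSAGE_HEX = ("0x0208005c0d00011603030050b26cf6b6226b3980df1fbf03079d6cf034ebba09a493c5f51e2b3c95"
                   "ac12d5366d8429430577a30f6ec4647169c7ca70a2aed956dfab9473c0c3f7f00f8eff475db3f3fa5a"
                   "27aa592bfc598b75310dff")
# Constructed samples (not from the log): an EAP-TLS ACK, and the first fragment of a
# 1000-byte Certificate message with the L and M bits set (RFC 5216 section 3.2).
CONSTRUCTED_ACK_HEX = "0x020900060d00"
CONSTRUCTED_FIRST_FRAGMENT_HEX = "0x020a00160dc0000003e816030303e30b0003df0003dc"


def decode_eap_tls(hex_value):
    """Return the EAP header, EAP-TLS flags and, if the fragment starts a TLS record, its header."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != attribute length {len(raw)}")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or raw[4] != EAP_TYPE_TLS:
        return info  # Success/Failure carry no data; other EAP types are not decoded here
    flags = raw[5]
    info.update(type=raw[4], flags={"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)})
    pos, info["tls_message_length"] = 6, 0      # 0 is what the server expects when L is absent
    if flags & 0x80:                            # L bit: 4-byte total TLS message length follows
        info["tls_message_length"], pos = struct.unpack("!I", raw[6:10])[0], 10
    data = raw[pos:]
    info["fragment_bytes"], info["record"] = len(data), None
    # A TLS record header sits at offset 0 only in the first fragment of a message; later
    # fragments continue the byte stream (the log's 86-byte fragment starts with 0x01, not a header).
    if len(data) >= 5 and data[0] in TLS_CONTENT and int.from_bytes(data[1:3], "big") in TLS_VERSIONS:
        ctype, ver, rlen = struct.unpack("!BHH", data[:5])
        info["record"] = {"type": TLS_CONTENT[ctype], "version": TLS_VERSIONS[ver],
                          "length": rlen, "complete": len(data) - 5 >= rlen}
        if ctype == 22 and rlen:
            info["handshake"] = HANDSHAKE.get(data[5], data[5])
    return info


def fragment_mismatch(fragments_hex):
    """Mirror the check behind the log's warning: bytes received across fragments vs the L-bit length."""
    decoded = [decode_eap_tls(h) for h in fragments_hex]
    return sum(d["fragment_bytes"] for d in decoded), decoded[0]["tls_message_length"]
```

With only the fragment from the log, fragment_mismatch returns (86, 0): no L bit was ever seen, so the expected length is 0, the same situation the warning at the top of the post reports for 91 bytes.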