Ok. Fair point. Thank you Markus
----- Original Message -----
From: "Hugh Irvine" <[email protected]>
To: "Markus Moeller" <[email protected]>
Cc: "Sami Keski-Kasari" <[email protected]>; <[email protected]>
Sent: Thursday, November 04, 2010 10:35 PM
Subject: Re: [RADIATOR] WLAN EAP-TLS auth issue

Hello Markus -

Because most people want it enabled.

regards

Hugh

On 5 Nov 2010, at 06:45, Markus Moeller wrote:

> That solved it. Why is this not the default?
>
> Thank you
> Markus
>
> ----- Original Message -----
> From: "Sami Keski-Kasari" <[email protected]>
> To: "Markus Moeller" <[email protected]>; <[email protected]>
> Sent: Wednesday, November 03, 2010 9:07 PM
> Subject: Re: [RADIATOR] WLAN EAP-TLS auth issue
>
>> Have you tried EAPTLS_SessionResumption 0?
>>
>> --
>> Sami
>>
>> "Markus Moeller" <[email protected]> wrote:
>>
>>> BTW I use version 4.7.
>>> ----- Original Message -----
>>> From: Markus Moeller
>>> To: [email protected]
>>> Sent: Wednesday, November 03, 2010 8:04 PM
>>> Subject: WLAN EAP-TLS auth issue
>>>
>>> Hi
>>>
>>> I am testing EAP-TLS auth with Radiator and came across the following.
>>> I have two SSIDs, SSID-1 and SSID-2, and want to restrict access to
>>> SSID-1 and SSID-2 based on the certificate issuer, e.g. on SSID-1 I allow
>>> certs from issuer COMP-A and on SSID-2 from COMP-B. What I notice is that
>>> once a user, let's say, authenticates to SSID-1 successfully and then
>>> disconnects and connects to SSID-2, the EAPTLS hook is not called (see
>>> log example). I also see that the server is not sending the CA to the
>>> client. Can it be that it is not seen as a new session?
>>>
>>> I have the following configuration.
>>>
>>> # EAPTLS authentication
>>> <AuthBy FILE>
>>> Identifier EapTLS
>>> # the file is used to check usernames (assuming EAP-TLS certificate
>>> # checks pass): just contains DEFAULT
>>> Filename %D/wlan_users
>>> EAPType TLS
>>> # WLAN Additional Certificate Check
>>> EAPTLS_CertificateVerifyHook file:"%D/cert_check.pl"
>>> # WLAN root CAs
>>> EAPTLS_CAFile %D/certs/CAa.pem
>>>
>>> EAPTLS_CertificateType PEM
>>> # Radiator Cert
>>> EAPTLS_CertificateFile %D/certs/server_cert.pem
>>> # Radiator private key
>>> EAPTLS_PrivateKeyFile %D/certs/server_cert.key
>>>
>>> EAPTLS_MaxFragmentSize 1000
>>>
>>> EAPTLS_CRLCheck
>>> EAPTLS_CRLFile %D/certs/crls/Root_CA.pem
>>>
>>> AutoMPPEKeys
>>> </AuthBy>
>>>
>>>
>>> sub {
>>>
>>> use Crypt::OpenSSL::X509;
>>> &main::log($main::LOG_DEBUG,"cert_check: enter hook");
>>>
>>> # Hook arguments as passed by Radiator for EAPTLS_CertificateVerifyHook
>>> my $p0 = $_[0]; # $matchdn
>>> my $p1 = $_[1]; # $x509_store_ctx
>>> my $p2 = $_[2]; # $cert
>>> my $p3 = $_[3]; # $subject_name
>>> my $p4 = $_[4]; # $subject
>>> my $p = $_[5]; # $p Radius Request
>>>
>>> # Issuer DN in OpenSSL one-line form ("/C=UK/OU=Test/CN=User CA");
>>> # the $user_CA pattern below has to be written in the same form to match
>>> my $issuer_name =
>>> &Net::SSLeay::X509_NAME_oneline(&Net::SSLeay::X509_get_issuer_name($p2));
>>>
>>> my $x509 =
>>> Crypt::OpenSSL::X509->new_from_string(&Net::SSLeay::PEM_get_string_X509($p2));
>>> my $extensions = &Crypt::OpenSSL::X509::extensions_by_name($x509);
>>>
>>> # a certificate with no extendedKeyUsage extension yields an empty list
>>> # instead of dying inside extKeyUsage()
>>> my @extendedKeyUsage = $extensions->{extendedKeyUsage}
>>> ? &Crypt::OpenSSL::X509::Extension::extKeyUsage($extensions->{extendedKeyUsage})
>>> : ();
>>>
>>> my $eku_req_client_auth = grep { /clientAuth/ } ( @extendedKeyUsage );
>>> my $eku_req_client_any = grep { /anyExtendedKeyUsage/ } ( @extendedKeyUsage );
>>>
>>> &main::log($main::LOG_DEBUG,"cert_check: matchDN: $p0");
>>> &main::log($main::LOG_DEBUG,"cert_check: issuer: $issuer_name");
>>> &main::log($main::LOG_DEBUG,"cert_check: Extended Key Usage strings found in certificate: " . (join " & ", @extendedKeyUsage) );
>>>
>>> # User certificate CA strings:
>>> my $user_CA = 'CN=User CA, OU=Test, C=UK';
>>>
>>> # bail out if cannot determine the extendedKeyUsage for this certificate:
>>> if ( $eku_req_client_auth == 0 && $eku_req_client_any == 0 ) {
>>> &main::log($main::LOG_ERR,"cert_check: certificate presented does not have required values present in Extended Key Usage field.");
>>> return undef;
>>> }
>>>
>>> # test each issuer string (which is valid for this ssid) against
>>> # the issuer string in the certificate in the request:
>>> my $match = 0;
>>>
>>> if ($issuer_name =~ /^$user_CA$/) {
>>> $match++;
>>> &main::log($main::LOG_DEBUG,"cert_check: Successful match for issuer_name [$issuer_name] with issuer_string [$user_CA]");
>>> }
>>>
>>> if ( $match == 0 ) {
>>> &main::log($main::LOG_ERR,"cert_check: invalid certificate issuer [$issuer_name] in request.");
>>> return undef;
>>> }
>>>
>>> # accept the certificate: the hook must return true for Radiator to continue
>>> return 1;
>>> }
>>>
>>>
>>> Wed Nov 3 09:32:20 2010: DEBUG: Packet dump:
>>> *** Received from 191.169.1.21 port 32768 ....
>>> Code: Access-Request
>>> Identifier: 153
>>> Authentic: +R<20><209><177><167>5/<246>y%<135><133><134><191><173>
>>> Attributes:
>>> User-Name = "[email protected]"
>>> Calling-Station-Id = "00-22-fa-aa-bb-cc"
>>> Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
>>> NAS-Port = 29
>>> NAS-IP-Address = 191.169.1.21
>>> NAS-Identifier = "Controller1"
>>> Airespace-WLAN-Id = 7
>>> Service-Type = Framed-User
>>> Framed-MTU = 1300
>>> NAS-Port-Type = Wireless-IEEE-802-11
>>> Tunnel-Type = 0:VLAN
>>> Tunnel-Medium-Type = 0:802
>>> Tunnel-Private-Group-ID = 662
>>> EAP-Message = <2><3><0><18><1>[email protected]
>>> Message-Authenticator = L><159><3>4<221><139>8<214>g<237><153><22>v<200><197>
>>>
>>> Wed Nov 3 09:32:20 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
>>> Wed Nov 3 09:32:20 2010: DEBUG: Deleting session for [email protected], 191.169.1.21, 29
>>> Wed Nov 3 09:32:20 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
>>> Wed Nov 3 09:32:20 2010: DEBUG: Handling with EAP: code 2, 3, 18, 1
>>> Wed Nov 3 09:32:20 2010: DEBUG: Response type 1
>>> Wed Nov 3 09:32:20 2010: DEBUG: EAP result: 3, EAP TLS Challenge
>>> Wed Nov 3 09:32:20 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
>>> Wed Nov 3 09:32:20 2010: DEBUG: Access challenged for [email protected]: EAP TLS Challenge
>>> Wed Nov 3 09:32:20 2010: DEBUG: Packet dump:
>>> *** Sending to 191.169.1.21 port 32768 ....
>>> Code: Access-Challenge
>>> Identifier: 153
>>> Authentic: <213>o<31><153>j1<190><209>Yu&<238><166><210>_<16>
>>> Attributes:
>>> EAP-Message = <1><4><0><6><13>
>>> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>
>>> Wed Nov 3 09:32:21 2010: DEBUG: Packet dump:
>>> *** Received from 191.169.1.21 port 32768 ....
>>> Code: Access-Request
>>> Identifier: 154
>>> Authentic: >k<16>#p<154><1><245><194>d<165><131><189><143><237><142>
>>> Attributes:
>>> User-Name = "[email protected]"
>>> Calling-Station-Id = "00-22-fa-aa-bb-cc"
>>> Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
>>> NAS-Port = 29
>>> NAS-IP-Address = 191.169.1.21
>>> NAS-Identifier = "Controller1"
>>> Airespace-WLAN-Id = 7
>>> Service-Type = Framed-User
>>> Framed-MTU = 1300
>>> NAS-Port-Type = Wireless-IEEE-802-11
>>> Tunnel-Type = 0:VLAN
>>> Tunnel-Medium-Type = 0:802
>>> Tunnel-Private-Group-ID = 662
>>> EAP-Message = <2><4><0>W<13><128><0><0><0>M<22><3><1><0>H<1><0><0>D<3><1>L<209>,%<239><146><242><12><235><234>.'<3>h<6><31><178>Y3<155><194><158><177>A<142><239><188>T}<202>J&<0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>c<1><0><0><5><255><1><0><1><0>
>>> Message-Authenticator = Pg<184><167>vMr<0><24>D<189><210><248>a<241><191>
>>>
>>> Wed Nov 3 09:32:21 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
>>> Wed Nov 3 09:32:21 2010: DEBUG: Deleting session for [email protected], 191.169.1.21, 29
>>> Wed Nov 3 09:32:21 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
>>> Wed Nov 3 09:32:21 2010: DEBUG: Handling with EAP: code 2, 4, 87, 13
>>> Wed Nov 3 09:32:21 2010: DEBUG: Response type 13
>>> Wed Nov 3 09:32:21 2010: DEBUG: EAP result: 3, EAP TLS Challenge
>>> Wed Nov 3 09:32:21 2010: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
>>> Wed Nov 3 09:32:21 2010: DEBUG: Access challenged for [email protected]: EAP TLS Challenge
>>> Wed Nov 3 09:32:21 2010: DEBUG: Packet dump:
>>> *** Sending to 191.169.1.21 port 32768 ....
>>> Code: Access-Challenge
>>> Identifier: 154
>>> Authentic: y<241><254>,<218>r_<188>Cx<13><222>|<229>;S
>>> Attributes:
>>> EAP-Message = <1><5><3><242><13><192><0><0><19><9><22><3><....
>>> EAP-Message = Z<23><13>111014083918Z0i1<19>0<17><6><10><9><146>.....
>>> EAP-Message = <136><11><151><141>_<172>gL<222>)<25><142><186>.....
>>> EAP-Message = ........
>>> Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>
>>> Wed Nov 3 09:32:22 2010: DEBUG: Packet dump:
>>> *** Received from 191.169.1.21 port 32768 ....
>>> Code: Access-Request
>>> Identifier: 155
>>> Authentic: <158><174><179>V<16><12><128><213><222>6M<173><201>g?<134>
>>> Attributes:
>>> User-Name = "[email protected]"
>>> Calling-Station-Id = "00-22-fa-aa-bb-cc"
>>> Called-Station-Id = "00-1a-e3-ab-cd-ed:SSID-1"
>>> NAS-Port = 29
>>> NAS-IP-Address = 191.169.1.21
>>> NAS-Identifier = "Controller1"
>>> Airespace-WLAN-Id = 7
>>> Service-Type = Framed-User
>>> Framed-MTU = 1300
>>> NAS-Port-Type = Wireless-IEEE-802-11
>>> Tunnel-Type = 0:VLAN
>>> Tunnel-Medium-Type = 0:802
>>> Tunnel-Private-Group-ID = 662
>>> EAP-Message = <2><5><0><6><13><0>
>>> Message-Authenticator = <178>[ ,i<24>f<24><<17><176>Dx]g<164>
>>>
>>> Wed Nov 3 09:32:22 2010: DEBUG: Handling request with Handler 'DeviceClass="WLAN"'
>>> Wed Nov 3 09:32:22 2010: DEBUG: Deleting session for [email protected], 191.169.1.21, 29
>>> Wed Nov 3 09:32:22 2010: DEBUG: Handling with Radius::AuthFILE: EapTLS
>>> Wed Nov 3 09:32:22 2010: DEBUG: Handling with EAP: code 2, 5, 6, 13
>>> Wed Nov 3 09:32:22 2010: DEBUG: Response type 13
>>>
>> --
>> Sami
>>
>
>
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator

NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?

--

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec), and DIAMETER translation agent.
- Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
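The thread's hook checks a single issuer and never looks at which SSID the client is joining, while the stated goal is "COMP-A on SSID-1, COMP-B on SSID-2". The following is an added example, not code from the thread or from Radiator, of a per-SSID issuer policy in the same hook shape; the SSID is taken from the Called-Station-Id attribute seen in the log (`<AP-MAC>:<SSID>`) via Radiator's `$p->get_attr`, and the issuer DNs and SSID names are constructed placeholders.

```perl
#!/usr/bin/perl
# Added example (not from the thread): per-SSID issuer policy for an
# EAPTLS_CertificateVerifyHook. SSID names and issuer DNs are hypothetical.
use strict;
use warnings;

# SSID -> issuer DNs allowed on that SSID, written in OpenSSL one-line
# form because that is what Net::SSLeay::X509_NAME_oneline returns.
my %ALLOWED_ISSUERS = (
    'SSID-1' => [ '/C=UK/O=COMP-A/CN=COMP-A User CA' ],
    'SSID-2' => [ '/C=UK/O=COMP-B/CN=COMP-B User CA' ],
);

# Called-Station-Id from the WLAN controller is "<AP-MAC>:<SSID>" (see the
# log: "00-1a-e3-ab-cd-ed:SSID-1"); return the SSID, or undef if the
# attribute is missing or carries no SSID suffix.
sub ssid_from_called_station_id {
    my ($csid) = @_;
    return undef unless defined $csid && $csid =~ /^[0-9A-Fa-f-]+:(.+)$/;
    return $1;
}

# True only if the issuer DN is on the allow-list for this SSID.
# Unknown SSID, missing SSID and unknown issuer all deny (default deny).
sub issuer_allowed_for_ssid {
    my ($ssid, $issuer) = @_;
    return 0 unless defined $ssid && defined $issuer;
    my $allowed = $ALLOWED_ISSUERS{$ssid} or return 0;
    return (grep { $_ eq $issuer } @$allowed) ? 1 : 0;
}

# Hook body with Radiator's argument order: ($matchedcn, $x509_store_ctx,
# $cert, $subject_name, $subject, $p). It only runs on a full TLS handshake:
# with EAPTLS_SessionResumption left enabled, a session first established on
# SSID-1 can be resumed on SSID-2 without this check running at all, which is
# why the thread's fix is EAPTLS_SessionResumption 0.
sub cert_check_hook {
    my ($matchedcn, $ctx, $cert, $subject_name, $subject, $p) = @_;
    my $issuer = Net::SSLeay::X509_NAME_oneline(
        Net::SSLeay::X509_get_issuer_name($cert));
    my $ssid = ssid_from_called_station_id($p->get_attr('Called-Station-Id'));
    return issuer_allowed_for_ssid($ssid, $issuer);
}

# Stand-alone exercise of the policy with constructed values (no Radiator needed)
if (!caller) {
    my $ssid = ssid_from_called_station_id('00-1a-e3-ab-cd-ed:SSID-1');
    print "$ssid COMP-A: ", issuer_allowed_for_ssid($ssid, '/C=UK/O=COMP-A/CN=COMP-A User CA'), "\n";
    print "$ssid COMP-B: ", issuer_allowed_for_ssid($ssid, '/C=UK/O=COMP-B/CN=COMP-B User CA'), "\n";
}
```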
