EAP-TLS Signature Check Failure


EAP-TLS Signature Check Failure

Users mailing list
Hi there,

Newbie here, so please be gentle :)

I've been setting up a FreeRADIUS server for a client, so they can
(finally!) break away from AD/NPS-based RADIUS (ugh) for company WiFi. I
have SCEP certificates pushed out to all machines, and I have iPhones
connecting perfectly (transparent connection to test SSID with
successful RADIUS validation). But I am banging my head against the wall
with Windows 10 devices...

Certificates valid (from the same source, same profile), CA configured
correctly, it _should_ be working (as iOS can connect), but freeradius
-X gives me this:

...
(42) eap_tls: ocsp: Cert status: good
(42) eap_tls: ocsp: Certificate is valid
(42) eap_tls: TLS_accept: SSLv3/TLS read client certificate
(42) eap_tls: <<< recv TLS 1.2  [length 0066]
(42) eap_tls: TLS_accept: SSLv3/TLS read client key exchange
(42) eap_tls: <<< recv TLS 1.2  [length 0108]
(42) eap_tls: >>> send TLS 1.2  [length 0002]
(42) eap_tls: ERROR: TLS Alert write:fatal:decrypt error

(42) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
(42) eap_tls: ERROR: error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid
(42) eap_tls: ERROR: error:1417B07B:SSL routines:tls_process_cert_verify:bad signature
(42) eap_tls: ERROR: System call (I/O) error (-1)
(42) eap_tls: ERROR: TLS receive handshake failed during operation
(42) eap_tls: ERROR: [eaptls process] = fail
(42) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
(42) eap: Sending EAP Failure (code 4) ID 187 length 4
...

Sadly I can't work out _which_ signature it's having a problem with -
openssl verify is fine with the certificate and CA. The correct
certificate is being sent (I can see that elsewhere in the output), EKU
is all good.

Any pointers would be really appreciated - I'm not sure at the moment
whether to continue squinting at FreeRADIUS config, Windows config, SCEP
certificate properties, or what!

FreeRADIUS 3.0.21
OpenSSL 1.1.1
Windows fully updated

I have different CAs for FreeRADIUS (Let's Encrypt) and SCEP
(self-signed), but I understand this is fine, and as I mentioned it
works for iOS.

Has anyone seen this before? I've hunted all over the Internet, but
nothing quite matches :(

Thanks in advance.

--
Peter Bance
Information Security Adviser
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-TLS Signature Check Failure

Alan DeKok-2
On Jun 10, 2020, at 2:24 PM, Peter Bance via Freeradius-Users <[hidden email]> wrote:
> I've been setting up a FreeRADIUS server for a client, so they can (finally!) break away from AD/NPS-based RADIUS (ugh) for company WiFi. I have SCEP certificates pushed out to all machines, and I have iPhones connecting perfectly (transparent connection to test SSID with successful RADIUS validation). But I am banging my head against the wall with Windows 10 devices...

  <sigh> Windows....

> Certificates valid (from the same source, same profile), CA configured correctly, it _should_ be working (as iOS can connect), but freeradius -X gives me this:
>
> ...
> (42) eap_tls: ocsp: Cert status: good
> (42) eap_tls: ocsp: Certificate is valid
> (42) eap_tls: TLS_accept: SSLv3/TLS read client certificate
> (42) eap_tls: <<< recv TLS 1.2  [length 0066]
> (42) eap_tls: TLS_accept: SSLv3/TLS read client key exchange
> (42) eap_tls: <<< recv TLS 1.2  [length 0108]
> (42) eap_tls: >>> send TLS 1.2  [length 0002]
> (42) eap_tls: ERROR: TLS Alert write:fatal:decrypt error
>
> (42) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
> (42) eap_tls: ERROR: error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid
> (42) eap_tls: ERROR: error:1417B07B:SSL routines:tls_process_cert_verify:bad signature

  I must admit I haven't seen that very often.  In fact, I can't recall seeing it before.

> Sadly I can't work out _which_ signature it's having a problem with - openssl verify is fine with the certificate and CA. The correct certificate is being sent (I can see that elsewhere in the output), EKU is all good.

  You can use Wireshark to double-check the RADIUS / EAP exchange.  I suspect it will also complain.
 
> Any pointers would be really appreciated - I'm not sure at the moment whether to continue squinting at FreeRADIUS config, Windows config, SCEP certificate properties, or what!
>
> FreeRADIUS 3.0.21
> OpenSSL 1.1.1
> Windows fully updated
>
> I have different CAs for FreeRADIUS (Let's Encrypt) and SCEP (self-signed), but I understand this is fine, and as I mentioned it works for iOS.
>
> Has anyone seen this before? I've hunted all over the Internet, but nothing quite matches :(

  Yeah.  It's weird.  TBH, I would put it down to a Windows issue.  I can't see how it's a FreeRADIUS issue.  Which means it's rather more complex to fix.

  Maybe it's an issue with the SCEP certificates, or the Windows implementation of them.

  Alan DeKok.



Re: EAP-TLS Signature Check Failure

Users mailing list
Thanks, Alan.

That helps eliminate one rabbit hole. I shall dig into Windows WPA/EAP and see what new “proprietary mechanism” they’ve invented now 😊

---
Peter Bance


> On 10 Jun 2020, at 22:02, Alan DeKok <[hidden email]> wrote:
>
> On Jun 10, 2020, at 2:24 PM, Peter Bance via Freeradius-Users <[hidden email]> wrote:
>> I've been setting up a FreeRADIUS server for a client, so they can (finally!) break away from AD/NPS-based RADIUS (ugh) for company WiFi. I have SCEP certificates pushed out to all machines, and I have iPhones connecting perfectly (transparent connection to test SSID with successful RADIUS validation). But I am banging my head against the wall with Windows 10 devices...
>
>  <sigh> Windows....
>
>> Certificates valid (from the same source, same profile), CA configured correctly, it _should_ be working (as iOS can connect), but freeradius -X gives me this:
>>
>> ...
>> (42) eap_tls: ocsp: Cert status: good
>> (42) eap_tls: ocsp: Certificate is valid
>> (42) eap_tls: TLS_accept: SSLv3/TLS read client certificate
>> (42) eap_tls: <<< recv TLS 1.2  [length 0066]
>> (42) eap_tls: TLS_accept: SSLv3/TLS read client key exchange
>> (42) eap_tls: <<< recv TLS 1.2  [length 0108]
>> (42) eap_tls: >>> send TLS 1.2  [length 0002]
>> (42) eap_tls: ERROR: TLS Alert write:fatal:decrypt error
>>
>> (42) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
>> (42) eap_tls: ERROR: error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid
>> (42) eap_tls: ERROR: error:1417B07B:SSL routines:tls_process_cert_verify:bad signature
>
>  I must admit I haven't seen that very often.  In fact, I can't recall seeing it before.
>
>> Sadly I can't work out _which_ signature it's having a problem with - openssl verify is fine with the certificate and CA. The correct certificate is being sent (I can see that elsewhere in the output), EKU is all good.
>
>  You can use Wireshark to double-check the RADIUS / EAP exchange.  I suspect it will also complain.
>
>> Any pointers would be really appreciated - I'm not sure at the moment whether to continue squinting at FreeRADIUS config, Windows config, SCEP certificate properties, or what!
>>
>> FreeRADIUS 3.0.21
>> OpenSSL 1.1.1
>> Windows fully updated
>>
>> I have different CAs for FreeRADIUS (Let's Encrypt) and SCEP (self-signed), but I understand this is fine, and as I mentioned it works for iOS.
>>
>> Has anyone seen this before? I've hunted all over the Internet, but nothing quite matches :(
>
>  Yeah.  It's weird.  TBH, I would put it down to a Windows issue.  I can't see how it's a FreeRADIUS issue.  Which means it's rather more complex to fix.
>
>  Maybe it's an issue with the SCEP certificates, or the Windows implementation of them.
>
>  Alan DeKok.



Re: EAP-TLS Signature Check Failure

Users mailing list
On 2020-06-10 22:01, Alan DeKok wrote:

> On Jun 10, 2020, at 2:24 PM, Peter Bance via Freeradius-Users
> <[hidden email]> wrote:
>> Has anyone seen this before? I've hunted all over the Internet, but
>> nothing quite matches :(
>
>   Yeah.  It's weird.  TBH, I would put it down to a Windows issue.  I
> can't see how it's a FreeRADIUS issue.  Which means it's rather more
> complex to fix.
>
>   Maybe it's an issue with the SCEP certificates, or the Windows
> implementation of them.

I'm afraid I've been all around the Windows and certificate side, and
I've circled back to FreeRADIUS :( I probably should have included the
full session log before (sadly I didn't think to save a successful entry
from iOS to compare it to, I'll try and get one when I next can). I've
pasted below (I don't think I need to "redact" anything here other than
the SSID and OUs, which identified the client).

One thing strikes me, and the reason I'm being a nuisance here again (!)
- the signature validation is failing "RSA_verify_PKCS1_PSS_mgf1", but
both the client and CA certificates are signed with
"sha256WithRSAEncryption", and the session is TLS 1.2. However, the very
first client request asks for TLS 1.3 (subsequently downgraded to 1.2).

Could FreeRADIUS be "remembering" the initial 1.3, and thus trying an
invalid signature validation on the certificate(s)?

I've tried going through the source code, but I confess my C and TLS
skills aren't up to it :-(

Still happy to revert back to peering at Windows and SCEP configuration
if this is a red herring.

(36) Received Access-Request Id 17 from 213.86.126.94:34562 to 10.0.0.149:1812 length 322
(36)   User-Name = "host/4e806561-02db-4ede-847d-4596d2ec7d20"
(36)   NAS-Identifier = "88866e42-06c5-4f07-90b5-b72e5da2ea53"
(36)   Called-Station-Id = "5C-5B-35-C3-B7-A3:XXXXX"
(36)   NAS-Port-Type = Wireless-802.11
(36)   Service-Type = Framed-User
(36)   Calling-Station-Id = "20-79-18-BC-9E-2C"
(36)   Connect-Info = "CONNECT 0Mbps 802.11b"
(36)   Acct-Session-Id = "418B05EFDADE98C1"
(36)   Acct-Multi-Session-Id = "596BF9F81F35E201"
(36)   Mobility-Domain-Id = 28294
(36)   WLAN-Pairwise-Cipher = 1027076
(36)   WLAN-Group-Cipher = 1027076
(36)   WLAN-AKM-Suite = 1027075
(36)   Framed-MTU = 1200
(36)   EAP-Message = 0x02b5002e01686f73742f34653830363536312d303264622d346564652d383437642d343539366432656337643230
(36)   NAS-IP-Address = 192.168.39.11
(36)   Message-Authenticator = 0xb7f8b7fff9b96de0ac6006c01dec7e60
(36) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(36)   authorize {
(36)     policy filter_username {
(36)       if (&User-Name) {
(36)       if (&User-Name)  -> TRUE
(36)       if (&User-Name)  {
(36)         if (&User-Name =~ / /) {
(36)         if (&User-Name =~ / /)  -> FALSE
(36)         if (&User-Name =~ /@[^@]*@/ ) {
(36)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(36)         if (&User-Name =~ /\.\./ ) {
(36)         if (&User-Name =~ /\.\./ )  -> FALSE
(36)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(36)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  -> FALSE
(36)         if (&User-Name =~ /\.$/)  {
(36)         if (&User-Name =~ /\.$/)   -> FALSE
(36)         if (&User-Name =~ /@\./)  {
(36)         if (&User-Name =~ /@\./)   -> FALSE
(36)       } # if (&User-Name)  = notfound
(36)     } # policy filter_username = notfound
(36)     [preprocess] = ok
(36)     [chap] = noop
(36)     [mschap] = noop
(36)     [digest] = noop
(36) suffix: Checking for suffix after "@"
(36) suffix: No '@' in User-Name = "host/4e806561-02db-4ede-847d-4596d2ec7d20", looking up realm NULL
(36) suffix: No such realm "NULL"
(36)     [suffix] = noop
(36) eap: Peer sent EAP Response (code 2) ID 181 length 46
(36) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(36)     [eap] = ok
(36)   } # authorize = ok
(36) Found Auth-Type = eap
(36) # Executing group from file /etc/freeradius/sites-enabled/default
(36)   authenticate {
(36) eap: Peer sent packet with method EAP Identity (1)
(36) eap: Calling submodule eap_tls to process data
(36) eap_tls: Initiating new TLS session
(36) eap_tls: Setting verify mode to require certificate from client
(36) eap_tls: [eaptls start] = request
(36) eap: Sending EAP Request (code 1) ID 182 length 6
(36) eap: EAP session adding &reply:State = 0x1648a20f16feaff0
(36)     [eap] = handled
(36)   } # authenticate = handled
(36) Using Post-Auth-Type Challenge
(36) # Executing group from file /etc/freeradius/sites-enabled/default
(36)   Challenge { ... } # empty sub-section is ignored
(36) Sent Access-Challenge Id 17 from 10.0.0.149:1812 to 213.86.126.94:34562 length 0
(36)   EAP-Message = 0x01b600060d20
(36)   Message-Authenticator = 0x00000000000000000000000000000000
(36)   State = 0x1648a20f16feaff06276a0f2502d05c3
(36) Finished request
Waking up in 4.9 seconds.
(37) Received Access-Request Id 18 from 213.86.126.94:34562 to 10.0.0.149:1812 length 466
(37)   User-Name = "host/4e806561-02db-4ede-847d-4596d2ec7d20"
(37)   NAS-Identifier = "88866e42-06c5-4f07-90b5-b72e5da2ea53"
(37)   Called-Station-Id = "5C-5B-35-C3-B7-A3:XXXXX"
(37)   NAS-Port-Type = Wireless-802.11
(37)   Service-Type = Framed-User
(37)   Calling-Station-Id = "20-79-18-BC-9E-2C"
(37)   Connect-Info = "CONNECT 0Mbps 802.11b"
(37)   Acct-Session-Id = "418B05EFDADE98C1"
(37)   Acct-Multi-Session-Id = "596BF9F81F35E201"
(37)   Mobility-Domain-Id = 28294
(37)   WLAN-Pairwise-Cipher = 1027076
(37)   WLAN-Group-Cipher = 1027076
(37)   WLAN-AKM-Suite = 1027075
(37)   Framed-MTU = 1200
(37)   EAP-Message = 0x02b600ac0d80000000a2160303009d0100009903035ee0db848a7a6dc35056a37d7a0774fd13cea959920da2632840ac17f72d2d8800002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000046000500050100000000000a00080006001d00170018000b00020100000d001a00180804080508060401050102010403050302030202060106030023000000170000ff01000100
(37)   State = 0x1648a20f16feaff06276a0f2502d05c3
(37)   NAS-IP-Address = 192.168.39.11
(37)   Message-Authenticator = 0x73c6f19cff528e55409457ef55bf064d
(37) session-state: No cached attributes
(37) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(37)   authorize {
(37)     policy filter_username {
(37)       if (&User-Name) {
(37)       if (&User-Name)  -> TRUE
(37)       if (&User-Name)  {
(37)         if (&User-Name =~ / /) {
(37)         if (&User-Name =~ / /)  -> FALSE
(37)         if (&User-Name =~ /@[^@]*@/ ) {
(37)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(37)         if (&User-Name =~ /\.\./ ) {
(37)         if (&User-Name =~ /\.\./ )  -> FALSE
(37)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(37)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  -> FALSE
(37)         if (&User-Name =~ /\.$/)  {
(37)         if (&User-Name =~ /\.$/)   -> FALSE
(37)         if (&User-Name =~ /@\./)  {
(37)         if (&User-Name =~ /@\./)   -> FALSE
(37)       } # if (&User-Name)  = notfound
(37)     } # policy filter_username = notfound
(37)     [preprocess] = ok
(37)     [chap] = noop
(37)     [mschap] = noop
(37)     [digest] = noop
(37) suffix: Checking for suffix after "@"
(37) suffix: No '@' in User-Name = "host/4e806561-02db-4ede-847d-4596d2ec7d20", looking up realm NULL
(37) suffix: No such realm "NULL"
(37)     [suffix] = noop
(37) eap: Peer sent EAP Response (code 2) ID 182 length 172
(37) eap: No EAP Start, assuming it's an on-going EAP conversation
(37)     [eap] = updated
(37)     [files] = noop
(37)     [expiration] = noop
(37)     [logintime] = noop
(37)     [pap] = noop
(37)   } # authorize = updated
(37) Found Auth-Type = eap
(37) # Executing group from file /etc/freeradius/sites-enabled/default
(37)   authenticate {
(37) eap: Expiring EAP session with state 0x1648a20f16feaff0
(37) eap: Finished EAP session with state 0x1648a20f16feaff0
(37) eap: Previous EAP request found for state 0x1648a20f16feaff0, released from the list
(37) eap: Peer sent packet with method EAP TLS (13)
(37) eap: Calling submodule eap_tls to process data
(37) eap_tls: Continuing EAP-TLS
(37) eap_tls: Peer indicated complete TLS record size will be 162 bytes
(37) eap_tls: Got complete TLS record (162 bytes)
(37) eap_tls: [eaptls verify] = length included
(37) eap_tls: (other): before SSL initialization
(37) eap_tls: TLS_accept: before SSL initialization
(37) eap_tls: TLS_accept: before SSL initialization
(37) eap_tls: <<< recv TLS 1.3  [length 009d]
(37) eap_tls: TLS_accept: SSLv3/TLS read client hello
(37) eap_tls: >>> send TLS 1.2  [length 003d]
(37) eap_tls: TLS_accept: SSLv3/TLS write server hello
(37) eap_tls: >>> send TLS 1.2  [length 0a02]
(37) eap_tls: TLS_accept: SSLv3/TLS write certificate
(37) eap_tls: >>> send TLS 1.2  [length 016d]
(37) eap_tls: TLS_accept: SSLv3/TLS write key exchange
(37) eap_tls: >>> send TLS 1.2  [length 00a2]
(37) eap_tls: TLS_accept: SSLv3/TLS write certificate request
(37) eap_tls: >>> send TLS 1.2  [length 0004]
(37) eap_tls: TLS_accept: SSLv3/TLS write server done
(37) eap_tls: TLS_accept: Need to read more data: SSLv3/TLS write server done
(37) eap_tls: TLS - In Handshake Phase
(37) eap_tls: TLS - got 3179 bytes of data
(37) eap_tls: [eaptls process] = handled
(37) eap: Sending EAP Request (code 1) ID 183 length 1004
(37) eap: EAP session adding &reply:State = 0x1648a20f17ffaff0
(37)     [eap] = handled
(37)   } # authenticate = handled
(37) Using Post-Auth-Type Challenge
(37) # Executing group from file /etc/freeradius/sites-enabled/default
(37)   Challenge { ... } # empty sub-section is ignored
(37) Sent Access-Challenge Id 18 from 10.0.0.149:1812 to 213.86.126.94:34562 length 0
(37)   EAP-Message =
(37)   Message-Authenticator = 0x00000000000000000000000000000000
(37)   State = 0x1648a20f17ffaff06276a0f2502d05c3
(37) Finished request
Waking up in 4.8 seconds.
(38) Received Access-Request Id 19 from 213.86.126.94:34562 to 10.0.0.149:1812 length 300
(38)   User-Name = "host/4e806561-02db-4ede-847d-4596d2ec7d20"
(38)   NAS-Identifier = "88866e42-06c5-4f07-90b5-b72e5da2ea53"
(38)   Called-Station-Id = "5C-5B-35-C3-B7-A3:XXXXX"
(38)   NAS-Port-Type = Wireless-802.11
(38)   Service-Type = Framed-User
(38)   Calling-Station-Id = "20-79-18-BC-9E-2C"
(38)   Connect-Info = "CONNECT 0Mbps 802.11b"
(38)   Acct-Session-Id = "418B05EFDADE98C1"
(38)   Acct-Multi-Session-Id = "596BF9F81F35E201"
(38)   Mobility-Domain-Id = 28294
(38)   WLAN-Pairwise-Cipher = 1027076
(38)   WLAN-Group-Cipher = 1027076
(38)   WLAN-AKM-Suite = 1027075
(38)   Framed-MTU = 1200
(38)   EAP-Message = 0x02b700060d00
(38)   State = 0x1648a20f17ffaff06276a0f2502d05c3
(38)   NAS-IP-Address = 192.168.39.11
(38)   Message-Authenticator = 0x08a71d99f1461ff34619361b8f160f0b
(38) session-state: No cached attributes
(38) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(38)   authorize {
(38)     policy filter_username {
(38)       if (&User-Name) {
(38)       if (&User-Name)  -> TRUE
(38)       if (&User-Name)  {
(38)         if (&User-Name =~ / /) {
(38)         if (&User-Name =~ / /)  -> FALSE
(38)         if (&User-Name =~ /@[^@]*@/ ) {
(38)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(38)         if (&User-Name =~ /\.\./ ) {
(38)         if (&User-Name =~ /\.\./ )  -> FALSE
(38)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(38)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  -> FALSE
(38)         if (&User-Name =~ /\.$/)  {
(38)         if (&User-Name =~ /\.$/)   -> FALSE
(38)         if (&User-Name =~ /@\./)  {
(38)         if (&User-Name =~ /@\./)   -> FALSE
(38)       } # if (&User-Name)  = notfound
(38)     } # policy filter_username = notfound
(38)     [preprocess] = ok
(38)     [chap] = noop
(38)     [mschap] = noop
(38)     [digest] = noop
(38) suffix: Checking for suffix after "@"
(38) suffix: No '@' in User-Name = "host/4e806561-02db-4ede-847d-4596d2ec7d20", looking up realm NULL
(38) suffix: No such realm "NULL"
(38)     [suffix] = noop
(38) eap: Peer sent EAP Response (code 2) ID 183 length 6
(38) eap: No EAP Start, assuming it's an on-going EAP conversation
(38)     [eap] = updated
(38)     [files] = noop
(38)     [expiration] = noop
(38)     [logintime] = noop
(38)     [pap] = noop
(38)   } # authorize = updated
(38) Found Auth-Type = eap
(38) # Executing group from file /etc/freeradius/sites-enabled/default
(38)   authenticate {
(38) eap: Expiring EAP session with state 0x1648a20f17ffaff0
(38) eap: Finished EAP session with state 0x1648a20f17ffaff0
(38) eap: Previous EAP request found for state 0x1648a20f17ffaff0, released from the list
(38) eap: Peer sent packet with method EAP TLS (13)
(38) eap: Calling submodule eap_tls to process data
(38) eap_tls: Continuing EAP-TLS
(38) eap_tls: Peer ACKed our handshake fragment
(38) eap_tls: [eaptls verify] = request
(38) eap_tls: [eaptls process] = handled
(38) eap: Sending EAP Request (code 1) ID 184 length 1004
(38) eap: EAP session adding &reply:State = 0x1648a20f14f0aff0
(38)     [eap] = handled
(38)   } # authenticate = handled
(38) Using Post-Auth-Type Challenge
(38) # Executing group from file /etc/freeradius/sites-enabled/default
(38)   Challenge { ... } # empty sub-section is ignored
(38) Sent Access-Challenge Id 19 from 10.0.0.149:1812 to 213.86.126.94:34562 length 0
(38)   EAP-Message =
(38)   Message-Authenticator = 0x00000000000000000000000000000000
(38)   State = 0x1648a20f14f0aff06276a0f2502d05c3
(38) Finished request
Waking up in 4.7 seconds.
(39) Received Access-Request Id 20 from 213.86.126.94:34562 to 10.0.0.149:1812 length 300
(39)   User-Name = "host/4e806561-02db-4ede-847d-4596d2ec7d20"
(39)   NAS-Identifier = "88866e42-06c5-4f07-90b5-b72e5da2ea53"
(39)   Called-Station-Id = "5C-5B-35-C3-B7-A3:XXXXX"
(39)   NAS-Port-Type = Wireless-802.11
(39)   Service-Type = Framed-User
(39)   Calling-Station-Id = "20-79-18-BC-9E-2C"
(39)   Connect-Info = "CONNECT 0Mbps 802.11b"
(39)   Acct-Session-Id = "418B05EFDADE98C1"
(39)   Acct-Multi-Session-Id = "596BF9F81F35E201"
(39)   Mobility-Domain-Id = 28294
(39)   WLAN-Pairwise-Cipher = 1027076
(39)   WLAN-Group-Cipher = 1027076
(39)   WLAN-AKM-Suite = 1027075
(39)   Framed-MTU = 1200
(39)   EAP-Message = 0x02b800060d00
(39)   State = 0x1648a20f14f0aff06276a0f2502d05c3
(39)   NAS-IP-Address = 192.168.39.11
(39)   Message-Authenticator = 0xfbb8a5a45c711461cc59935691116b83
(39) session-state: No cached attributes
(39) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(39)   authorize {
(39)     policy filter_username {
(39)       if (&User-Name) {
(39)       if (&User-Name)  -> TRUE
(39)       if (&User-Name)  {
(39)         if (&User-Name =~ / /) {
(39)         if (&User-Name =~ / /)  -> FALSE
(39)         if (&User-Name =~ /@[^@]*@/ ) {
(39)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(39)         if (&User-Name =~ /\.\./ ) {
(39)         if (&User-Name =~ /\.\./ )  -> FALSE
(39)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(39)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  -> FALSE
(39)         if (&User-Name =~ /\.$/)  {
(39)         if (&User-Name =~ /\.$/)   -> FALSE
(39)         if (&User-Name =~ /@\./)  {
(39)         if (&User-Name =~ /@\./)   -> FALSE
(39)       } # if (&User-Name)  = notfound
(39)     } # policy filter_username = notfound
(39)     [preprocess] = ok
(39)     [chap] = noop
(39)     [mschap] = noop
(39)     [digest] = noop
(39) suffix: Checking for suffix after "@"
(39) suffix: No '@' in User-Name = "host/4e806561-02db-4ede-847d-4596d2ec7d20", looking up realm NULL
(39) suffix: No such realm "NULL"
(39)     [suffix] = noop
(39) eap: Peer sent EAP Response (code 2) ID 184 length 6
(39) eap: No EAP Start, assuming it's an on-going EAP conversation
(39)     [eap] = updated
(39)     [files] = noop
(39)     [expiration] = noop
(39)     [logintime] = noop
(39)     [pap] = noop
(39)   } # authorize = updated
(39) Found Auth-Type = eap
(39) # Executing group from file /etc/freeradius/sites-enabled/default
(39)   authenticate {
(39) eap: Expiring EAP session with state 0x1648a20f14f0aff0
(39) eap: Finished EAP session with state 0x1648a20f14f0aff0
(39) eap: Previous EAP request found for state 0x1648a20f14f0aff0, released from the list
(39) eap: Peer sent packet with method EAP TLS (13)
(39) eap: Calling submodule eap_tls to process data
(39) eap_tls: Continuing EAP-TLS
(39) eap_tls: Peer ACKed our handshake fragment
(39) eap_tls: [eaptls verify] = request
(39) eap_tls: [eaptls process] = handled
(39) eap: Sending EAP Request (code 1) ID 185 length 1004
(39) eap: EAP session adding &reply:State = 0x1648a20f15f1aff0
(39)     [eap] = handled
(39)   } # authenticate = handled
(39) Using Post-Auth-Type Challenge
(39) # Executing group from file /etc/freeradius/sites-enabled/default
(39)   Challenge { ... } # empty sub-section is ignored
(39) Sent Access-Challenge Id 20 from 10.0.0.149:1812 to 213.86.126.94:34562 length 0
(39)   EAP-Message =
(39)   Message-Authenticator = 0x00000000000000000000000000000000
(39)   State = 0x1648a20f15f1aff06276a0f2502d05c3
(39) Finished request
Waking up in 4.6 seconds.
(40) Received Access-Request Id 21 from 213.86.126.94:34562 to 10.0.0.149:1812 length 300
(40)   User-Name = "host/4e806561-02db-4ede-847d-4596d2ec7d20"
(40)   NAS-Identifier = "88866e42-06c5-4f07-90b5-b72e5da2ea53"
(40)   Called-Station-Id = "5C-5B-35-C3-B7-A3:XXXXX"
(40)   NAS-Port-Type = Wireless-802.11
(40)   Service-Type = Framed-User
(40)   Calling-Station-Id = "20-79-18-BC-9E-2C"
(40)   Connect-Info = "CONNECT 0Mbps 802.11b"
(40)   Acct-Session-Id = "418B05EFDADE98C1"
(40)   Acct-Multi-Session-Id = "596BF9F81F35E201"
(40)   Mobility-Domain-Id = 28294
(40)   WLAN-Pairwise-Cipher = 1027076
(40)   WLAN-Group-Cipher = 1027076
(40)   WLAN-AKM-Suite = 1027075
(40)   Framed-MTU = 1200
(40)   EAP-Message = 0x02b900060d00
(40)   State = 0x1648a20f15f1aff06276a0f2502d05c3
(40)   NAS-IP-Address = 192.168.39.11
(40)   Message-Authenticator = 0x0d8187d439f5c856a51abace42ad72b5
(40) session-state: No cached attributes
(40) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(40)   authorize {
(40)     policy filter_username {
(40)       if (&User-Name) {
(40)       if (&User-Name)  -> TRUE
(40)       if (&User-Name)  {
(40)         if (&User-Name =~ / /) {
(40)         if (&User-Name =~ / /)  -> FALSE
(40)         if (&User-Name =~ /@[^@]*@/ ) {
(40)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(40)         if (&User-Name =~ /\.\./ ) {
(40)         if (&User-Name =~ /\.\./ )  -> FALSE
(40)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(40)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  -> FALSE
(40)         if (&User-Name =~ /\.$/)  {
(40)         if (&User-Name =~ /\.$/)   -> FALSE
(40)         if (&User-Name =~ /@\./)  {
(40)         if (&User-Name =~ /@\./)   -> FALSE
(40)       } # if (&User-Name)  = notfound
(40)     } # policy filter_username = notfound
(40)     [preprocess] = ok
(40)     [chap] = noop
(40)     [mschap] = noop
(40)     [digest] = noop
(40) suffix: Checking for suffix after "@"
(40) suffix: No '@' in User-Name = "host/4e806561-02db-4ede-847d-4596d2ec7d20", looking up realm NULL
(40) suffix: No such realm "NULL"
(40)     [suffix] = noop
(40) eap: Peer sent EAP Response (code 2) ID 185 length 6
(40) eap: No EAP Start, assuming it's an on-going EAP conversation
(40)     [eap] = updated
(40)     [files] = noop
(40)     [expiration] = noop
(40)     [logintime] = noop
(40)     [pap] = noop
(40)   } # authorize = updated
(40) Found Auth-Type = eap
(40) # Executing group from file /etc/freeradius/sites-enabled/default
(40)   authenticate {
(40) eap: Expiring EAP session with state 0x1648a20f15f1aff0
(40) eap: Finished EAP session with state 0x1648a20f15f1aff0
(40) eap: Previous EAP request found for state 0x1648a20f15f1aff0, released from the list
(40) eap: Peer sent packet with method EAP TLS (13)
(40) eap: Calling submodule eap_tls to process data
(40) eap_tls: Continuing EAP-TLS
(40) eap_tls: Peer ACKed our handshake fragment
(40) eap_tls: [eaptls verify] = request
(40) eap_tls: [eaptls process] = handled
(40) eap: Sending EAP Request (code 1) ID 186 length 207
(40) eap: EAP session adding &reply:State = 0x1648a20f12f2aff0
(40)     [eap] = handled
(40)   } # authenticate = handled
(40) Using Post-Auth-Type Challenge
(40) # Executing group from file /etc/freeradius/sites-enabled/default
(40)   Challenge { ... } # empty sub-section is ignored
(40) Sent Access-Challenge Id 21 from 10.0.0.149:1812 to 213.86.126.94:34562 length 0
(40)   EAP-Message = 0x01ba00cf0d8000000c6baccab7fd8f25557f21770ea0fa13edbb232eb4a89316030300a20d00009e03010240002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602006800663064310f300d060355040a13064f6e65576562312d302b060355040b132464383164623666662d346337642d346131642d623536322d3831653835343331643562613122302006035504031319534345506d616e2d4465766963652d526f6f742d43412d563116030300040e000000
(40)   Message-Authenticator = 0x00000000000000000000000000000000
(40)   State = 0x1648a20f12f2aff06276a0f2502d05c3
(40) Finished request
Waking up in 4.6 seconds.
(41) Received Access-Request Id 22 from 213.86.126.94:34562 to 10.0.0.149:1812 length 1796
(41)   User-Name = "host/4e806561-02db-4ede-847d-4596d2ec7d20"
(41)   NAS-Identifier = "88866e42-06c5-4f07-90b5-b72e5da2ea53"
(41)   Called-Station-Id = "5C-5B-35-C3-B7-A3:XXXXX"
(41)   NAS-Port-Type = Wireless-802.11
(41)   Service-Type = Framed-User
(41)   Calling-Station-Id = "20-79-18-BC-9E-2C"
(41)   Connect-Info = "CONNECT 0Mbps 802.11b"
(41)   Acct-Session-Id = "418B05EFDADE98C1"
(41)   Acct-Multi-Session-Id = "596BF9F81F35E201"
(41)   Mobility-Domain-Id = 28294
(41)   WLAN-Pairwise-Cipher = 1027076
(41)   WLAN-Group-Cipher = 1027076
(41)   WLAN-AKM-Suite = 1027075
(41)   Framed-MTU = 1200
(41)   EAP-Message = 0x02ba05d40dc00000063e16030306060b00049400049100048e3082048a30820374a0030201020214408581db6165804edb02de4e847d4596d2ec7d20300b06092a864886f70d01010b3064310f300d060355040a13064f6e65576562312d302b060355040b132464383164623666662d346337642d346131642d623536322d3831653835343331643562613122302006035504031319534345506d616e2d4465766963652d526f6f742d43412d5631301e170d3230303531313038353733345a170d3230313131313039303733345a302f312d302b06035504030c2434653830363536312d303264622d346564652d383437642d34353936643265633764323030820122300d06092a864886f70d01010105000382010f003082010a0282010100c5cc3996132faaa13233caa896612c0b320ba49257fe6bc09d5de2c381892182963818ad8d2722761e3427f9d748215acd4bbe0917bdb8332bae1eca9471b23a6b6fd6630842becd62ccabbce4aeb738f2ac598fd18b
(41)   State = 0x1648a20f12f2aff06276a0f2502d05c3
(41)   NAS-IP-Address = 192.168.39.11
(41)   Message-Authenticator = 0x746c68f8e099ebad30060fd2c2887cbe
(41) session-state: No cached attributes
(41) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(41)   authorize {
(41)     policy filter_username {
(41)       if (&User-Name) {
(41)       if (&User-Name)  -> TRUE
(41)       if (&User-Name)  {
(41)         if (&User-Name =~ / /) {
(41)         if (&User-Name =~ / /)  -> FALSE
(41)         if (&User-Name =~ /@[^@]*@/ ) {
(41)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(41)         if (&User-Name =~ /\.\./ ) {
(41)         if (&User-Name =~ /\.\./ )  -> FALSE
(41)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
{
(41)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
  -> FALSE
(41)         if (&User-Name =~ /\.$/)  {
(41)         if (&User-Name =~ /\.$/)   -> FALSE
(41)         if (&User-Name =~ /@\./)  {
(41)         if (&User-Name =~ /@\./)   -> FALSE
(41)       } # if (&User-Name)  = notfound
(41)     } # policy filter_username = notfound
(41)     [preprocess] = ok
(41)     [chap] = noop
(41)     [mschap] = noop
(41)     [digest] = noop
(41) suffix: Checking for suffix after "@"
(41) suffix: No '@' in User-Name =
"host/4e806561-02db-4ede-847d-4596d2ec7d20", looking up realm NULL
(41) suffix: No such realm "NULL"
(41)     [suffix] = noop
(41) eap: Peer sent EAP Response (code 2) ID 186 length 1492
(41) eap: No EAP Start, assuming it's an on-going EAP conversation
(41)     [eap] = updated
(41)     [files] = noop
(41)     [expiration] = noop
(41)     [logintime] = noop
(41)     [pap] = noop
(41)   } # authorize = updated
(41) Found Auth-Type = eap
(41) # Executing group from file /etc/freeradius/sites-enabled/default
(41)   authenticate {
(41) eap: Expiring EAP session with state 0x1648a20f12f2aff0
(41) eap: Finished EAP session with state 0x1648a20f12f2aff0
(41) eap: Previous EAP request found for state 0x1648a20f12f2aff0,
released from the list
(41) eap: Peer sent packet with method EAP TLS (13)
(41) eap: Calling submodule eap_tls to process data
(41) eap_tls: Continuing EAP-TLS
(41) eap_tls: Peer indicated complete TLS record size will be 1598 bytes
(41) eap_tls: Expecting 2 TLS record fragments
(41) eap_tls: Got first TLS record fragment (1482 bytes).  Peer
indicated more fragments to follow
(41) eap_tls: [eaptls verify] = first fragment
(41) eap_tls: ACKing Peer's TLS record fragment
(41) eap_tls: [eaptls process] = handled
(41) eap: Sending EAP Request (code 1) ID 187 length 6
(41) eap: EAP session adding &reply:State = 0x1648a20f13f3aff0
(41)     [eap] = handled
(41)   } # authenticate = handled
(41) Using Post-Auth-Type Challenge
(41) # Executing group from file /etc/freeradius/sites-enabled/default
(41)   Challenge { ... } # empty sub-section is ignored
(41) Sent Access-Challenge Id 22 from 10.0.0.149:1812 to
213.86.126.94:34562 length 0
(41)   EAP-Message = 0x01bb00060d00
(41)   Message-Authenticator = 0x00000000000000000000000000000000
(41)   State = 0x1648a20f13f3aff06276a0f2502d05c3
(41) Finished request
Waking up in 4.1 seconds.
(42) Received Access-Request Id 23 from 213.86.126.94:34562 to
10.0.0.149:1812 length 416
(42)   User-Name = "host/4e806561-02db-4ede-847d-4596d2ec7d20"
(42)   NAS-Identifier = "88866e42-06c5-4f07-90b5-b72e5da2ea53"
(42)   Called-Station-Id = "5C-5B-35-C3-B7-A3:XXXXX"
(42)   NAS-Port-Type = Wireless-802.11
(42)   Service-Type = Framed-User
(42)   Calling-Station-Id = "20-79-18-BC-9E-2C"
(42)   Connect-Info = "CONNECT 0Mbps 802.11b"
(42)   Acct-Session-Id = "418B05EFDADE98C1"
(42)   Acct-Multi-Session-Id = "596BF9F81F35E201"
(42)   Mobility-Domain-Id = 28294
(42)   WLAN-Pairwise-Cipher = 1027076
(42)   WLAN-Group-Cipher = 1027076
(42)   WLAN-AKM-Suite = 1027075
(42)   Framed-MTU = 1200
(42)   EAP-Message =
0x02bb007a0d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014030300010116030300280000000000000000b96a559b74390d53101a37b9c730e029dfcaecc09616610d63a393614951b571
(42)   State = 0x1648a20f13f3aff06276a0f2502d05c3
(42)   NAS-IP-Address = 192.168.39.11
(42)   Message-Authenticator = 0xa524c52b087a2f48e54d85d74803cd75
(42) session-state: No cached attributes
(42) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(42)   authorize {
(42)     policy filter_username {
(42)       if (&User-Name) {
(42)       if (&User-Name)  -> TRUE
(42)       if (&User-Name)  {
(42)         if (&User-Name =~ / /) {
(42)         if (&User-Name =~ / /)  -> FALSE
(42)         if (&User-Name =~ /@[^@]*@/ ) {
(42)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(42)         if (&User-Name =~ /\.\./ ) {
(42)         if (&User-Name =~ /\.\./ )  -> FALSE
(42)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
{
(42)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  
  -> FALSE
(42)         if (&User-Name =~ /\.$/)  {
(42)         if (&User-Name =~ /\.$/)   -> FALSE
(42)         if (&User-Name =~ /@\./)  {
(42)         if (&User-Name =~ /@\./)   -> FALSE
(42)       } # if (&User-Name)  = notfound
(42)     } # policy filter_username = notfound
(42)     [preprocess] = ok
(42)     [chap] = noop
(42)     [mschap] = noop
(42)     [digest] = noop
(42) suffix: Checking for suffix after "@"
(42) suffix: No '@' in User-Name =
"host/4e806561-02db-4ede-847d-4596d2ec7d20", looking up realm NULL
(42) suffix: No such realm "NULL"
(42)     [suffix] = noop
(42) eap: Peer sent EAP Response (code 2) ID 187 length 122
(42) eap: No EAP Start, assuming it's an on-going EAP conversation
(42)     [eap] = updated
(42)     [files] = noop
(42)     [expiration] = noop
(42)     [logintime] = noop
(42)     [pap] = noop
(42)   } # authorize = updated
(42) Found Auth-Type = eap
(42) # Executing group from file /etc/freeradius/sites-enabled/default
(42)   authenticate {
(42) eap: Expiring EAP session with state 0x1648a20f13f3aff0
(42) eap: Finished EAP session with state 0x1648a20f13f3aff0
(42) eap: Previous EAP request found for state 0x1648a20f13f3aff0,
released from the list
(42) eap: Peer sent packet with method EAP TLS (13)
(42) eap: Calling submodule eap_tls to process data
(42) eap_tls: Continuing EAP-TLS
(42) eap_tls: Got final TLS record fragment (116 bytes)
(42) eap_tls: [eaptls verify] = ok
(42) eap_tls: Done initial handshake
(42) eap_tls: TLS_accept: SSLv3/TLS write server done
(42) eap_tls: <<< recv TLS 1.2  [length 0498]
(42) eap_tls: TLS - Creating attributes from certificate OIDs
(42) eap_tls:   TLS-Cert-Serial := "69f326fe2bd5423abacfa11e1c1a2802"
(42) eap_tls:   TLS-Cert-Expiration := "300509082659Z"
(42) eap_tls:   TLS-Cert-Valid-Since := "200509081659Z"
(42) eap_tls:   TLS-Cert-Subject :=
"/O=XXXXX/OU=XXXXX/CN=SCEPman-Device-Root-CA-V1"
(42) eap_tls:   TLS-Cert-Issuer :=
"/O=XXXXX/OU=XXXXX/CN=SCEPman-Device-Root-CA-V1"
(42) eap_tls:   TLS-Cert-Common-Name := "SCEPman-Device-Root-CA-V1"
(42) eap_tls: TLS - Creating attributes from certificate OIDs
(42) eap_tls:   TLS-Client-Cert-Serial :=
"408581db6165804edb02de4e847d4596d2ec7d20"
(42) eap_tls:   TLS-Client-Cert-Expiration := "201111090734Z"
(42) eap_tls:   TLS-Client-Cert-Valid-Since := "200511085734Z"
(42) eap_tls:   TLS-Client-Cert-Subject :=
"/CN=4e806561-02db-4ede-847d-4596d2ec7d20"
(42) eap_tls:   TLS-Client-Cert-Issuer :=
"/O=XXXXX/OU=XXXXX/CN=SCEPman-Device-Root-CA-V1"
(42) eap_tls:   TLS-Client-Cert-Common-Name :=
"4e806561-02db-4ede-847d-4596d2ec7d20"
(42) eap_tls:   TLS-Client-Cert-X509v3-Authority-Key-Identifier +=
"keyid:34:AC:84:40:C2:E0:BA:85:A6:37:E2:39:46:52:79:B6:8F:29:9C:EB\n"
(42) eap_tls:   TLS-Client-Cert-X509v3-Subject-Key-Identifier +=
"2E:74:84:73:C2:2A:C6:07:95:3A:2C:76:6E:DD:88:88:07:EC:75:5F"
(42) eap_tls:   TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(42) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web
Client Authentication"
(42) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
"1.3.6.1.5.5.7.3.2"
(42) eap_tls: Starting OCSP Request
(42) eap_tls: ocsp: Using responder URL
"http://scepman-xxxxx.azurewebsites.net:80/ocsp"
         This Update: Jun 10 13:09:25 2020 GMT
         Next Update: Jun 10 13:14:25 2020 GMT
(42) eap_tls: ocsp: Cert status: good
(42) eap_tls: ocsp: Certificate is valid
(42) eap_tls: TLS_accept: SSLv3/TLS read client certificate
(42) eap_tls: <<< recv TLS 1.2  [length 0066]
(42) eap_tls: TLS_accept: SSLv3/TLS read client key exchange
(42) eap_tls: <<< recv TLS 1.2  [length 0108]
(42) eap_tls: >>> send TLS 1.2  [length 0002]
(42) eap_tls: ERROR: TLS Alert write:fatal:decrypt error

(42) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
(42) eap_tls: ERROR: error:0407E086:rsa
routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid
(42) eap_tls: ERROR: error:1417B07B:SSL
routines:tls_process_cert_verify:bad signature
(42) eap_tls: ERROR: System call (I/O) error (-1)
(42) eap_tls: ERROR: TLS receive handshake failed during operation
(42) eap_tls: ERROR: [eaptls process] = fail
(42) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module
failed
(42) eap: Sending EAP Failure (code 4) ID 187 length 4
(42) eap: Failed in EAP select
(42)     [eap] = invalid
(42)   } # authenticate = invalid
(42) Failed to authenticate the user
(42) Using Post-Auth-Type Reject
(42) # Executing group from file /etc/freeradius/sites-enabled/default
(42)   Post-Auth-Type REJECT {
(42) attr_filter.access_reject: EXPAND %{User-Name}
(42) attr_filter.access_reject:    -->
host/4e806561-02db-4ede-847d-4596d2ec7d20
(42) attr_filter.access_reject: Matched entry DEFAULT at line 11
(42)     [attr_filter.access_reject] = updated
(42)     [eap] = noop
(42)     policy remove_reply_message_if_eap {
(42)       if (&reply:EAP-Message && &reply:Reply-Message) {
(42)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(42)       else {
(42)         [noop] = noop
(42)       } # else = noop
(42)     } # policy remove_reply_message_if_eap = noop
(42)   } # Post-Auth-Type REJECT = updated
(42) Login incorrect (eap_tls: TLS Alert write:fatal:decrypt error):
[host/4e806561-02db-4ede-847d-4596d2ec7d20] (from client XXXXX-UK port 0
cli 20-79-18-BC-9E-2C)
(42) Delaying response for 1.000000 seconds
Waking up in 0.9 seconds.
(42) Sending delayed response
(42) Sent Access-Reject Id 23 from 10.0.0.149:1812 to
213.86.126.94:34562 length 44
(42)   EAP-Message = 0x04bb0004
(42)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 2.2 seconds.
(36) Cleaning up request packet ID 17 with timestamp +932
Waking up in 0.1 seconds.
(37) Cleaning up request packet ID 18 with timestamp +933
(38) Cleaning up request packet ID 19 with timestamp +933
(39) Cleaning up request packet ID 20 with timestamp +933
(40) Cleaning up request packet ID 21 with timestamp +933
Waking up in 0.4 seconds.

---
Peter Bance
Information Security Adviser
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
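The log above prints the EAP-Message bytes of both halves of the client's handshake flight, and the lengths OpenSSL reports for each handshake message. The decoder below is an added example (my code, not part of the thread, FreeRADIUS or OpenSSL) that parses the EAP-TLS framing (RFC 5216) and TLS record layer over exactly those bytes, to locate what the server was looking at when it rejected the CertificateVerify. Every byte and length in it is copied from the debug output above; the only interpretation it adds is the record arithmetic, which it checks against the logged totals.

```python
"""
Added example, not from the thread: decode the two EAP-Message values that
freeradius -X printed for requests (41) and (42) above and work out which
bytes the server was examining when it failed.  Standard library only; every
byte and length below is copied from the debug output above.
"""
from typing import List, Tuple

# Request (41): the first bytes FreeRADIUS printed of the 1492-byte packet.
EAP_41_PREFIX = bytes.fromhex("02ba05d40dc00000063e16030306060b000494")
# Request (42): the complete 122-byte packet.  Its 65-byte run of 0x00 is
# written as "00" * 65 and is byte-for-byte the printed value.
EAP_42 = bytes.fromhex(
    "02bb007a0d00" + "00" * 65
    + "1403030001011603030028" + "00" * 8
    + "b96a559b74390d53101a37b9c730e029dfcaecc09616610d63a393614951b571")
FIRST_FRAGMENT_LEN = 1482      # "Got first TLS record fragment (1482 bytes)"
CERT_VERIFY_MSG_LEN = 0x0108   # "<<< recv TLS 1.2  [length 0108]": the CertificateVerify

EAP_TLS = 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20     # RFC 5216 section 3.1
RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def parse_eap_tls(pkt: bytes) -> dict:
    """EAP header (RFC 3748) followed by the EAP-TLS type, flags and optional length."""
    code, ident, declared = pkt[0], pkt[1], int.from_bytes(pkt[2:4], "big")
    eap_type, flags = pkt[4], pkt[5]
    if eap_type != EAP_TLS:
        raise ValueError(f"EAP type {eap_type} is not EAP-TLS")
    off, tls_len = 6, None
    if flags & FLAG_L:                 # L bit: 4-byte total length of the TLS data follows
        tls_len, off = int.from_bytes(pkt[6:10], "big"), 10
    return {"code": code, "id": ident, "declared_len": declared,
            "complete": declared == len(pkt), "more": bool(flags & FLAG_M),
            "start": bool(flags & FLAG_S), "tls_len": tls_len, "data": pkt[off:]}


def parse_tls_records(buf: bytes, allow_truncated: bool = False) -> List[Tuple[str, int, int, bytes]]:
    """Split bytes into TLS records as (content type, version, declared length, body)."""
    recs, off = [], 0
    while off < len(buf):
        if off + 5 > len(buf):
            raise ValueError("truncated TLS record header")
        ctype, ver = buf[off], int.from_bytes(buf[off + 1:off + 3], "big")
        length = int.from_bytes(buf[off + 3:off + 5], "big")
        body = buf[off + 5:off + 5 + length]
        if len(body) != length and not allow_truncated:
            raise ValueError("truncated TLS record body")
        recs.append((RECORD_TYPES.get(ctype, f"type{ctype}"), ver, length, body))
        off += 5 + length
    return recs


def analyse_flight() -> dict:
    first, last = parse_eap_tls(EAP_41_PREFIX), parse_eap_tls(EAP_42)
    flight_len = first["tls_len"]                     # 0x63e = 1598, as logged
    # Only the header and first four body bytes of the flight's first record were
    # printed: one 1542-byte handshake record carrying Certificate (type 11) +
    # ClientKeyExchange + CertificateVerify (1176 + 102 + 264 bytes, as logged).
    name, _, hs_record_len, head = parse_tls_records(first["data"], allow_truncated=True)[0]
    hs_record_end = 5 + hs_record_len                 # flight offset where that record ends
    # Request (42) carries the rest of the flight (no L or M bit).  Everything before
    # hs_record_end is still that record's tail, i.e. the end of CertificateVerify,
    # whose final 256 bytes are the client's RSA signature.
    frag = last["data"]
    tail_len = hs_record_end - FIRST_FRAGMENT_LEN
    tail, rest_recs = frag[:tail_len], parse_tls_records(frag[tail_len:])
    sig_len = CERT_VERIFY_MSG_LEN - 4 - 2 - 2         # minus hs header, sigalg, 2-byte length
    assert 0 < tail_len <= sig_len
    return {
        "flight_len": flight_len,
        "lengths_consistent": (FIRST_FRAGMENT_LEN + len(frag) == flight_len and
                               hs_record_end + sum(5 + r[2] for r in rest_recs) == flight_len),
        "first_record": (name, hs_record_len, head[0], int.from_bytes(head[1:4], "big")),
        "final_fragment": (len(frag), last["more"], last["start"]),
        "signature_len": sig_len,
        "signature_zero_tail": tail_len if not any(tail) else 0,
        "records_after": [(r[0], r[2]) for r in rest_recs],
    }


if __name__ == "__main__":
    for key, value in analyse_flight().items():
        print(f"{key:20s} {value}")
```

Run as a script it reports a 1598-byte flight whose first record is a 1542-byte handshake record opening with an 1172-byte Certificate body, a 116-byte final fragment with neither L nor M set, then a 1-byte change_cipher_spec and a 40-byte handshake record (the encrypted Finished), and signature_zero_tail 65: the last 65 of the 256 signature bytes the Windows client sent are 0x00. A genuine RSA signature is a residue modulo n and never shows structure like that, so the CertificateVerify was already malformed on the wire. That also explains the exact error text: RSA-PSS verification computes sig^e mod n and first checks that the recovered block ends in the 0xBC trailer, so "last octet invalid" is what OpenSSL says about any value that is not a PSS encoding at all. The failing signature is the client's signature over the handshake, made with its private key, not a signature on either certificate, which is why openssl verify on the certificate and CA is happy while the handshake is not.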

Re: EAP-TLS Signature Check Failure

Alan DeKok-2

On Jun 11, 2020, at 4:31 AM, Peter Bance via Freeradius-Users <[hidden email]> wrote:
> I'm afraid I've been all around the Windows and certificate side, and I've circled back to FreeRADIUS :( I probably should have included the full session log before (sadly I didn't think to save a successful entry from iOS to compare it to, I'll try and get one when I next can). I've pasted below (I don't think I need to "redact" anything here other than the SSID and OUs, which identified the client).
>
> One thing strikes me, and the reason I'm being a nuisance here again (!) - the signature validation is failing "RSA_verify_PKCS1_PSS_mgf1", but both the client and CA certificates are signed with "sha256WithRSAEncryption", and the session is TLS 1.2. However, the very first client request asks for TLS 1.3 (subsequently downgraded to 1.2).

  Well, if the TLS stuff is wrong, blame OpenSSL.  We rely on OpenSSL for that.

> Could FreeRADIUS be "remembering" the initial 1.3, and thus trying an invalid signature validation on the certificate(s)?

  No.  The TLS negotiation is handled by OpenSSL, and FreeRADIUS knows very little about it.

  Further, EAP-TLS for TLS 1.3 isn't even standardized yet.  I've been in touch with the Microsoft engineer who's implementing it.  We should be doing Windows / FreeRADIUS interoperation in the next month or so.  So when it is released, Windows will work.

> I've tried going through the source code, but I confess my C and TLS skills aren't up to it :-(

  I don't touch OpenSSL.  That code is a nightmare.

  Maybe it's an issue with OpenSSL?

https://github.com/openssl/openssl/issues/8443

https://bbs.archlinux.org/viewtopic.php?id=253846

  Are you using RedHat?  Maybe you're running into the issue of RedHat replacing OpenSSL with NSS.  It's not the same, and it doesn't work.  You might have to drop the RH packages, and move to ours at http://packages.networkradius.com

  Alan DeKok.



Re: EAP-TLS Signature Check Failure

Users mailing list
On 2020-06-11 12:48, Alan DeKok wrote:

> On Jun 11, 2020, at 4:31 AM, Peter Bance via Freeradius-Users
> <[hidden email]> wrote:
>> I'm afraid I've been all around the Windows and certificate side, and
>> I've circled back to FreeRADIUS :( I probably should have included the
>> full session log before (sadly I didn't think to save a successful
>> entry from iOS to compare it to, I'll try and get one when I next
>> can). I've pasted below (I don't think I need to "redact" anything
>> here other than the SSID and OUs, which identified the client).
>>
>> One thing strikes me, and the reason I'm being a nuisance here again
>> (!) - the signature validation is failing "RSA_verify_PKCS1_PSS_mgf1",
>> but both the client and CA certificates are signed with
>> "sha256WithRSAEncryption", and the session is TLS 1.2. However, the
>> very first client request asks for TLS 1.3 (subsequently downgraded to
>> 1.2).
>
>   Well, if the TLS stuff is wrong, blame OpenSSL.  We rely on OpenSSL
> for that.

No problem, I blame OpenSSL for a lot of things :-)

>> Could FreeRADIUS be "remembering" the initial 1.3, and thus trying an
>> invalid signature validation on the certificate(s)?
>
>   No.  The TLS negotiation is handled by OpenSSL, and FreeRADIUS knows
> very little about it.

OK - understood.

>   Further, EAP-TLS for TLS 1.3 isn't even standardized yet.  I've been
> in touch with the Microsoft engineer who's implementing it.  We should
> be doing Windows / FreeRADIUS interoperation in the next month or so.
> So when it is released, Windows will work.

Ah, excellent! I look forward to that, I'll see if I can find a way to
force Windows clients to curb their enthusiasm and use 1.2 for now.

>> I've tried going through the source code, but I confess my C and TLS
>> skills aren't up to it :-(
>
>   I don't touch OpenSSL.  That code is a nightmare.
>
>   Maybe it's an issue with OpenSSL?
>
> https://github.com/openssl/openssl/issues/8443
>
> https://bbs.archlinux.org/viewtopic.php?id=253846

Thanks - I did see those issues, and checked; the root causes are
definitely not the same.

>   Are you using RedHat?

No way! :-)

Ubuntu.

> Maybe you're running into the issue of RedHat
> replacing OpenSSL with NSS.  It's not the same, and it doesn't work.
> You might have to drop the RH packages, and move to ours at
> http://packages.networkradius.com

Already using the networkradius.com repo.

Thanks again for your time looking at this. I'll head back to digging
into Windows and see why it's misbehaving.

---
Peter Bance
Information Security Adviser

Re: EAP-TLS Signature Check Failure

Users mailing list
On 2020-06-11 13:51, Peter Bance via Freeradius-Users wrote:

> On 2020-06-11 12:48, Alan DeKok wrote:
>> On Jun 11, 2020, at 4:31 AM, Peter Bance via Freeradius-Users
>> <[hidden email]> wrote:
>>> I'm afraid I've been all around the Windows and certificate side, and
>>> I've circled back to FreeRADIUS :( I probably should have included
>>> the full session log before (sadly I didn't think to save a
>>> successful entry from iOS to compare it to, I'll try and get one when
>>> I next can). I've pasted below (I don't think I need to "redact"
>>> anything here other than the SSID and OUs, which identified the
>>> client).
>>>
>>> One thing strikes me, and the reason I'm being a nuisance here again
>>> (!) - the signature validation is failing
>>> "RSA_verify_PKCS1_PSS_mgf1", but both the client and CA certificates
>>> are signed with "sha256WithRSAEncryption", and the session is TLS
>>> 1.2. However, the very first client request asks for TLS 1.3
>>> (subsequently downgraded to 1.2).
>>
>>   Well, if the TLS stuff is wrong, blame OpenSSL.  We rely on OpenSSL
>> for that.

A final update on this, in case anyone here's interested (or to "wrap
up" for anyone stumbling across this thread online) - I fixed it, and
Windows clients are now happily joining WiFi. It's a beautiful thing to
behold :-)

In the end, I had to force OpenSSL on FreeRADIUS to stop offering TLS1.3
ciphers using the mods/eap config:

tls_max_version = "1.2"

It seems there may be a bug in OpenSSL 1.1.1 such that even though the
negotiation resulted in a TLS 1.2 session, the weird back-port of TLS
1.3 ciphers into TLS 1.2 confused things (a lot), and it tried checking
for TLS 1.3 style signatures inappropriately.

---
Peter Bance
Information Security Adviser
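The fix above caps the server at TLS 1.2, and the error in the original log names the check that failed: tls_process_cert_verify, i.e. the CertificateVerify message, being verified with RSA_verify_PKCS1_PSS_mgf1. RFC 8446 section 4.2.3 allows the rsa_pss_rsae_* schemes in TLS 1.2 handshakes as well, which is how an OpenSSL 1.1.1 server ends up verifying a TLS 1.2 client signature as PSS. The model below is an added example (my code, not the thread's, FreeRADIUS's or OpenSSL's) of what that verifier checks and in which order, so that "last octet invalid" can be told apart from the "bad signature" a transcript mismatch would give. RSA key generation, EMSA-PSS (RFC 8017 section 9.1) and EMSA-PKCS1-v1_5 (section 9.2) are written inline so it runs offline; the 1024-bit key, seeded RNG, fixed salt and the short stand-in for the handshake transcript are constructed for the demo and are not TLS-realistic sizes or inputs.

```python
"""
Added example, not from the thread: a pure-Python model of what OpenSSL's
RSA_verify_PKCS1_PSS_mgf1 checks, so the error "last octet invalid" can be
read correctly.  Key generation, EMSA-PSS (RFC 8017 9.1) and EMSA-PKCS1-v1_5
(RFC 8017 9.2) are implemented inline; key size, RNG seed, salt and message
are constructed for the demo.  Needs Python 3.8+ for pow(e, -1, phi).
"""
import hashlib
import random

H, H_LEN = hashlib.sha256, 32
SALT_LEN = 32      # rsa_pss_rsae_sha256: salt length == digest length (RFC 8446 4.2.3)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2 note 1


def mgf1(seed: bytes, length: int) -> bytes:
    blocks = (length + H_LEN - 1) // H_LEN
    return b"".join(H(seed + c.to_bytes(4, "big")).digest() for c in range(blocks))[:length]


def emsa_pss_encode(m_hash: bytes, em_bits: int, salt: bytes) -> bytes:
    em_len = (em_bits + 7) // 8
    h = H(b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - len(salt) - H_LEN - 2) + b"\x01" + salt
    masked = bytes(a ^ b for a, b in zip(db, mgf1(h, len(db))))
    masked = bytes([masked[0] & (0xFF >> (8 * em_len - em_bits))]) + masked[1:]
    return masked + h + b"\xbc"          # trailer field 0xBC (RFC 8017 9.1.1 step 12)


def emsa_pss_verify(m_hash: bytes, em: bytes, em_bits: int) -> str:
    """Return 'ok' or the first failing check, named after OpenSSL's error reasons."""
    em_len = (em_bits + 7) // 8
    if em_len < H_LEN + SALT_LEN + 2:
        return "inconsistent"
    if em[-1] != 0xBC:                                   # RSA_R_LAST_OCTET_INVALID
        return "last octet invalid"
    masked, h = em[:em_len - H_LEN - 1], em[em_len - H_LEN - 1:-1]
    top = 8 * em_len - em_bits
    if masked[0] & (0xFF & ~(0xFF >> top)):              # RSA_R_FIRST_OCTET_INVALID
        return "first octet invalid"
    db = bytes(a ^ b for a, b in zip(masked, mgf1(h, len(masked))))
    db = bytes([db[0] & (0xFF >> top)]) + db[1:]
    ps_len = em_len - H_LEN - SALT_LEN - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:           # RSA_R_SLEN_CHECK_FAILED
        return "salt length check failed"
    if H(b"\x00" * 8 + m_hash + db[ps_len + 1:]).digest() != h:   # RSA_R_BAD_SIGNATURE
        return "bad signature"
    return "ok"


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 24) -> bool:
    """Miller-Rabin: fine for a demo key, not a production key generator."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_rsa_key(bits: int = 1024, seed: int = 2020):
    """Deterministic demo key (n, e, d); far too small for real use."""
    rng, e = random.Random(seed), 65537

    def prime(b: int) -> int:
        while True:
            c = rng.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c, rng):
                return c

    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return n, e, pow(e, -1, phi)


def _rsa(n: int, exp: int, block: bytes, out_len: int) -> bytes:
    return pow(int.from_bytes(block, "big"), exp, n).to_bytes(out_len, "big")


def sign_pss(key, msg: bytes, salt: bytes) -> bytes:
    n, _, d = key
    em = emsa_pss_encode(H(msg).digest(), n.bit_length() - 1, salt)
    return _rsa(n, d, em, (n.bit_length() + 7) // 8)


def sign_pkcs1_v15(key, msg: bytes) -> bytes:
    """What a signer emits if it ignores the negotiated PSS scheme."""
    n, _, d = key
    k = (n.bit_length() + 7) // 8
    t = SHA256_DIGESTINFO + H(msg).digest()
    return _rsa(n, d, b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, k)


def verify_pss(pub, msg: bytes, sig: bytes) -> str:
    """Mirror of RSA_verify_PKCS1_PSS_mgf1: recover EM = sig^e mod n, then EMSA-PSS-VERIFY."""
    n, e = pub
    if int.from_bytes(sig, "big") >= n:
        return "signature out of range"
    em_bits = n.bit_length() - 1
    return emsa_pss_verify(H(msg).digest(), _rsa(n, e, sig, (em_bits + 7) // 8), em_bits)


TRANSCRIPT = b"abc"    # constructed stand-in for the TLS 1.2 handshake transcript


def demo() -> dict:
    n, e, d = gen_rsa_key()
    pss_sig = sign_pss((n, e, d), TRANSCRIPT, salt=b"\x5a" * SALT_LEN)
    v15_sig = sign_pkcs1_v15((n, e, d), TRANSCRIPT)
    return {
        "pss_signature": verify_pss((n, e), TRANSCRIPT, pss_sig),
        "pkcs1_v15_checked_as_pss": verify_pss((n, e), TRANSCRIPT, v15_sig),
        "pss_over_other_transcript": verify_pss((n, e), TRANSCRIPT + b"!", pss_sig),
        "all_zero_signature": verify_pss((n, e), TRANSCRIPT, bytes(128)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26s} {result}")
```

The four cases give "ok", "last octet invalid", "bad signature" and "last octet invalid". The middle two are the ones worth remembering when reading a FreeRADIUS log: a correctly formed PSS signature over the wrong transcript (wrong handshake bytes, wrong cipher suite negotiation on one side) passes every structural check and fails only at the end with "bad signature", whereas "last octet invalid" means the recovered block does not even end in 0xBC, which happens when the client signed with PKCS#1 v1.5 instead of PSS, signed with a key that does not match the certificate it presented, or sent corrupted signature bytes. All three point at the client's signing path rather than at the certificate chain, the EKU or OCSP, which the log shows passing before the failure.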

Re: EAP-TLS Signature Check Failure

Alan DeKok-2
On Jun 12, 2020, at 3:34 PM, Peter Bance <[hidden email]> wrote:
> A final update on this, in case anyone here's interested (or to "wrap up" for anyone stumbling across this thread online) - I fixed it, and Windows clients are now happily joining WiFi. It's a beautiful thing to behold :-)
>
> In the end, I had to force OpenSSL on FreeRADIUS to stop offering TLS1.3 ciphers using the mods/eap config:
>
> tls_max_version = "1.2"

  Good to hear.

> It seems there may be a bug in OpenSSL 1.1.1 such that even though the negotiation resulted in a TLS 1.2 session, the weird back-port of TLS 1.3 ciphers into TLS 1.2 confused things (a lot), and it tried checking for TLS 1.3 style signatures inappropriately.

  Weird, but OK.  It's OpenSSL :(

  Alan DeKok.

