TLS Variables not set

Luke Pascoe
Hi,

I'm having trouble getting some basic TLS checks working for a Wifi EAP-TLS
connection.

Centos7, freeradius 3.0.4

Basically I'm messing around with the built-in check-eap-tls virtual
server, as a pre-requisite to some more complex matching I want to do, but
it's not working as it would seem it should.

My client connects using a valid cert, I see TLS "stuff" in the logs like
this:

(5)  Auth-Type eap {
(5)  eap : Expiring EAP session with state 0x9e6f4ada9ae847d4
(5)  eap : Finished EAP session with state 0x9e6f4ada9ae847d4
(5)  eap : Previous EAP request found for state 0x9e6f4ada9ae847d4,
released from the list
(5)  eap : Peer sent method TLS (13)
(5)  eap : EAP TLS (13)
(5)  eap : Calling eap_tls to process EAP data
(5)  eap_tls : Authenticate
(5)  eap_tls : processing EAP-TLS
(5)  eap_tls : eaptls_verify returned 7
(5)  eap_tls : Done initial handshake
(5)  eap_tls : <<< TLS 1.0 Handshake [length 04c4], Certificate
(5)  eap_tls : chain-depth=1,
(5)  eap_tls : error=0
(5)  eap_tls : --> User-Name = lpascoe
(5)  eap_tls : --> BUF-Name = NZHothouse CA
(5)  eap_tls : --> subject =
/C=NZ/ST=AKL/L=Auckland/O=NZHothouse/CN=NZHothouse CA/emailAddress=
[hidden email]
(5)  eap_tls : --> issuer  =
/C=NZ/ST=AKL/L=Auckland/O=NZHothouse/CN=NZHothouse CA/emailAddress=
[hidden email]
(5)  eap_tls : --> verify return:1
(5)  eap_tls : chain-depth=0,
(5)  eap_tls : error=0
(5)  eap_tls : --> User-Name = lpascoe
(5)  eap_tls : --> BUF-Name = lpascoe
(5)  eap_tls : --> subject =
/C=NZ/ST=AKL/L=Auckland/O=NZHothouse/CN=lpascoe/emailAddress=
[hidden email]
(5)  eap_tls : --> issuer  =
/C=NZ/ST=AKL/L=Auckland/O=NZHothouse/CN=NZHothouse CA/emailAddress=
[hidden email]
(5)  eap_tls : --> verify return:1
(5)  eap_tls : TLS_accept: SSLv3 read client certificate A
(5)  eap_tls : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
(5)  eap_tls : TLS_accept: SSLv3 read client key exchange A
(5)  eap_tls : <<< TLS 1.0 Handshake [length 0106], CertificateVerify
(5)  eap_tls : TLS_accept: SSLv3 read certificate verify A
(5)  eap_tls : <<< TLS 1.0 ChangeCipherSpec [length 0001]
(5)  eap_tls : <<< TLS 1.0 Handshake [length 0010], Finished
(5)  eap_tls : TLS_accept: SSLv3 read finished A
(5)  eap_tls : >>> TLS 1.0 ChangeCipherSpec [length 0001]
(5)  eap_tls : TLS_accept: SSLv3 write change cipher spec A
(5)  eap_tls : >>> TLS 1.0 Handshake [length 0010], Finished
(5)  eap_tls : TLS_accept: SSLv3 write finished A
(5)  eap_tls : TLS_accept: SSLv3 flush data
(5)  eap_tls : (other): SSL negotiation finished successfully
SSL Connection Established
(5)  eap_tls : eaptls_process returned 13

So I'm pretty certain that part is working correctly.

However when we get to the check-eap-tls part, the variables it expects to
match against aren't populated:

(6)  # Executing section authorize from file
/etc/raddb/sites-enabled/check-eap-tls
(6)    authorize {
(6)    update config {
(6)   Auth-Type := Accept
(6)    } # update config = noop
(6)     if ("%{TLS-Client-Cert-Common-Name}" == "client.example.com")
(6)  EXPAND %{TLS-Client-Cert-Common-Name}
(6)     -->
(6)     if ("%{TLS-Client-Cert-Common-Name}" == "client.example.com")  ->
FALSE
(6)    else else {
(6)     update config {
(6)   Auth-Type := Reject
(6)     } # update config = noop
(6)     update reply {
(6)   Reply-Message := 'Your certificate is not valid.'
(6)     } # update reply = noop
(6)    } # else else = noop

As you can see the expansion for %{TLS-Client-Cert-Common-Name} is an empty
string.

This is the variable I want to match against in future.

Any suggestions around what I need to enable to get these TLS variables
populated would be greatly appreciated.

Thanks.

Luke Pascoe



*E* [hidden email]
* P* +64 (9) 296 2961
* M* +64 (27) 426 6649
* W* www.osnz.co.nz

24 Wellington St
Papakura
Auckland, 2110
New Zealand
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
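The debug output above shows the server parsing CN=lpascoe at chain depth 0 while `%{TLS-Client-Cert-Common-Name}` expands to an empty string. As an added example (not code from the thread or from FreeRADIUS), the following Python script parses a saved `radiusd -X` log, extracts the subject and issuer per chain depth, pairs each EXPAND line with its result, and reports whether the leaf certificate's CN agrees with what unlang expanded, so the symptom can be confirmed mechanically before and after an upgrade. The sample log lines and e-mail addresses are constructed, modelled on the post.

```python
import re
# Constructed sample modelled on the debug output in the post (not the original log).
SAMPLE_LOG = """\
(5)  eap_tls : chain-depth=1,
(5)  eap_tls : --> subject = /C=NZ/O=NZHothouse/CN=NZHothouse CA/emailAddress=ca@example.invalid
(5)  eap_tls : chain-depth=0,
(5)  eap_tls : --> subject = /C=NZ/O=NZHothouse/CN=lpascoe/emailAddress=user@example.invalid
(5)  eap_tls : --> issuer  = /C=NZ/O=NZHothouse/CN=NZHothouse CA/emailAddress=ca@example.invalid
(5)  eap_tls : --> verify return:1
(6)  EXPAND %{TLS-Client-Cert-Common-Name}
(6)     -->
"""
DEPTH_RE = re.compile(r"chain-depth=(\d+)")
FIELD_RE = re.compile(r"-->\s*(subject|issuer)\s*=\s*(\S.*)$")
VERIFY_RE = re.compile(r"-->\s*verify return:(\d+)")
EXPAND_RE = re.compile(r"EXPAND %\{([^}]+)\}")
RESULT_RE = re.compile(r"^\(\d+\)\s+-->\s*(.*)$")


def parse_dn(dn):
    """Split an OpenSSL one-line DN (/C=NZ/.../CN=x) into its RDN components."""
    rdns = (part.split("=", 1) for part in dn.strip().split("/") if "=" in part)
    return {key: value for key, value in rdns}


def parse_chain(log):
    """Collect subject, issuer and verify result per chain depth (0 = client cert)."""
    chain, depth = {}, None
    for line in log.splitlines():
        if m := DEPTH_RE.search(line):
            depth = int(m.group(1))
            chain[depth] = {}
        elif depth is not None and (m := FIELD_RE.search(line)):
            chain[depth][m.group(1)] = m.group(2).strip()
        elif depth is not None and (m := VERIFY_RE.search(line)):
            chain[depth]["verify"] = m.group(1)
    return chain


def parse_expansions(log):
    """Pair each 'EXPAND %{attr}' line with the '-->' result line that follows it."""
    lines, found = log.splitlines(), {}
    for i, line in enumerate(lines[:-1]):
        if (m := EXPAND_RE.search(line)) and (r := RESULT_RE.match(lines[i + 1])):
            found[m.group(1)] = r.group(1).strip()
    return found


def check_cn(log):
    """Return (CN parsed at depth 0, value unlang expanded to, whether they agree)."""
    leaf_cn = parse_dn(parse_chain(log).get(0, {}).get("subject", "")).get("CN")
    expanded = parse_expansions(log).get("TLS-Client-Cert-Common-Name")
    return leaf_cn, expanded, bool(leaf_cn) and leaf_cn == expanded
```

Run it over the real debug output (subject and issuer lines that the mail client wrapped must be rejoined first); a result of `("lpascoe", "", False)` is the condition described in the post, and after the fix the expanded value should equal the depth-0 CN.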

Re: TLS Variables not set

Alan DeKok-2
On Apr 20, 2017, at 11:28 PM, Luke Pascoe <[hidden email]> wrote:
>
> Hi,
>
> I'm having trouble getting some basic TLS checks working for a Wifi EAP-TLS
> connection.
>
> Centos7, freeradius 3.0.4

  Use 3.0.13.

  Alan DeKok.


Re: TLS Variables not set

Luke Pascoe
Finally got around to building 3.0.13 for CentOS 7, and yes, the problem is
now fixed.

Thanks.

Luke Pascoe

On 22 April 2017 at 00:56, Alan DeKok <[hidden email]> wrote:

> On Apr 20, 2017, at 11:28 PM, Luke Pascoe <[hidden email]> wrote:
> >
> > Hi,
> >
> > I'm having trouble getting some basic TLS checks working for a Wifi
> EAP-TLS
> > connection.
> >
> > Centos7, freeradius 3.0.4
>
>   Use 3.0.13.
>
>   Alan DeKok.

Re: TLS Variables not set

Yusuf Siddiqui
Congrats! :-)



Regards
Mohd Yusuf Siddiqui

On Tue, May 9, 2017 at 10:14 AM, Luke Pascoe <[hidden email]> wrote:

> Finally got around to building 3.0.13 for CentOS 7, and yes, the problem is
> now fixed.
>
> Thanks.
>
> Luke Pascoe