Due to the acquisition of companies, we now need to support multiple Certificate Authorities.
Wireless is successful in v2.0.5 using EAP-TLS with one eap instance for Company1, but when I add a second eap instance for Company2, eap fails for Company1. Is there a means to evaluate the certificate Issuer in the early part of the communication using an unlang statement? Is there a specific keyword to use for the certificate issuer? It seems like the configuration needs just a few changes to be successful.

rad_recv: Access-Request packet from host 10.252.255.18 port 32770, id=37, length=1507
    User-Name = "Test User (Company 1)"
    Calling-Station-Id = "00-13-CE-DD-D4-85"
    Called-Station-Id = "00-0A-85-65-3E-80:WIFI3D"
    NAS-Port = 29
    NAS-IP-Address = 10.252.255.18
    NAS-Identifier = "wc-05"
    Airespace-Wlan-Id = 1
    Service-Type = Framed-User
    Framed-MTU = 1300
    NAS-Port-Type = Wireless-802.11
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "798"
    EAP-Message = 0xe395dd3d0f7f1d3e6c91c6cdaca8855c52c6f9bd84893ea1a2ae848e75070f9b1fb8ead9d2470b536737f5f6ccac4acbf6d4aec4703dfee89910c3046ec9fd06ce57c0498eb126328108c9e578d21dcd374012d34210adee04397867d450bcb787bd298ad08321a5ebcde3c70f0000820080150c570d4ee2d59103b622f1c7716f94e2313c0b4c731a9799c430963864866adce8964454c8e2c5d6ab9520262e962cf9b99ce14445c5b39100449055a505eba616a0f754290af94a70ad426edaa42fc8f91fddcf776974f6ac533efbb5372c2e244cd53ea61ac66f7cf8a5d775970cbfd3e17e971822426538143efacca6681403010001011603010020
    EAP-Message = 0xfaa0905d8a278e3e6cbf563aa4ff516825708a612fd32bbd672373f61ac45934
    State = 0x4edb29434bc424a7b8988b8f343c1e87
    Message-Authenticator = 0x0a71963cc3baec5c6ac16ecbaaea6bb0
+- entering group authorize
++[preprocess] returns ok
    rlm_realm: No '@' in User-Name = "Test User (Company 1)", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
    rlm_ldap: Entering ldap_groupcmp()
    expand: dc=external -> dc=external
    expand: (uid=%u) -> (uid=Test User \28Company 1\29)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=external, with filter (uid=Test User \28Company 1\29)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[files] returns noop
    expand: %{Huntgroup-Name} -> WIRELESS
++- entering switch %{Huntgroup-Name}
+++- entering case WIRELESS
  rlm_eap: EAP packet type response id 31 length 253
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++++[eap_company1] returns updated
  rlm_eap: EAP packet type response id 31 length 253
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++++[eap_useram] returns updated
  rlm_eap: EAP packet type response id 31 length 253
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
+++- case WIRELESS returns updated
++- switch %{Huntgroup-Name} returns updated
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-13-CE-DD-D4-85
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound
++[expiration] returns noop
rad_check_password: Found Auth-Type eap_company1
rad_check_password: Found Auth-Type eap_company2
Warning: Found 2 auth-types on request for user 'Test User (Company 1)'
auth: type "eap_company2"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  TLS Length 1287
rlm_eap_tls: Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 03cb], Certificate
chain-depth=1,
error=0
--> User-Name = Test User (Company 1)
--> BUF-Name = Company1 Global CA
--> subject = /C=US/ST=State/L=City/O=Company1/OU=Unit/CN=Company1 Global CA
--> issuer = /C=US/ST=State/L=City/O=Company1/OU=Unit/CN=Company1 Global CA
--> verify return:1
rlm_eap_tls: Certificate issuer (/C=US/ST=State/L=City/O=Company1/OU=Unit/CN=Company1 Global CA) does not match specified value (/O=Parent-company/O=Child-company/OU=Division/CN=Company2 User CA PS)!
chain-depth=0,
error=0
--> User-Name = Test User (Company 1)
--> BUF-Name = Test User (Company 1)
--> subject = /O=company1.com/OU=us/L=am/CN=Test User (Company 1)/[EMAIL PROTECTED]/UID=tuser
--> issuer = /C=US/ST=State/L=City/O=Company1/OU=Unit/CN=Company1 Global CA
--> verify return:0
  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal certificate_unknown
TLS Alert write:fatal:certificate unknown
    TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
  eaptls_process returned 13
  rlm_eap: Freeing handler
++[eap_company2] returns reject
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
+- entering group REJECT
    expand: %{User-Name} -> Test User (Company 1)
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 37 to 10.252.255.18 port 32770
    EAP-Message = 0x041f0004
    Message-Authenticator = 0x00000000000000000000000000000000
Finished request 1647.
Going to the next request

../etc/raddb/sites-available/default

authorize {
    preprocess
    suffix
    files
    switch "%{Huntgroup-Name}" {
        case HARDWARE1 {
            internal-uid
        }
        case HARDWARE2 {
            internal-mail
        }
        case HARDWARE3 {
            external-uid
        }
        case WIRELESS {
            eap_company1
            eap_company2
        }
    }
    checkval
    expiration
}

authenticate {
    internal-uid
    internal-mail
    external-uid
    eap_company1
    eap_company2
}

preacct {
    preprocess
    acct_unique
    suffix
}

accounting {
    detail
    radutmp
    attr_filter.accounting_response
}

session {
    radutmp
}

post-auth {
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}

pre-proxy {
}

post-proxy {
}

../modules/eap_company1

eap eap_company1 {
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password =
        private_key_file = ${certdir}/radius-co1.server.com.key
        certificate_file = ${certdir}/radius-co1.server.com.pem
        CA_file = ${cadir}/company1.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        fragment_size = 1024
        check_crl = yes
        CA_path = /opt/freeradius/etc/raddb/certs
        check_cert_issuer = "/C=US/ST=State/L=City/O=Company1/OU=Unit/CN=Company1 Global CA"
        check_cert_cn = %{User-Name}
        cipher_list = "DEFAULT"
    }
    copy_request_to_tunnel = no
}

../modules/eap_company2

eap eap_company2 {
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password =
        private_key_file = ${certdir}/radius-co2.server.key
        certificate_file = ${certdir}/radius-co2.server.pem
        CA_file = ${cadir}/chain-company2.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        fragment_size = 1024
        check_crl = yes
        CA_path = /opt/freeradius/etc/raddb/certs
        check_cert_issuer = "/O=Parent-company/O=Child-company/OU=Division/CN=Company2 User CA PS"
        check_cert_cn = %{User-Name}
        cipher_list = "DEFAULT"
    }
    copy_request_to_tunnel = no
}

Regards,
Kas
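Added example, not part of the original post: a small Python diagnostic that reads the radiusd debug lines above and explains the reject. Both eap instances set Auth-Type, the last one wins, and that instance's check_cert_issuer does not match the CA that issued the client certificate. The check_cert_issuer mapping and the sample log are constructed here from the values in the message.

```python
import re
from typing import Dict, List, Optional

# check_cert_issuer per eap instance, copied from the two module files in the post
# (the mapping itself is constructed for this example).
CHECK_CERT_ISSUER: Dict[str, str] = {
    "eap_company1": "/C=US/ST=State/L=City/O=Company1/OU=Unit/CN=Company1 Global CA",
    "eap_company2": "/O=Parent-company/O=Child-company/OU=Division/CN=Company2 User CA PS",
}

# Constructed sample of the radiusd -X output, reduced to the lines that matter.
SAMPLE_LOG = """\
rad_check_password: Found Auth-Type eap_company1
rad_check_password: Found Auth-Type eap_company2
Warning: Found 2 auth-types on request for user 'Test User (Company 1)'
auth: type "eap_company2"
rlm_eap_tls: Certificate issuer (/C=US/ST=State/L=City/O=Company1/OU=Unit/CN=Company1 Global CA) does not match specified value (/O=Parent-company/O=Child-company/OU=Division/CN=Company2 User CA PS)!
++[eap_company2] returns reject
"""

AUTH_TYPE_RE = re.compile(r"rad_check_password: Found Auth-Type (\S+)")
SELECTED_RE = re.compile(r'auth: type "([^"]+)"')
ISSUER_RE = re.compile(r"Certificate issuer \((.+?)\) does not match specified value \((.+?)\)!")


def diagnose(log: str, issuer_map: Dict[str, str]) -> dict:
    """Explain an EAP-TLS reject when several eap instances ran in authorize.

    Returns the instances that claimed Auth-Type, the one the server actually
    used, the issuer DN the client presented, and the instance whose
    check_cert_issuer equals that DN (None if no instance would accept it).
    """
    claimed: List[str] = AUTH_TYPE_RE.findall(log)
    selected_m = SELECTED_RE.search(log)
    selected: Optional[str] = selected_m.group(1) if selected_m else None
    issuer_m = ISSUER_RE.search(log)
    presented: Optional[str] = issuer_m.group(1) if issuer_m else None
    accepting = next((name for name, dn in issuer_map.items() if dn == presented), None)
    return {
        "claimed": claimed,
        "selected": selected,
        "presented_issuer": presented,
        "accepting_instance": accepting,
        # Root cause on this page: more than one instance set Auth-Type, and the
        # winner is not the instance whose CA issued the client certificate.
        "misrouted": len(claimed) > 1 and accepting is not None and accepting != selected,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG, CHECK_CERT_ISSUER).items():
        print(f"{key}: {value}")
```

Run against a full radiusd -X capture, a "misrouted" result means the authorize section let two eap instances run for one request, which is what the WIRELESS case above does.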