OCSP

2012-07-30 Thread Maja Wolniewicz
Hi,

I'm getting a segmentation fault when a user certificate is verified, OCSP is
switched on and the OCSP responder does not set the next update.
Then in src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
OCSP_resp_find_status returns NULL for nextupd and the
ASN1_GENERALIZEDTIME_print(bio_out, nextupd) call fails, causing this
segmentation fault.
Wrapping this call in if (nextupd) {} helps.

I checked that the same issue occurs with the git version.

Maja

-- 
Maja Gorecka-Wolniewicz  m...@umk.pl
Uczelniane Centrum Informatyczne / Information & Communication Technology Centre
Uniwersytet Mikolaja Kopernika / Nicolaus Copernicus University
Coll. Maximum, pl. Rapackiego 1, 87-100 Torun, Poland
tel.: +48 56-611-27-40 fax: +48 56-622-18-50 mobile: +48-693032574



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
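The crash reported above is a NULL dereference of an OPTIONAL field: RFC 6960 lets a responder omit nextUpdate, so a server that prints or parses it unconditionally can be taken down by a perfectly valid response. The C program below is an added example, not FreeRADIUS or OpenSSL code. It models the thisUpdate/nextUpdate pair as GeneralizedTime strings (a NULL nextupd stands for the omitted field) so it builds without libcrypto; the function names, the skew parameter and the sample times are assumptions. It shows the two things the module needs: a log helper that tolerates the missing field, and a validity check that accepts a response with no nextUpdate, which is also how OpenSSL's OCSP_check_validity() treats it.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not FreeRADIUS code): handling an OCSP single response
 * whose nextUpdate is absent. The pointer OCSP_resp_find_status() hands
 * back for it may be NULL; nothing below dereferences it unchecked.
 * Times are GeneralizedTime strings "YYYYMMDDHHMMSSZ"; NULL models the
 * omitted field.
 */

/* Days since 1970-01-01 for a proleptic Gregorian date. */
static long long days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    long long era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned doy = (153u * (unsigned)(m + (m > 2 ? -3 : 9)) + 2u) / 5u + (unsigned)d - 1u;
    unsigned doe = yoe * 365u + yoe / 4u - yoe / 100u + doy;
    return era * 146097 + (long long)doe - 719468;
}

/* Parse "YYYYMMDDHHMMSSZ" to seconds since the Unix epoch; -1 if malformed. */
long long generalized_time_to_epoch(const char *s)
{
    int v[14];
    if (s == NULL || strlen(s) != 15 || s[14] != 'Z') return -1;
    for (int i = 0; i < 14; i++) {
        if (s[i] < '0' || s[i] > '9') return -1;
        v[i] = s[i] - '0';
    }
    int year = v[0] * 1000 + v[1] * 100 + v[2] * 10 + v[3];
    int mon  = v[4] * 10 + v[5];
    int day  = v[6] * 10 + v[7];
    int hour = v[8] * 10 + v[9];
    int min  = v[10] * 10 + v[11];
    int sec  = v[12] * 10 + v[13];
    if (mon < 1 || mon > 12 || day < 1 || day > 31 || hour > 23 || min > 59 || sec > 59)
        return -1;
    return days_from_civil(year, mon, day) * 86400LL + hour * 3600LL + min * 60LL + sec;
}

/*
 * Validity window check. Returns 1 if the response is usable at `now`,
 * 0 if it is not yet valid or has expired, -1 if a time is malformed.
 * A NULL nextupd is accepted: the responder stated no expiry, so only
 * thisUpdate is checked (the same rule OpenSSL's OCSP_check_validity() applies).
 */
int ocsp_status_usable(const char *thisupd, const char *nextupd, long long now, long long skew)
{
    long long t_this = generalized_time_to_epoch(thisupd);
    if (t_this < 0) return -1;
    if (t_this > now + skew) return 0;      /* produced in the future */
    if (nextupd == NULL) return 1;          /* optional field omitted: no expiry stated */
    long long t_next = generalized_time_to_epoch(nextupd);
    if (t_next < 0) return -1;
    if (t_next + skew < now) return 0;      /* response has expired */
    return 1;
}

/*
 * Safe replacement for an unconditional ASN1_GENERALIZEDTIME_print(bio, nextupd):
 * always produces a log line, even when the field is absent.
 * Returns the number of characters written.
 */
int format_next_update(const char *nextupd, char *buf, size_t len)
{
    if (nextupd == NULL)
        return snprintf(buf, len, "nextUpdate: (not set)");
    return snprintf(buf, len, "nextUpdate: %s", nextupd);
}

int main(void)
{
    /* Constructed sample: a response carrying thisUpdate only. */
    const char *thisupd = "20120730120000Z";
    char line[64];
    long long now = generalized_time_to_epoch(thisupd) + 3600; /* an hour later */

    format_next_update(NULL, line, sizeof line);
    printf("%s -> usable=%d\n", line, ocsp_status_usable(thisupd, NULL, now, 300));
    format_next_update("20120731120000Z", line, sizeof line);
    printf("%s -> usable=%d\n", line, ocsp_status_usable(thisupd, "20120731120000Z", now, 300));
    return 0;
}
```

In the real module the fix is the `if (nextupd)` guard around the print call; the validity function above is the check that should follow it, so that a responder that omits nextUpdate (which is RFC-compliant) neither crashes the server nor makes every certificate fail. Repeated RADIUS daemon restarts that line up with OCSP being enabled are the operational symptom to watch for.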

Re: EAP-FAST

2010-01-20 Thread Maja Wolniewicz

On 2010-01-20 08:52, Alan DeKok wrote:
> Maja Wolniewicz wrote:
>> A few changes in FreeRADIUS are needed to provide some configuration
>> variables to the hostap EAP library.
>
>   Could you send the changes as a patch?  That way we can apply them to
> the server, and make it easier for everyone else.

I attach the patch.

Maja

>> The biggest problem is that this solution works only with the eapol_test
>> client. In the real world, on the wireless network, we managed to
>> authenticate using EAP-FAST on FreeRADIUS only with anonymous PAC
>> provisioning, because EAP fragmentation does not seem to be handled.
>
>   I think that's an issue with the hostap library.  Maybe there's an API
> for FreeRADIUS to set MTU for the library.  (I haven't looked recently)
>
>   Alan DeKok.






freeradius-fast.patch.gz
Description: GNU Zip compressed data



Re: EAP-FAST

2010-01-19 Thread Maja Wolniewicz
On 19.01.2010 15:06, Alan DeKok wrote:
> Stefan Winter wrote:
>> every now and then there's a mild interest on this list about enabling
>> EAP-FAST. In our eduroam R&D group, we are currently looking into
>> EAP-FAST, which naturally includes FreeRADIUS support. Is it worthwhile
>> posting our results here, for others "play with it" as well? Or has
>> everybody already run away from the somwhat complicated installation of
>> EAP-FAST support in FreeRADIUS [we certainly had our difficulties...]
> 
>   Currently FreeRADIUS supports EAP-FAST only by using the hostap EAP
> library.  It's a bit of a hack to implement...
> 
>   I have some possible EAP-FAST code for a very old version of
> FreeRADIUS (1.1.4).  If someone is willing to play with it, it could be
> made to work with the latest version.
> 
>   My main concerns with the code is that it's pretty bad...
Following Stefan Winter's message, I attach my How-To on deploying EAP-FAST on
FreeRADIUS, which summarizes what I've done to get it to work with
version 2.1.8.
A few changes in FreeRADIUS are needed to provide some configuration
variables to the hostap EAP library.
The biggest problem is that this solution works only with the eapol_test
client. In the real world, on the wireless network, we managed to
authenticate using EAP-FAST on FreeRADIUS only with anonymous PAC
provisioning, because EAP fragmentation does not seem to be handled.

Greetings
Maja

EAP-FAST support in FreeRADIUS is handled by the eap2 module. The only
documentation is what is contained in raddb/experimental.conf.

Below, I describe how I managed to get EAP-FAST running. There is a bit
of hacking involved. 

According to raddb/experimental.conf, you need the "libeap.so" from hostapd.
Unfortunately this library is built inside the eap-example directory of
hostapd, which is not a part of the standard hostap distribution.

I have found only one version of hostap which has the eap-example directory:
the git version. To get it, go to
http://hostap.epitest.fi/gitweb/gitweb.cgi
and get the snapshot of the hostap-06.git project,
or do:
git clone git://w1.fi/srv/git/hostap-06.git

The current development version hostap.git has been changed and is now 
incompatible with FreeRADIUS. The incompatibility is not very serious, 
but for testing purposes the 06 version is quite sufficient. 

To build libeap.so, a patched version of openssl is required. The patches for
different versions are available in the "patches" subdirectory of hostap
distribution. 
To configure openssl with tlsext enabled, you need to specify the
enable-tlsext option in the config command.

It turns out that the source of hostapd has changed since EAP-FAST was tested 
by the author of FreeRADIUS. There are some fixes required.

cd hostap-06/eap-example
vi Makefile
add:
OBJS_peer += ../src/eap_common/eap_fast_common.o
OBJS_server += ../src/eap_server/eap_fast.o
CFLAGS += -DEAP_FAST

also add
CFLAGS += -I/opt/SSL/include
LDFLAGS += -L/opt/lib/SSL -Xlinker -R/opt/lib/SSL
in the appropriate places (assuming that /opt/lib/SSL is the location of your
customised SSL installation).

vi ../src/eap_server/eap_fast.c
In the eap_fast_init function you have to comment out the six lines below
data->force_version = -1;
to skip changing the EAP-FAST version.
Then:
make CONFIG_SOLIB=yes

This creates libeap.so, which is used by rlm_eap2 in FreeRADIUS.

Following the comment in raddb/experimental.conf,
you need to edit src/modules/rlm_eap2/Makefile and point it to the
location of the hostap directory. You also need to fix the TARGET variable;
the corresponding line should be:
TARGET  = rlm_eap2

Then I've configured FreeRADIUS with these options:
--with-experimental-modules --with-rlm_eap2

libeap.so expects to get some configuration variables from the rlm_eap2 module,
like: eap_fast_a_id, eap_fast_a_id_info, pac_opaque_encr_key, pac_key_lifetime,
pac_key_refresh_time, backend_auth.

I've added:
1. in the rlm_eap_t structure, in the "Configuration items" section
char *pac_opaque_encr_key;
char *eap_fast_a_id;
char *eap_fast_a_id_info;
int eap_fast_prov;
int pac_key_lifetime;
int pac_key_refresh_time;
int backend_auth;

2. in module_config table (above the end of list):
{ "backend_auth", PW_TYPE_BOOLEAN,
  offsetof(rlm_eap_t, backend_auth), NULL, "yes" },
{ "fast", PW_TYPE_SUBSECTION, 0, NULL, (const void *) fast_config },

3. in tls_config table the entry
{ "dh_file",

ASSERT FAILED event.c in 2.1.7

2009-09-25 Thread Maja Wolniewicz
After the upgrade from 2.1.6 to 2.1.7 my two servers died 3-4 times 
daily with the following error:


Thu Sep 24 19:07:13 2009 : Error: Received conflicting packet from 
client AP-8 port 32777 - ID: 240 due to unfinished request 2396.  Giving 
up on old request.
Thu Sep 24 19:07:13 2009 : Error: ASSERT FAILED event.c[2682]: 
request->ev != NULL


I have to return to 2.1.6, which works smoothly.

Greetings,
Maja


Re: Support for RFC4372 (Chargeable User Identity)

2008-01-21 Thread Maja Wolniewicz

Alan DeKok wrote:
> Maja Wolniewicz wrote:
>> Thanks. Now it works.
>
>   That's good to hear.
>
>> Yes, I want to add the current realm to the reply attribute
>> Chargeable-User-Identity, which comes from LDAP.
>> When the Chargeable-User-Identity attribute isn't present in the request I want
>> to remove Chargeable-User-Identity from the reply.
>
>   There's a simple answer: don't add something if it's not needed.
> Adding it and then deleting it is complicated, and prone to errors.
>
>   Instead, add it *only* if it's necessary.  This may involve updating the
> LDAP maps to use a temporary attribute.  e.g. map the LDAP data to
> "My-Chargeable-User-Identity", and then map that to
> Chargeable-User-Identity only when necessary.
>
>   See raddb/dictionary for how to define local attributes like this.

That's right. Thanks for help,
Maja

>   Alan DeKok.




Re: Support for RFC4372 (Chargeable User Identity)

2008-01-21 Thread Maja Wolniewicz

Alan DeKok wrote:
> Maja Wolniewicz wrote:
>> I'm now running freeradius from CVS
>> FreeRADIUS Version 2.0.1-pre
>>
>> in post-auth I have:
>> if ("%{FreeRADIUS-Proxied-To}" == "127.0.0.1") {
>> if ("%{Chargeable-User-Identity}") {
>
>   Please fix this.  Putting double quotes around *everything* was never
> necessary, and is much less necessary in 2.0.1.  See the examples from
> my original message, and in "man unlang".

Thanks. Now it works.

>   What you want is:
>
>   if (FreeRADIUS-Proxied-To == 127.0.0.1) {
> ...
>   if (Chargeable-User-Identity) {
> ...
>
>> update reply {
>> Chargeable-User-Identity:="%{reply:[EMAIL PROTECTED]"
>> }
>
>   Huh?  You're updating the reply attribute with the reply attribute?
> What do you think this is doing?

Yes, I want to add the current realm to the reply attribute
Chargeable-User-Identity, which comes from LDAP.
When the Chargeable-User-Identity attribute isn't present in the request I want
to remove Chargeable-User-Identity from the reply.

if (Chargeable-User-Identity) {
    update reply {
        Chargeable-User-Identity:="%{reply:[EMAIL PROTECTED]"
    }
}
else {
    update reply {
        Chargeable-User-Identity-="%{reply:Chargeable-User-Identity}"
    }
}

What is wrong with it?
Maja

>> and it still doesn't work for me:
>
>   Perhaps you could explain why you think it should do *anything* useful.
>
>> when Chargeable-User-Identity in request has a nul value, I'm getting:
>>
>> ...
>>
>> expand: %{Chargeable-User-Identity} ->
>> ? Evaluating ("%{Chargeable-User-Identity}") -> FALSE
>
>   Update this to use my example above.  See also "man unlang":
>
>  If  the  word 'foo' is not a quoted string, then it can be taken
>  as a reference to a named attribute.  See "Referencing attribute
>  lists", below, for examples of attribute references.  The condition
>  evaluates to true if the named attribute exists.
>
>   This *is* documented.  I *did* say I had updated the documentation.
>
>   Alan DeKok.




Re: Support for RFC4372 (Chargeable User Identity)

2008-01-21 Thread Maja Wolniewicz

Alan DeKok wrote:
> Maja Wolniewicz wrote:
>> According to RFC4372  CUI attribute in request can include a single NUL
>> character, then your test
>> if ("%{Chargeable-User-Identifier}")  {
>> update reply {
>> Chargeable-User-Identifier = 
>> }
>> }
>> evaluates to false.
>
>   I've fixed this in CVS head (2.0.1-pre), added better type-checking,
> and removed the requirement to always convert everything to strings:
>
>   if (Chargeable-User-Identifier == "") {
> ...
>
>   if (Framed-IP-Address > 127.0.0.1) {
> ...
>
>   ~200 lines of code: big administrator happiness. :)
>
>   Alan DeKok.

I'm now running freeradius from CVS
FreeRADIUS Version 2.0.1-pre

in post-auth I have:
if ("%{FreeRADIUS-Proxied-To}" == "127.0.0.1") {
    if ("%{Chargeable-User-Identity}") {
        update reply {
            Chargeable-User-Identity:="%{reply:[EMAIL PROTECTED]"
        }
    }
    else {
        update reply {
            Chargeable-User-Identity-="%{reply:Chargeable-User-Identity}"
        }
    }
}

and it still doesn't work for me:

when Chargeable-User-Identity in request has a nul value, I'm getting:

++? if ("%{FreeRADIUS-Proxied-To}" == "127.0.0.1")
expand: %{FreeRADIUS-Proxied-To} -> 127.0.0.1
? Evaluating ("%{FreeRADIUS-Proxied-To}" == "127.0.0.1") -> TRUE
++? if ("%{FreeRADIUS-Proxied-To}" == "127.0.0.1") -> TRUE
++- entering if ("%{FreeRADIUS-Proxied-To}" == "127.0.0.1")
+++? if ("%{Chargeable-User-Identity}")
expand: %{Chargeable-User-Identity} ->
? Evaluating ("%{Chargeable-User-Identity}") -> FALSE
+++? if ("%{Chargeable-User-Identity}") -> FALSE
+++- entering else else
expand: %{reply:Chargeable-User-Identity} ->

when Chargeable-User-Identity in request is AAA

++? if ("%{FreeRADIUS-Proxied-To}" == "127.0.0.1") -> TRUE
++- entering if ("%{FreeRADIUS-Proxied-To}" == "127.0.0.1")
+++? if ("%{Chargeable-User-Identity}")
expand: %{Chargeable-User-Identity} -> AAA
? Evaluating ("%{Chargeable-User-Identity}") -> TRUE
+++? if ("%{Chargeable-User-Identity}") -> TRUE
+++- entering if ("%{Chargeable-User-Identity}")
expand: %{reply:[EMAIL PROTECTED] -> [EMAIL PROTECTED]

Maja


Re: Support for RFC4372 (Chargeable User Identity)

2008-01-15 Thread Maja Wolniewicz

Alan DeKok wrote:
> Stefan Winter wrote:
>> (2.1)
>>
>> If a home RADIUS server that supports the CUI attribute receives an
>>    Access-Request packet containing a CUI (set to nul or otherwise), it
>>    MUST include the CUI attribute in the Access-Accept packet.
>
>   That can be done via policy logic in "unlang".
>
>   if ("%{Chargeable-User-Identifier}")  {
> update reply {
> Chargeable-User-Identifier = 
> }
>   }



According to RFC4372, the CUI attribute in the request can include a single NUL
character, and then your test

if ("%{Chargeable-User-Identifier}")  {
    update reply {
        Chargeable-User-Identifier = 
    }
}
evaluates to false.
The only way I've found to handle such a situation (nul CUI or CUI!="")
is to check the total number of attributes with the name
Chargeable-User-Identifier; when this number is not 0, the CUI is set:

if ("%{Chargeable-User-Identifier[#]}" > 0)  {
    update reply {
        Chargeable-User-Identifier = 
    }
}

Maja Gorecka-Wolniewicz

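The CUI threads above turn on one detail: a Chargeable-User-Identity of a single NUL byte is "present" on the wire but expands to an empty C string, so a quoted-string test treats it as absent, while the attribute-count test ("[#]" > 0) and the later bare attribute reference both see it. The C program below is an added example, not FreeRADIUS's unlang engine: it parses RADIUS type/length/value attributes from constructed byte strings, reproduces the failing string-based check beside the presence check, and builds the RFC 4372 section 2.1 reply (echo the request's CUI into the Access-Accept). Attribute type 89 is the IANA number for CUI; the function names and sample packets are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not FreeRADIUS code): why a string test misses a CUI
 * (RADIUS attribute 89, RFC 4372) whose value is one NUL byte, and the
 * presence check that handles it. Attributes are in RADIUS TLV form:
 * type, length (counting the 2 header bytes), value.
 */
#define ATTR_USER_NAME 1
#define ATTR_CUI       89

struct attr {
    uint8_t        type;
    uint8_t        vlen;    /* value length, header excluded */
    const uint8_t *value;
};

/*
 * Count attributes of `type` in a TLV list, storing the first `max` in out[].
 * Returns the count, or -1 if the list is malformed.
 */
int find_attrs(const uint8_t *buf, size_t n, uint8_t type, struct attr *out, int max)
{
    size_t i = 0;
    int count = 0;
    while (i < n) {
        if (n - i < 2) return -1;               /* truncated header */
        uint8_t t = buf[i], l = buf[i + 1];
        if (l < 2 || l > n - i) return -1;      /* length runs past the buffer */
        if (t == type) {
            if (count < max) {
                out[count].type  = t;
                out[count].vlen  = (uint8_t)(l - 2);
                out[count].value = buf + i + 2;
            }
            count++;
        }
        i += l;
    }
    return count;
}

/*
 * The check from the thread, if ("%{Chargeable-User-Identity}"): the value
 * is expanded into a C string and tested for being non-empty. A CUI of one
 * NUL byte expands to "" and is wrongly treated as absent. Returns 1/0.
 */
int cui_nonempty_as_cstring(const uint8_t *req, size_t n)
{
    struct attr a;
    char tmp[254];                               /* max RADIUS value is 253 bytes */
    if (find_attrs(req, n, ATTR_CUI, &a, 1) < 1) return 0;
    memcpy(tmp, a.value, a.vlen);
    tmp[a.vlen] = '\0';
    return strlen(tmp) > 0;
}

/* Presence check: true if the attribute exists at all ("set to nul or otherwise"). */
int cui_present(const uint8_t *req, size_t n)
{
    struct attr a;
    return find_attrs(req, n, ATTR_CUI, &a, 1) > 0;
}

/*
 * RFC 4372 section 2.1: copy the request's CUI into the Access-Accept.
 * Returns bytes written to reply[], 0 when the request had no CUI
 * (nothing is added), -1 on malformed input or insufficient room.
 */
int echo_cui(const uint8_t *req, size_t n, uint8_t *reply, size_t cap)
{
    struct attr a;
    int c = find_attrs(req, n, ATTR_CUI, &a, 1);
    if (c < 0) return -1;
    if (c == 0) return 0;
    if (cap < (size_t)a.vlen + 2) return -1;
    reply[0] = ATTR_CUI;
    reply[1] = (uint8_t)(a.vlen + 2);
    memcpy(reply + 2, a.value, a.vlen);
    return a.vlen + 2;
}

/* Constructed sample attribute lists: User-Name "bob" plus a nul CUI, a text CUI, or none. */
const uint8_t REQ_NUL_CUI[]  = { ATTR_USER_NAME, 5, 'b', 'o', 'b', ATTR_CUI, 3, 0x00 };
const uint8_t REQ_TEXT_CUI[] = { ATTR_USER_NAME, 5, 'b', 'o', 'b', ATTR_CUI, 5, 'A', 'A', 'A' };
const uint8_t REQ_NO_CUI[]   = { ATTR_USER_NAME, 5, 'b', 'o', 'b' };

int main(void)
{
    uint8_t reply[32];
    printf("nul CUI: string test=%d present=%d echoed=%d bytes\n",
           cui_nonempty_as_cstring(REQ_NUL_CUI, sizeof REQ_NUL_CUI),
           cui_present(REQ_NUL_CUI, sizeof REQ_NUL_CUI),
           echo_cui(REQ_NUL_CUI, sizeof REQ_NUL_CUI, reply, sizeof reply));
    printf("no CUI:  string test=%d present=%d echoed=%d bytes\n",
           cui_nonempty_as_cstring(REQ_NO_CUI, sizeof REQ_NO_CUI),
           cui_present(REQ_NO_CUI, sizeof REQ_NO_CUI),
           echo_cui(REQ_NO_CUI, sizeof REQ_NO_CUI, reply, sizeof reply));
    return 0;
}
```

The practical lesson is the one Alan's fix in 2.0.1-pre encodes: test for the existence of an attribute, not for the non-emptiness of its string expansion, because binary-safe RADIUS values and C strings disagree exactly on the NUL case that RFC 4372 uses as a signal.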