CN check against User Name - EAP-TLS

2004-06-18 Thread pouet
Hi,
I am trying to use the "check_cert_cn = %{User-Name}" option in the tls 
section of eap.conf. It's not working: as long as the user's certificate 
is OK, freeradius accepts him whatever he typed in the User-Name field 
that is sent in response to an EAP-Request/Identity message. Is there someone here 
who is using this option with more luck? My goal is to give different 
privileges to users depending on their CN (for now it is the CN, but are the DN or e-mail 
address possible alternatives?); for this freeradius must match a user 
name in the users file, and to make it impossible for a trusted user (who 
owns a good certificate for the network) to use the privileges of another 
user, I must use this option. Tell me if I'm wrong on this.
I have searched but only found an old patch (didn't try it) from Michael 
Griego on Nov2003 and an unanswered message from Anthony Lopez on May 
2004. Any clue?
thanks

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: CN check against User Name - EAP-TLS

2004-06-18 Thread Michael Griego
Do you have any debugging output to show for when it should allow the
user and when it shouldn't allow the user?

--Mike


On Fri, 2004-06-18 at 05:34, pouet wrote:
> Hi,
> I am trying to use the "check_cert_cn = %{User-Name}" option in the tls 
> section of eap.conf. It's not working: as long as the user's certificate 
> is OK, freeradius accepts him whatever he typed in the User-Name field 
> that is sent in response to an EAP-Request/Identity message. Is there someone here 
> who is using this option with more luck? My goal is to give different 
> privileges to users depending on their CN (for now it is the CN, but are the DN or e-mail 
> address possible alternatives?); for this freeradius must match a user 
> name in the users file, and to make it impossible for a trusted user (who 
> owns a good certificate for the network) to use the privileges of another 
> user, I must use this option. Tell me if I'm wrong on this.
> I have searched but only found an old patch (didn't try it) from Michael 
> Griego on Nov2003 and an unanswered message from Anthony Lopez on May 
> 2004. Any clue?
> thanks
> 




Re: CN check against User Name - EAP-TLS (pouet - debugging output)

2004-06-18 Thread pouet
Hi,
Subject: Re: CN check against User Name - EAP-TLS
From: Michael Griego <[EMAIL PROTECTED]>
Date: Fri, 18 Jun 2004 05:55:21 -0500
Do you have any debugging output to show for when it should allow the
user and when it shouldn't allow the user?
--Mike
 

Ok, thanks for the support, here is the debugging stuff (I tried to make it 
as little noisy as possible):

1. From radiusd.log
Fri Jun 18 15:06:34 2004 : Info: rlm_eap_tls:  Length Included
Fri Jun 18 15:06:34 2004 : Error: TLS_accept:error in SSLv3 read client certificate A
Fri Jun 18 15:06:34 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Fri Jun 18 15:06:35 2004 : Info: rlm_eap_tls:  Received EAP-TLS First Fragment of the message
Fri Jun 18 15:06:35 2004 : Auth: rlm_eap_tls: Certificate CN (Surname Name) does not match specified value (nimp)!
Fri Jun 18 15:06:35 2004 : Info: (other): SSL negotiation finished successfully 
Fri Jun 18 15:06:35 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Fri Jun 18 15:06:35 2004 : Auth: Login OK: [nimp/] (from client HP2626 port 3 cli 00-d0-59-7a-b6-81)

2. From replydetail:
Packet-Type = Access-Accept
Fri Jun 18 15:06:35 2004
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
MS-MPPE-Recv-Key = 
0x459dbc226905e1ce46366fe24b1a0affac11b941c2bf7a28efb785299a652143
MS-MPPE-Send-Key = 
0x6429091bd04c8d083fd38784facb13cdf002376246167642da105cc6bfa60b01
EAP-Message = 0x03790004
Message-Authenticator = 0x
User-Name = "nimp"
   *
Here we can see that the user "nimp" is unknown in the users file and 
does not match the CN of the certificate he supplied. However, 
freeradius accepts him and uses the default account in the users file. 
(There is something strange with the SSL error; I can't deal with this.)

Now a login attempt with the right username (ie equals the CN):
1. From radiusd.log
Fri Jun 18 15:36:04 2004 : Info: rlm_eap_tls:  Length Included
Fri Jun 18 15:36:04 2004 : Error: TLS_accept:error in SSLv3 read client certificate A 
Fri Jun 18 15:36:04 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Fri Jun 18 15:36:04 2004 : Info: rlm_eap_tls:  Received EAP-TLS First Fragment of the message
Fri Jun 18 15:36:04 2004 : Info: (other): SSL negotiation finished successfully 
Fri Jun 18 15:36:04 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Fri Jun 18 15:36:04 2004 : Auth: Login OK: [Surname Name/] (from client HP2626 port 3 cli 00-d0-59-7a-b6-81)

2. From replydetail:
Packet-Type = Access-Accept
Fri Jun 18 15:36:04 2004
Reply-Message = "Hello"
MS-MPPE-Recv-Key = 
0xaae75fffd314a20444df5348b008290cbeb5c73935a110fdfdd5b978d4af102e
MS-MPPE-Send-Key = 
0x016156318c111b228b0450f01d614609bb0b38c3aa92840edbf28a63a0182b14
EAP-Message = 0x038b0004
Message-Authenticator = 0x
User-Name = "Surname Name"
   *
And finally a login attempt with a wrong certificate which is correctly 
rejected:

Fri Jun 18 15:54:00 2004 : Info: rlm_eap_tls:  Length Included
Fri Jun 18 15:54:00 2004 : Error: TLS_accept:error in SSLv3 read client certificate A 
Fri Jun 18 15:54:00 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Fri Jun 18 15:54:00 2004 : Info: rlm_eap_tls:  Received EAP-TLS First Fragment of the message
Fri Jun 18 15:54:00 2004 : Error: --> verify error:num=20:unable to get local issuer certificate 
Fri Jun 18 15:54:00 2004 : Auth: rlm_eap_tls: Certificate CN (test) does not match specified value (Surname Name)!
Fri Jun 18 15:54:00 2004 : Error: TLS Alert write:fatal:unknown CA 
Fri Jun 18 15:54:00 2004 : Error: TLS_accept:error in SSLv3 read client certificate B 
Fri Jun 18 15:54:00 2004 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Fri Jun 18 15:54:00 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Fri Jun 18 15:54:00 2004 : Auth: Login incorrect: [Surname Name/] (from client HP2626 port 3 cli 00-d0-59-7a-b6-81)

Am I missing something? Do you need more and/or different output?
thanks
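
The dangerous pattern in the log excerpts above is a "Certificate CN (...) does not match specified value (...)!" line followed by "Login OK" for the very User-Name that was supposed to be rejected: the CN check logged a mismatch but the session still went on to a users-file match (the DEFAULT entry) and an Access-Accept. The script below is an added example, not code from this thread or from the FreeRADIUS project. It runs a small detection over the radiusd.log lines quoted in this message (copied here as a constructed sample) and reports every accept that followed a CN mismatch for the same User-Name. Because these log lines carry no session identifier, it correlates by User-Name alone, which is an assumption of the example; on a busy server two users choosing the same bogus identity at the same moment could be confused, but that is a false positive worth reading, not a miss. A server where check_cert_cn is enforced should never produce such a pair, so an empty result is the expected state after the fix.

```python
import re

# Constructed sample: the radiusd.log lines quoted in this thread, reduced to
# the Auth/Error lines that matter for the correlation.
SAMPLE_LOG = """\
Fri Jun 18 15:06:35 2004 : Auth: rlm_eap_tls: Certificate CN (Surname Name) does not match specified value (nimp)!
Fri Jun 18 15:06:35 2004 : Info: (other): SSL negotiation finished successfully
Fri Jun 18 15:06:35 2004 : Auth: Login OK: [nimp/] (from client HP2626 port 3 cli 00-d0-59-7a-b6-81)
Fri Jun 18 15:36:04 2004 : Auth: Login OK: [Surname Name/] (from client HP2626 port 3 cli 00-d0-59-7a-b6-81)
Fri Jun 18 15:54:00 2004 : Error: --> verify error:num=20:unable to get local issuer certificate
Fri Jun 18 15:54:00 2004 : Auth: rlm_eap_tls: Certificate CN (test) does not match specified value (Surname Name)!
Fri Jun 18 15:54:00 2004 : Auth: Login incorrect: [Surname Name/] (from client HP2626 port 3 cli 00-d0-59-7a-b6-81)
"""

# The mismatch line written by rlm_eap_tls when check_cert_cn fails. With
# check_cert_cn = %{User-Name} the "specified value" is the EAP identity.
MISMATCH_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: rlm_eap_tls: Certificate CN \((?P<cn>.*?)\) "
    r"does not match specified value \((?P<value>.*?)\)!$"
)

# The final "Login OK" / "Login incorrect" line. The "cli" field is optional
# because not every NAS sends Calling-Station-Id.
LOGIN_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect): "
    r"\[(?P<user>[^/\]]*)/[^\]]*\] \(from client (?P<client>\S+) "
    r"port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)$"
)


def find_cn_bypass(log_text):
    """Return one finding per 'Login OK' that followed a CN mismatch for the
    same User-Name without an intervening 'Login incorrect'.

    Correlation is by User-Name only (assumption: the log lines carry no
    session id), so a rejection for that name clears the pending mismatch.
    """
    pending = {}    # User-Name -> certificate CN from the latest mismatch
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = MISMATCH_RE.match(line)
        if m:
            pending[m["value"]] = m["cn"]
            continue
        m = LOGIN_RE.match(line)
        if not m:
            continue
        user = m["user"]
        cn = pending.pop(user, None)   # any login outcome settles the mismatch
        if m["result"] == "OK" and cn is not None:
            findings.append({
                "timestamp": m["ts"],
                "user_name": user,        # identity the NAS will authorize as
                "certificate_cn": cn,     # identity actually proven by the cert
                "client": m["client"],
                "port": m["port"],
                "cli": m["cli"],
            })
    return findings


if __name__ == "__main__":
    for f in find_cn_bypass(SAMPLE_LOG):
        print("CN check bypassed: User-Name %r accepted with certificate CN %r "
              "from %s port %s (cli %s) at %s" % (
                  f["user_name"], f["certificate_cn"], f["client"],
                  f["port"], f["cli"], f["timestamp"]))
```

Run it against a real radiusd.log (for example by reading the file into `find_cn_bypass`) before and after upgrading to a build that carries the late-May fix Mike mentions; the first run should reproduce the "nimp" finding from this thread and the second should come back empty. The same correlation is cheap enough to keep as a permanent alert, since a hit means someone with a valid certificate is being authorized under a name they never proved.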

Re: CN check against User Name - EAP-TLS (pouet - debugging output)

2004-06-18 Thread Michael Griego
Which version of the server are you using?  You should be using a CVS
snapshot from at least this month.  There was a fix applied in late May
to correct a problem with this behavior.  Try giving 1.0.0-pre3 a try
when it comes out later today.


-- 

--Mike
 
--
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

