Re: EAP-TLS authentication allows me to authenticate with invalid certificate.

2010-10-13 Thread Alan DeKok
Terry Simons wrote:
> I'm running into an issue where FreeRADIUS allows an invalid certificate (one
> not signed by my configured CA) to successfully authenticate to EAP-TLS.

  Well... the code which prints the error verify error:num=20: is in
the verify certificate callback function.  It's returning FALSE to
OpenSSL.

  OpenSSL *should* return that error back up the call chain to the
functions in src/modules/libeap/.  They look for error returns from
OpenSSL, and stop the conversation if so.

> There's a message in the log that clearly indicates that the CA wasn't found
> (-- verify error:num=20:unable to get local issuer certificate), yet my
> authentication succeeds.
>
> I'm using FreeRADIUS version 2.1.10 with a largely default configuration
> (home-grown certificates).

  Does it fail authentication with another version of FreeRADIUS?  If
not, it's an OpenSSL problem.

> I want this authentication to fail because the certificate that the client is
> using was not signed by the CA that I have configured with the CA_file
> directive, therefore it should be considered an invalid EAP-TLS attempt.
>
> Has anyone seen this before?

  Nope.  I'm not a crypto person.  FreeRADIUS hands the SSL stuff to
OpenSSL, which does its magic to verify the certs.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
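The chain failure Alan describes (the verify callback rejecting a certificate whose issuer is not in CA_file, reported by OpenSSL as verify error 20) can be reproduced outside FreeRADIUS with nothing but the openssl command-line tool. The script below is an added example, not code from the thread or from FreeRADIUS; it generates throwaway certificates in a temp directory, and the helper names (issue_client, verify_against_ca) and subject names are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce OpenSSL's verify error 20
# ("unable to get local issuer certificate") with throwaway certificates,
# so the chain problem can be checked independently of FreeRADIUS.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the CA named by FreeRADIUS's CA_file directive.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# issue_client CA_PEM CA_KEY OUT_PEM: a client cert signed by the given CA.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=AutomationUser" \
    -keyout "$3.key" -out "$3.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$3.csr" -CA "$1" -CAkey "$2" \
    -CAcreateserial -out "$3" 2>/dev/null
}

# A client cert that chains to the trusted CA ...
issue_client "$WORK/ca.pem" "$WORK/ca.key" "$WORK/good.pem"

# ... and one issued by an unrelated CA, as in the original post.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
issue_client "$WORK/other.pem" "$WORK/other.key" "$WORK/bad.pem"

# verify_against_ca CA_PEM CERT_PEM: prints the X509 verify error number
# (0 when the chain is OK). The exit status of "openssl verify" is not
# relied on, because older releases return 0 even when verification fails.
verify_against_ca() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
  case "$out" in
    *": OK"*) echo 0 ;;
    *) echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
  esac
}

echo "good.pem vs CA_file: $(verify_against_ca "$WORK/ca.pem" "$WORK/good.pem")"  # 0
echo "bad.pem  vs CA_file: $(verify_against_ca "$WORK/ca.pem" "$WORK/bad.pem")"   # 20
```

If the same check against the real CA_file and the client's certificate prints 20 while the server still returns Access-Accept, the problem is in how the verify result is propagated, not in the certificate material.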


EAP-TLS authentication allows me to authenticate with invalid certificate.

2010-10-12 Thread Terry Simons
Hi,

I'm running into an issue where FreeRADIUS allows an invalid certificate (one 
not signed by my configured CA) to successfully authenticate to EAP-TLS.

There's a message in the log that clearly indicates that the CA wasn't found
(-- verify error:num=20:unable to get local issuer certificate), yet my
authentication succeeds.

I'm using FreeRADIUS version 2.1.10 with a largely default configuration 
(home-grown certificates).

I want this authentication to fail because the certificate that the client is 
using was not signed by the CA that I have configured with the CA_file 
directive, therefore it should be considered an invalid EAP-TLS attempt.

Has anyone seen this before?

I couldn't find any related messages in the FreeRADIUS archive.

Thanks,

Here's the log:

rad_recv: Access-Request packet from host 192.168.19.12 port 1035, id=39, 
length=189
User-Name = AutomationUser
NAS-IP-Address = 192.168.19.12
NAS-Identifier = honeybutter
NAS-Port = 0
Called-Station-Id = 00-19-77-1F-8A-D1:HiveAP120-WPA2
Calling-Station-Id = 00-25-00-43-5E-13
Framed-MTU = 1500
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x0213014175746f6d6174696f6e55736572
Message-Authenticator = 0xebf0b398f32dc38984552b06634ef90e
# Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = AutomationUser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 0 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[opendirectory] The host 192.168.19.12 does not have an access group.
++[opendirectory] returns ok
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 39 to 192.168.19.12 port 1035
EAP-Message = 0x010100060d20
Message-Authenticator = 0x
State = 0xd2fcae5dd2fda306cc163ff247674563
Finished request 37.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.19.12 port 1035, id=40, 
length=352
User-Name = AutomationUser
NAS-IP-Address = 192.168.19.12
NAS-Identifier = honeybutter
NAS-Port = 0
Called-Station-Id = 00-19-77-1F-8A-D1:HiveAP120-WPA2
Calling-Station-Id = 00-25-00-43-5E-13
Framed-MTU = 1500
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 
0x020100a40d80009a1603010095019103014cb5184f29200ee95888008e509e4cf7d61e39b9688acd0a179f3f12fd982b0356c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010112000a00080006001700180019000b00020100
State = 0xd2fcae5dd2fda306cc163ff247674563
Message-Authenticator = 0xbaf4c3763aa24c9f8ecb1bc1695bfbe4
# Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = AutomationUser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 1 length 164
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[opendirectory] The host 192.168.19.12 does not have an access group.
++[opendirectory] returns ok
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 154
[tls] Length Included
[tls] eaptls_verify returned 11 
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls]  TLS 1.0 Handshake [length 0095], ClientHello  
[tls] TLS_accept: SSLv3 read client hello A
[tls]  TLS 1.0 Handshake [length 002a], ServerHello  
[tls] TLS_accept: SSLv3 write server hello A
[tls]  TLS 1.0 Handshake [length 069f], Certificate  
[tls] TLS_accept: SSLv3 write certificate A
[tls]