Re: Certificate Properties.
Appears that I have something working now. Here is what I have so far. Enjoy. *** src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c.OEM 2008-04-30 14:46:28.0 -0400 --- src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c 2008-05-06 14:03:58.0 -0400 *** *** 794,799 --- 794,820 /* * Success: Return MPPE keys. */ + X509 * client_cert; + client_cert = SSL_get_peer_certificate(tls_session-ssl); + + long serialNumber = ASN1_INTEGER_get(X509_get_serialNumber(client_cert)); + char serial_str[64]; + serial_str[0]='\0'; + sprintf(serial_str, %ld, serialNumber); + + VALUE_PAIR *vp; + vp=pairmake(FreeRADIUS-Cert-Serial, serial_str, T_OP_SET); + if (!vp) { + DEBUG( rlm_eap_tls: Failed to create attribute %s: %s\n, + FreeRADIUS-Cert-Serial, librad_errstr); + } + else { + DEBUG2(Adding Cert SN to request - %s, serial_str); + pairadd(handler-request-packet-vps, vp); + DEBUG2(Added Cert SN to request); + } + + eaptls_success(handler-eap_ds, 0); eaptls_gen_mppe_keys(handler-request-reply-vps, tls_session-ssl, and a small change to the dictionary... *** share/dictionary.freeradius.OEM 2008-05-06 14:17:43.0 -0400 --- share/dictionary.freeradius 2008-05-06 14:20:41.0 -0400 *** *** 14,18 --- 14,19 BEGIN-VENDOR FreeRADIUS ATTRIBUTE FreeRADIUS-Proxied-To 1 ipaddr + ATTRIBUTE FreeRADIUS-Cert-Serial 2 integer END-VENDOR FreeRADIUS On Mon, May 5, 2008 at 2:54 PM, Alan DeKok [EMAIL PROTECTED] wrote: Andrew Olson wrote: You still haven't indicated why the perl module isn't running after eap. If I put it before eap in the config, the module runs. After eap, you can see from the trace that it doesn't run. Yes. The eap module returns handled, which means not authenticated yet, send Access-Challenge. If you want your module to run only when the user is authenticated, you need to run it when the eap module returns ok. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
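Review bot: in the rlm_eap_tls.c hunk the serial is read with `ASN1_INTEGER_get()`, which returns a C `long`; a serialNumber is an ASN.1 INTEGER of up to 20 octets, and CA-issued certificates commonly use wide serials, so for those the call cannot return the value and the attribute ends up holding an error value rather than the serial. Format the ASN1_INTEGER as text instead, e.g. `ASN1_INTEGER_to_BN()` followed by `BN_bn2hex()` (freeing the result with `OPENSSL_free()`), and carry it as a string. Two smaller points in the same hunk: `SSL_get_peer_certificate()` returns NULL when the peer presented no certificate, so `client_cert` needs a NULL check before `X509_get_serialNumber()`, and it hands back a new reference that should be released with `X509_free(client_cert)` once the serial has been copied out. `sprintf(serial_str, ...)` into the fixed 64-byte buffer is fine for a `%ld` but `snprintf(serial_str, sizeof(serial_str), ...)` costs nothing.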
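Review bot: in the dictionary hunk `FreeRADIUS-Cert-Serial` is declared as `integer`, which on the wire is a 32-bit value, while a certificate serialNumber may be up to 20 octets; most CA-issued serials would therefore not fit even if the C side produced them correctly. Declaring the attribute as `string` and carrying the serial as hex keeps every serial intact and still lets config compare it with `==`.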
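As an added example (not the thread's patch and not FreeRADIUS code), the DER walk below pulls the serialNumber out of a certificate as an arbitrary-precision integer and shows why a C long or a RADIUS integer attribute cannot hold a typical CA-issued serial. The sample certificate is constructed by make_sample() and stops after the serial field; LONG_MAX assumes an LP64 build.

```python
# Added example, not code from the thread or from FreeRADIUS: read a
# certificate's serialNumber straight from DER as an arbitrary-precision
# integer. Serials are ASN.1 INTEGERs of up to 20 octets (RFC 5280), wider
# than a C long (ASN1_INTEGER_get) or a 32-bit RADIUS "integer" attribute.

LONG_MAX = (1 << 63) - 1            # assumption: LP64 build, signed 64-bit long
RADIUS_INTEGER_MAX = (1 << 32) - 1  # a RADIUS "integer" attribute is 32 bits

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def cert_serial(der):
    """Return (serial as int, serial as upper-case hex) from a DER Certificate."""
    tag, cert, _ = read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = read_tlv(cert, 0)                  # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, val, end = read_tlv(tbs, 0)
    if tag == 0xA0:                                  # version [0] EXPLICIT, optional
        tag, val, end = read_tlv(tbs, end)
    if tag != 0x02:                                  # serialNumber ::= INTEGER
        raise ValueError("serialNumber INTEGER not found")
    serial = int.from_bytes(val, "big", signed=True)
    if serial < 0:                                   # RFC 5280: must be positive
        raise ValueError("negative serial number")
    return serial, format(serial, "X")

def tlv(tag, content):
    """DER-encode one tag-length-value (short- or long-form length)."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def make_sample(serial):
    """Constructed sample: only the Certificate/tbsCertificate prefix through
    serialNumber (version v3, then the serial); the rest of a cert is omitted."""
    body = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # sign bit clear
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, body)
    return tlv(0x30, tlv(0x30, tbs))
```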
Re: Certificate Properties.
Is it safe to assume that the config below is correct? If so, is FR just not behaving in the manner that I expect?

Thanks,
Andrew

On Fri, May 2, 2008 at 3:31 PM, Andrew Olson [EMAIL PROTECTED] wrote:
> On Fri, May 2, 2008 at 2:47 PM, Alan DeKok [EMAIL PROTECTED] wrote:
>> Andrew Olson wrote:
>>> I would like to have my Perl authenticate method called after eaptls_process is done. I gather that since eap returns handled that no more processing is done. I'm pretty sure that I have Perl configured correctly, since it gets called on other requests. Am I missing something? If I ever get this working, I'll post the patch.
>>
>> You should run the Perl module in the authenticate section, after the EAP module is called.
>
> This is what my authenticate section looks like. Should it be different?
>
> authenticate {
>     # MSCHAP authentication.
>     Auth-Type MS-CHAP {
>         mschap
>     }
>     Auth-Type EAP {
>         eap
>         perl
>     }
> }
Re: Certificate Properties.
Andrew Olson wrote:
> Is it safe to assume that the config below is correct? If so, is FR just not behaving in the manner that I expect?

I suggest tracing execution to see what it's doing, and why.

Alan DeKok.
Re: Certificate Properties.
On Mon, May 5, 2008 at 9:48 AM, Alan DeKok [EMAIL PROTECTED] wrote:
> Andrew Olson wrote:
>> Is it safe to assume that the config below is correct? If so, is FR just not behaving in the manner that I expect?
>
> I suggest tracing execution to see what it's doing, and why.

Here is the pertinent part of the trace output. As you can see I am able to parse the Cert SN and put it back on the request. However, my perl module never gets called in authenticate. Is this because eap returns handled? If not, is this a bug/feature? Maybe someone can explain.

Thanks again,
Andrew

Waking up in 4.6 seconds.
    User-Name = anolson
    Framed-MTU = 1400
    Called-Station-Id = 0017.0fdf.c600
    Calling-Station-Id = 0018.deb3.5e5c
    Cisco-AVPair = ssid=ANDREW_LAN
    Service-Type = Login-User
    Message-Authenticator = 0x3eddf4e0408c74279b1bf0c90f17d90c
    EAP-Message = (elided)
    EAP-Message = 0x140301000101160301002038b4b73a0064fffa192447f8343e4db08cfbb94092e8c7824af742a89102dc98
    NAS-Port-Type = Wireless-802.11
    Cisco-NAS-Port = 21961
    NAS-Port = 21961
    State = 0x20bb0b6025b30687e24095e89d3b3f84
    NAS-IP-Address = 128.173.9.86
    NAS-Identifier = [EMAIL PROTECTED]
+- entering group authorize
++[mschap] returns noop
  rlm_eap: EAP packet type response id 8 length 253
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
  rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group EAP
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls: TLS 1.0 Handshake [length 0afa], Certificate
chain-depth=2, error=0
-- User-Name = anolson
-- BUF-Name = ô?ηf$Å¿??Å¿ý?Á·?Å¿h?Å¿f$Å¿?%Å¿ô?η?Å¿h?Å¿(?Å¿ô¤À·?Å¿?!???%Å¿h?Å¿
-- subject = /DC=edu/DC=vt/DC=cns/C=US/ST=Virginia/L=Blacksburg/O=Virginia Tech Communications Network Services/OU=Research and Development Root CA
-- issuer = /DC=edu/DC=vt/DC=cns/C=US/ST=Virginia/L=Blacksburg/O=Virginia Tech Communications Network Services/OU=Research and Development Root CA
-- verify return:1
chain-depth=1, error=0
-- User-Name = anolson
-- BUF-Name = ô?ηf$Å¿??Å¿ý?Á·?Å¿h?Å¿f$Å¿?%Å¿ô?η?Å¿h?Å¿(?Å¿ô¤À·?Å¿?!???%Å¿h?Å¿
-- subject = /C=US/ST=Virginia/L=Blacksburg/O=Virginia Tech Communications Network Services/OU=Research and Development Remote Access CA/DC=edu/DC=vt/DC=cns/serialNumber=3
-- issuer = /DC=edu/DC=vt/DC=cns/C=US/ST=Virginia/L=Blacksburg/O=Virginia Tech Communications Network Services/OU=Research and Development Root CA
-- verify return:1
Adding Cert SN to request - 1
Added Cert SN to request
expand: %{User-Name} - anolson
  rlm_eap_tls: checking certificate CN (anolson) with xlat'ed value (anolson)
chain-depth=0, error=0
-- User-Name = anolson
-- BUF-Name = anolson
-- subject = /CN=anolson
-- issuer = /C=US/ST=Virginia/L=Blacksburg/O=Virginia Tech Communications Network Services/OU=Research and Development Remote Access CA/DC=edu/DC=vt/DC=cns/serialNumber=3
-- verify return:1
TLS_accept: SSLv3 read client certificate A
  rlm_eap_tls: TLS 1.0 Handshake [length 0106], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: TLS 1.0 Handshake [length 0086], CertificateVerify
TLS_accept: SSLv3 read certificate verify A
  rlm_eap_tls: TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
  rlm_eap_tls: TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
++[eap] returns handled
    EAP-Message = 0x010900350d80002b140301000101160301002077887a2e41256c9e6b5b1af900d1da1b0cab25ba320348e52fe15c9a5ff56437
    Message-Authenticator = 0x
    State = 0x20bb0b6026b20687e24095e89d3b3f84
Finished request 7.
Going to the next request

> Alan DeKok.
Re: Certificate Properties.
Andrew Olson wrote:
> Here is the pertinent part of the trace output. As you can see I am able to parse the Cert SN and put it back on the request. However, my perl module never gets called in authenticate. Is this because eap returns handled? If not, is this a bug/feature? Maybe someone can explain.

It's returning handled from the authenticate section because it hasn't sent an EAP Success yet. When it sends an EAP Success packet, it returns OK from the authenticate section.

You need to look at the certificate once the EAP module returns ok.

Alan DeKok.
Re: Certificate Properties.
On Mon, May 5, 2008 at 10:40 AM, Alan DeKok [EMAIL PROTECTED] wrote:
> Andrew Olson wrote:
>> Here is the pertinent part of the trace output. As you can see I am able to parse the Cert SN and put it back on the request. However, my perl module never gets called in authenticate. Is this because eap returns handled? If not, is this a bug/feature? Maybe someone can explain.
>
> It's returning handled from the authenticate section because it hasn't sent an EAP Success yet. When it sends an EAP Success packet, it returns OK from the authenticate section.
>
> You need to look at the certificate once the EAP module returns ok.

You still haven't indicated why the perl module isn't running after eap. If I put it before eap in the config, the module runs. After eap, you can see from the trace that it doesn't run.

Thanks,
Andrew
Re: Certificate Properties.
Andrew Olson wrote:
> You still haven't indicated why the perl module isn't running after eap. If I put it before eap in the config, the module runs. After eap, you can see from the trace that it doesn't run.

Yes. The eap module returns handled, which means "not authenticated yet, send Access-Challenge".

If you want your module to run only when the user is authenticated, you need to run it when the eap module returns ok.

Alan DeKok.
Re: Certificate Properties.
So, I managed to find the place where the certificate gets taken apart. I added some code to parse out the serialNumber and put it back onto the request. I'd like to be able to do some processing later with Perl. However, it appears that my Perl module isn't getting called where I want it to.

SSL Connection Established
eaptls_process returned 13
++[eap] returns handled
    EAP-Message = 0x010900350d80002b14030100010116030100202bb95c025a504e497064ffa66b4138307aa4cc22c4b46b5da74712ad8553ce74
    Message-Authenticator = 0x
    State = 0xbe08af5fb801a2c65b78155ec5f3f1cf
Finished request 7.

I would like to have my Perl authenticate method called after eaptls_process is done. I gather that since eap returns handled that no more processing is done. I'm pretty sure that I have Perl configured correctly, since it gets called on other requests. Am I missing something? If I ever get this working, I'll post the patch.

Thanks,
Andrew Olson

On Tue, Apr 29, 2008 at 3:50 AM, Alan DeKok [EMAIL PROTECTED] wrote:
> Andrew Olson wrote:
>> Are there attributes available to get at properties of a certificate? I want to look at properties like Subject DN, Serial number, etc. So, somewhere in the FR config, I could do something like '%{cert-serial-number} == blah'.
>
> No. As always, patches are welcome.
>
> Alan DeKok.
Re: Certificate Properties.
Andrew Olson wrote:
> I would like to have my Perl authenticate method called after eaptls_process is done. I gather that since eap returns handled that no more processing is done. I'm pretty sure that I have Perl configured correctly, since it gets called on other requests. Am I missing something? If I ever get this working, I'll post the patch.

You should run the Perl module in the authenticate section, after the EAP module is called.

Alan DeKok.
Re: Certificate Properties.
On Fri, May 2, 2008 at 2:47 PM, Alan DeKok [EMAIL PROTECTED] wrote:
> Andrew Olson wrote:
>> I would like to have my Perl authenticate method called after eaptls_process is done. I gather that since eap returns handled that no more processing is done. I'm pretty sure that I have Perl configured correctly, since it gets called on other requests. Am I missing something? If I ever get this working, I'll post the patch.
>
> You should run the Perl module in the authenticate section, after the EAP module is called.

This is what my authenticate section looks like. Should it be different?

authenticate {
    # MSCHAP authentication.
    Auth-Type MS-CHAP {
        mschap
    }
    Auth-Type EAP {
        eap
        perl
    }
}
Re: Certificate Properties.
Andrew Olson wrote:
> Are there attributes available to get at properties of a certificate? I want to look at properties like Subject DN, Serial number, etc. So, somewhere in the FR config, I could do something like '%{cert-serial-number} == blah'.

No. As always, patches are welcome.

Alan DeKok.