Re: Certificate Properties.

2008-05-06 Thread Andrew Olson
Appears that I have something working now.

Here is what I have so far.  Enjoy.

*** src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c.OEM
2008-04-30 14:46:28.0 -0400
--- src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c 2008-05-06
14:03:58.0 -0400
***
*** 794,799 
--- 794,820 
/*
 *  Success: Return MPPE keys.
 */
+   X509 * client_cert;
+   client_cert = SSL_get_peer_certificate(tls_session-ssl);
+
+   long serialNumber =
ASN1_INTEGER_get(X509_get_serialNumber(client_cert));
+   char serial_str[64];
+   serial_str[0]='\0';
+   sprintf(serial_str, %ld, serialNumber);
+
+   VALUE_PAIR *vp;
+   vp=pairmake(FreeRADIUS-Cert-Serial, serial_str, T_OP_SET);
+   if (!vp) {
+   DEBUG(  rlm_eap_tls: Failed to create attribute %s: %s\n,
+   FreeRADIUS-Cert-Serial, librad_errstr);
+   }
+   else {
+   DEBUG2(Adding Cert SN to request - %s, serial_str);
+   pairadd(handler-request-packet-vps, vp);
+   DEBUG2(Added Cert SN to request);
+   }
+
+
eaptls_success(handler-eap_ds, 0);
eaptls_gen_mppe_keys(handler-request-reply-vps,
 tls_session-ssl,
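Review bot: the pointer from `client_cert = SSL_get_peer_certificate(tls_session-ssl);` is used with no NULL check and is never released; SSL_get_peer_certificate() returns NULL when no peer certificate is available and otherwise increments the X509 reference count, so add an `if (!client_cert)` branch and an `X509_free(client_cert);` once serial_str has been built, or every successful EAP-TLS authentication leaks one X509. Two more points in the same hunk: ASN1_INTEGER_get() can only represent serials that fit in a long and returns an error sentinel for wider ones, while RFC 5280 allows serials up to 20 octets, so `sprintf(serial_str, %ld, serialNumber);` will emit a bogus value for most CA-issued certificates (convert with ASN1_INTEGER_to_BN()/BN_bn2hex() instead, and use snprintf for the 64-byte buffer); and the new pair goes into handler->request->packet->vps next to the attributes the NAS sent, so a NAS could pre-load FreeRADIUS-Cert-Serial with a value of its choosing; call pairdelete() on any existing instance before `pairadd(handler-request-packet-vps, vp);`.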


and a small change to the dictionary...

*** share/dictionary.freeradius.OEM 2008-05-06 14:17:43.0 -0400
--- share/dictionary.freeradius 2008-05-06 14:20:41.0 -0400
***
*** 14,18 
--- 14,19 
  BEGIN-VENDOR  FreeRADIUS

  ATTRIBUTE FreeRADIUS-Proxied-To   1   ipaddr
+ ATTRIBUTE   FreeRADIUS-Cert-Serial  2   integer

  END-VENDOR FreeRADIUS
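Review bot: `integer` is a 32-bit unsigned RADIUS type, so `ATTRIBUTE FreeRADIUS-Cert-Serial 2 integer` cannot carry a serial wider than 32 bits even if the C side produced one, and pairmake() will reject the decimal string for such values; RFC 5280 serials run up to 20 octets and are conventionally shown as hex (what `openssl x509 -serial` prints), so declare the attribute as `string` (or `octets`) and fill it with the hex form. The vendor-block placement itself (number 2 after Proxied-To = 1, inside BEGIN-VENDOR/END-VENDOR) is fine.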

On Mon, May 5, 2008 at 2:54 PM, Alan DeKok [EMAIL PROTECTED] wrote:
 Andrew Olson wrote:
   You still haven't indicated why the perl module isn't running after
   eap.  If I put it before eap in the config, the module runs.  After
   eap, you can see from the trace that it doesn't run.

   Yes.  The eap module returns handled, which means not authenticated
  yet, send Access-Challenge.

   If you want your module to run only when the user is authenticated, you
  need to run it when the eap module returns ok.

   Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
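The patch above reads the client serial with ASN1_INTEGER_get() and prints it with %ld, which only works for serials that fit in a C long; RFC 5280 lets a serial be up to 20 octets, and most CAs use that width. Below is an added example (my own code, not part of the patch or of FreeRADIUS) that walks the DER structure of a certificate directly and returns serialNumber as uppercase hex, the same form `openssl x509 -noout -serial` prints, so it can be stored in a string attribute unchanged. The function names (der_header, x509_serial_hex) and the two byte arrays are mine; the byte arrays are constructed certificate skeletons (outer SEQUENCE, tbsCertificate, version, serial) and not real certificates.

```c
/*
 * Added example, not FreeRADIUS code: extract serialNumber from a DER-encoded
 * X.509 certificate without ASN1_INTEGER_get(), which cannot represent serials
 * wider than a long.  RFC 5280 4.1.2.2 allows serials up to 20 octets, so the
 * value is returned as hex, the form `openssl x509 -noout -serial` prints.
 *
 * Certificate ::= SEQUENCE {
 *   tbsCertificate SEQUENCE {
 *     version      [0] EXPLICIT INTEGER OPTIONAL,
 *     serialNumber     INTEGER,
 *     ...
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse one DER tag+length header at buf[pos].  Rejects headers whose content
 * would run past the buffer, so callers never read out of bounds. */
static int der_header(const uint8_t *buf, size_t buflen, size_t pos,
                      uint8_t *tag, size_t *len, size_t *hdr)
{
    size_t n = 2, l;

    if (pos >= buflen || buflen - pos < 2) return 0;
    *tag = buf[pos];
    if ((*tag & 0x1f) == 0x1f) return 0;        /* high-tag-number form: not used here */

    uint8_t first = buf[pos + 1];
    if (first < 0x80) {
        l = first;                              /* short-form length */
    } else {
        size_t nbytes = first & 0x7f;
        if (nbytes == 0 || nbytes > sizeof(size_t)) return 0;  /* 0x80 = indefinite, not DER */
        if (buflen - pos - 2 < nbytes) return 0;
        l = 0;
        for (size_t i = 0; i < nbytes; i++) l = (l << 8) | buf[pos + 2 + i];
        n += nbytes;
    }
    if (l > buflen - pos - n) return 0;         /* content must lie inside the buffer */
    *len = l;
    *hdr = n;
    return 1;
}

/* Write the certificate's serialNumber into out as uppercase hex with the
 * sign-pad 0x00 octet stripped.  Returns the number of hex digits written, or
 * -1 if the input is malformed, the serial is negative or wider than 20
 * octets, or out is too small. */
int x509_serial_hex(const uint8_t *der, size_t derlen, char *out, size_t outlen)
{
    static const char hexdig[] = "0123456789ABCDEF";
    uint8_t tag;
    size_t len, hdr, pos = 0, tbs_end;
    const uint8_t *ser;

    /* Certificate ::= SEQUENCE */
    if (!der_header(der, derlen, pos, &tag, &len, &hdr) || tag != 0x30) return -1;
    pos += hdr;

    /* tbsCertificate ::= SEQUENCE */
    if (!der_header(der, derlen, pos, &tag, &len, &hdr) || tag != 0x30) return -1;
    pos += hdr;
    tbs_end = pos + len;

    /* version [0] EXPLICIT is optional (absent in v1 certificates) */
    if (!der_header(der, derlen, pos, &tag, &len, &hdr)) return -1;
    if (tag == 0xa0) pos += hdr + len;

    /* serialNumber INTEGER */
    if (!der_header(der, derlen, pos, &tag, &len, &hdr) || tag != 0x02) return -1;
    if (len == 0 || pos + hdr + len > tbs_end) return -1;
    ser = der + pos + hdr;

    if (ser[0] & 0x80) return -1;                       /* RFC 5280: serial MUST be positive */
    if (len > 1 && ser[0] == 0x00) { ser++; len--; }    /* drop the sign-pad octet */
    if (len > 20) return -1;                            /* RFC 5280: at most 20 octets */
    if (outlen < 2 * len + 1) return -1;

    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = hexdig[ser[i] >> 4];
        out[2 * i + 1] = hexdig[ser[i] & 0x0f];
    }
    out[2 * len] = '\0';
    return (int)(2 * len);
}

/* Constructed sample (NOT a real certificate): only the outer SEQUENCE,
 * tbsCertificate SEQUENCE, version and a 20-octet serial are present. */
static const uint8_t sample_v3_prefix[] = {
    0x30, 0x1e,                     /* Certificate SEQUENCE, 30 bytes follow */
    0x30, 0x1c,                     /* tbsCertificate SEQUENCE, 28 bytes follow */
    0xa0, 0x03, 0x02, 0x01, 0x02,   /* version [0] { INTEGER 2 } = v3 */
    0x02, 0x15, 0x00,               /* serialNumber INTEGER, 21 octets: 0x00 pad + 20 value octets */
    0xde, 0xad, 0xbe, 0xef, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
};

/* Constructed v1-style sample: no version field, serial 1. */
static const uint8_t sample_v1_prefix[] = {
    0x30, 0x05, 0x30, 0x03, 0x02, 0x01, 0x01,
};

int main(void)
{
    char buf[64];
    if (x509_serial_hex(sample_v3_prefix, sizeof sample_v3_prefix, buf, sizeof buf) > 0)
        printf("serial=%s\n", buf);
    if (x509_serial_hex(sample_v1_prefix, sizeof sample_v1_prefix, buf, sizeof buf) > 0)
        printf("serial=%s\n", buf);
    return 0;
}
```

Inside rlm_eap_tls the same routine could be fed the buffer from i2d_X509() on the peer certificate, but the point of the stand-alone version is the input checks: every length is validated against the buffer before it is used, negative and over-wide serials are rejected rather than silently truncated, and the hex form fits a string attribute regardless of width.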


Re: Certificate Properties.

2008-05-05 Thread Andrew Olson
Is it safe to assume that the config below is correct?  If so, is FR
just not behaving in the manner that I expect.

Thanks,
Andrew

On Fri, May 2, 2008 at 3:31 PM, Andrew Olson [EMAIL PROTECTED] wrote:
 On Fri, May 2, 2008 at 2:47 PM, Alan DeKok [EMAIL PROTECTED] wrote:
   Andrew Olson wrote:
 I would like to have my Perl authenticate method called after
 eaptls_process is done.  I gather that since eap returns handled
 that no more processing is done.  I'm pretty sure that I have Perl
 configured correctly, since it gets called on other requests.  Am I
 missing something?  If I ever get this working, I'll post the patch.
  
 You should run the Perl module in the authenticate section, after
the EAP module is called.
  

  This is what my authenticate section looks like.  Should it be different?

  authenticate {
 #  MSCHAP authentication.
 Auth-Type MS-CHAP {
 mschap
 }

 Auth-Type EAP {
 eap
 perl
 }

  }



Re: Certificate Properties.

2008-05-05 Thread Alan DeKok
Andrew Olson wrote:
 Is it safe to assume that the config below is correct?  If so, is FR
 just not behaving in the manner that I expect.

  I suggest tracing execution to see what it's doing, and why.

  Alan DeKok.



Re: Certificate Properties.

2008-05-05 Thread Andrew Olson
On Mon, May 5, 2008 at 9:48 AM, Alan DeKok [EMAIL PROTECTED] wrote:
 Andrew Olson wrote:
   Is it safe to assume that the config below is correct?  If so, is FR
   just not behaving in the manner that I expect.

   I suggest tracing execution to see what it's doing, and why.


Here is the pertinent part of the trace output.  As you can see I am
able to parse the Cert SN and put it back on the request.  However, my
perl module never gets called in authenticate.  Is this because eap
returns handled?  If not, is this a bug/feature?  Maybe someone can
explain.

Thanks again,
Andrew


Waking up in 4.6 seconds.
User-Name = anolson
Framed-MTU = 1400
Called-Station-Id = 0017.0fdf.c600
Calling-Station-Id = 0018.deb3.5e5c
Cisco-AVPair = ssid=ANDREW_LAN
Service-Type = Login-User
Message-Authenticator = 0x3eddf4e0408c74279b1bf0c90f17d90c
EAP-Message =
0x140301000101160301002038b4b73a0064fffa192447f8343e4db08cfbb94092e8c7824af742a89102dc98
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = 21961
NAS-Port = 21961
State = 0x20bb0b6025b30687e24095e89d3b3f84
NAS-IP-Address = 128.173.9.86
NAS-Identifier = [EMAIL PROTECTED]
+- entering group authorize
++[mschap] returns noop
  rlm_eap: EAP packet type response id 8 length 253
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group EAP
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls:  TLS 1.0 Handshake [length 0afa], Certificate
chain-depth=2,
error=0
-- User-Name = anolson
-- BUF-Name = 
ô?ηf$Å¿??Å¿ý?Á·?Å¿h?Å¿f$Å¿?%Å¿ô?η?Å¿h?Å¿(?Å¿ô¤À·?Å¿?!???%Å¿h?Å¿
-- subject = /DC=edu/DC=vt/DC=cns/C=US/ST=Virginia/L=Blacksburg/O=Virginia
Tech Communications Network Services/OU=Research and Development Root
CA
-- issuer  = /DC=edu/DC=vt/DC=cns/C=US/ST=Virginia/L=Blacksburg/O=Virginia
Tech Communications Network Services/OU=Research and Development Root
CA
-- verify return:1
chain-depth=1,
error=0
-- User-Name = anolson
-- BUF-Name = 
ô?ηf$Å¿??Å¿ý?Á·?Å¿h?Å¿f$Å¿?%Å¿ô?η?Å¿h?Å¿(?Å¿ô¤À·?Å¿?!???%Å¿h?Å¿
-- subject = /C=US/ST=Virginia/L=Blacksburg/O=Virginia Tech
Communications Network Services/OU=Research and Development Remote
Access CA/DC=edu/DC=vt/DC=cns/serialNumber=3
-- issuer  = /DC=edu/DC=vt/DC=cns/C=US/ST=Virginia/L=Blacksburg/O=Virginia
Tech Communications Network Services/OU=Research and Development Root
CA
-- verify return:1
Adding Cert SN to request - 1
Added Cert SN to request
expand: %{User-Name} - anolson
rlm_eap_tls: checking certificate CN (anolson) with xlat'ed value (anolson)
chain-depth=0,
error=0
-- User-Name = anolson
-- BUF-Name = anolson
-- subject = /CN=anolson
-- issuer  = /C=US/ST=Virginia/L=Blacksburg/O=Virginia Tech
Communications Network Services/OU=Research and Development Remote
Access CA/DC=edu/DC=vt/DC=cns/serialNumber=3
-- verify return:1
TLS_accept: SSLv3 read client certificate A
  rlm_eap_tls:  TLS 1.0 Handshake [length 0106], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls:  TLS 1.0 Handshake [length 0086], CertificateVerify
TLS_accept: SSLv3 read certificate verify A
  rlm_eap_tls:  TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls:  TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
  rlm_eap_tls:  TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls:  TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
++[eap] returns handled
EAP-Message =
0x010900350d80002b140301000101160301002077887a2e41256c9e6b5b1af900d1da1b0cab25ba320348e52fe15c9a5ff56437
Message-Authenticator = 0x
State = 0x20bb0b6026b20687e24095e89d3b3f84
Finished request 7.
Going to the next request



Re: Certificate Properties.

2008-05-05 Thread Alan DeKok
Andrew Olson wrote:
 Here is the pertinent part of the trace output.  As you can see I am
 able to parse the Cert SN and put it back on the request.  However, my
 perl module never gets called in authenticate.  Is this because eap
 returns handled?  If not, is this a bug/feature?  Maybe someone can
 explain.

  It's returning handled from the authenticate section because it
hasn't sent an EAP Success yet.

  When it sends an EAP Success packet, it returns OK from the
authenticate section.

  You need to look at the certificate once the EAP module returns ok.

  Alan DeKok.


Re: Certificate Properties.

2008-05-05 Thread Andrew Olson
On Mon, May 5, 2008 at 10:40 AM, Alan DeKok [EMAIL PROTECTED] wrote:
 Andrew Olson wrote:
   Here is the pertinent part of the trace output.  As you can see I am
   able to parse the Cert SN and put it back on the request.  However, my
   perl module never gets called in authenticate.  Is this because eap
   returns handled?  If not, is this a bug/feature?  Maybe someone can
   explain.

   It's returning handled from the authenticate section because it
  hasn't sent an EAP Success yet.

   When it sends an EAP Success packet, it returns OK from the
  authenticate section.

   You need to look at the certificate once the EAP module returns ok.


You still haven't indicated why the perl module isn't running after
eap.  If I put it before eap in the config, the module runs.  After
eap, you can see from the trace that it doesn't run.

Thanks,
Andrew


Re: Certificate Properties.

2008-05-05 Thread Alan DeKok
Andrew Olson wrote:
 You still haven't indicated why the perl module isn't running after
 eap.  If I put it before eap in the config, the module runs.  After
 eap, you can see from the trace that it doesn't run.

  Yes.  The eap module returns handled, which means not authenticated
yet, send Access-Challenge.

 If you want your module to run only when the user is authenticated, you
need to run it when the eap module returns ok.

  Alan DeKok.


Re: Certificate Properties.

2008-05-02 Thread Andrew Olson
So, I managed to find the place where the certificate gets taken
apart.  I added some code to parse out the serialNumber and put it
back onto the request.  I'd like to be able to do some processing
later with Perl.  However, it appears that appears that my Perl module
isn't getting called where I want it to.

SSL Connection Established
  eaptls_process returned 13
++[eap] returns handled
EAP-Message =
0x010900350d80002b14030100010116030100202bb95c025a504e497064ffa66b4138307aa4cc22c4b46b5da74712ad8553ce74
Message-Authenticator = 0x
State = 0xbe08af5fb801a2c65b78155ec5f3f1cf
Finished request 7.

I would like to have my Perl authenticate method called after
eaptls_process is done.  I gather that since eap returns handled
that no more processing is done.  I'm pretty sure that I have Perl
configured correctly, since it gets called on other requests.  Am I
missing something?  If I ever get this working, I'll post the patch.

Thanks,
Andrew Olson


On Tue, Apr 29, 2008 at 3:50 AM, Alan DeKok [EMAIL PROTECTED] wrote:

 Andrew Olson wrote:
   Are there attributes available to get at properties of a certificate.
   I want to look at properties like Subject DN, Serial number, etc.
  
   So, somewhere in the FR config, I could do something like
   '%{cert-serial-number} == blah'.

   No.  As always, patches are welcome.

   Alan DeKok.



Re: Certificate Properties.

2008-05-02 Thread Alan DeKok
Andrew Olson wrote:
 I would like to have my Perl authenticate method called after
 eaptls_process is done.  I gather that since eap returns handled
 that no more processing is done.  I'm pretty sure that I have Perl
 configured correctly, since it gets called on other requests.  Am I
 missing something?  If I ever get this working, I'll post the patch.

  You should run the Perl module in the authenticate section, after
the EAP module is called.

  Alan DeKok.


Re: Certificate Properties.

2008-05-02 Thread Andrew Olson
On Fri, May 2, 2008 at 2:47 PM, Alan DeKok [EMAIL PROTECTED] wrote:
 Andrew Olson wrote:
   I would like to have my Perl authenticate method called after
   eaptls_process is done.  I gather that since eap returns handled
   that no more processing is done.  I'm pretty sure that I have Perl
   configured correctly, since it gets called on other requests.  Am I
   missing something?  If I ever get this working, I'll post the patch.

   You should run the Perl module in the authenticate section, after
  the EAP module is called.


This is what my authenticate section looks like.  Should it be different?

authenticate {
#  MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}

Auth-Type EAP {
eap
perl
}

}


Re: Certificate Properties.

2008-04-29 Thread Alan DeKok
Andrew Olson wrote:
 Are there attributes available to get at properties of a certificate.
 I want to look at properties like Subject DN, Serial number, etc.
 
 So, somewhere in the FR config, I could do something like
 '%{cert-serial-number} == blah'.

  No.  As always, patches are welcome.

  Alan DeKok.