TLS / certificate problem with freeradius

05/01/2013 - 02:53 by usenet-reply
Hi there,

is there anyone here who knows their way around freeradius and openssl
certificates?

Or could someone recommend another group, possibly an English-language
one?


My problem:


Background:

For the eisfair project (www.eisfair.org) I built a package with
freeradius for WLAN access authorization. In principle it works
fine, with user/password login but also with certificates.

For a few weeks now the current freeradius version 2.2.0 has been in
use. Without problems.

Over the turn of the year, several library packages in particular
(libssl, libltdl, ...) were updated in eisfair. Since installing
them I can no longer log in to the WLAN with certificates; user/password
still works.

I then also compiled freeradius on the machine with the new libs,
following a hint to that effect, for the first time with the following
commands:


| the following line has to be added to configure.in
| AC_CONFIG_MACRO_DIR([m4])

make clean
autoreconf --force --install
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=/usr/lib --with-system-libltdl --with-system-libtool
make
R=/data/my-develop-zone/freeradius-projekt/freeradius-2.2.0-package make install

(After that, as always on this system, an eisfair package was built
from it, and the files then of course all ended up in the right place
and no longer in this R=xx directory)




But my problem remains - see the (hopefully) suitably trimmed debug
output - with exactly these certificates and without any change to
freeradius, access no longer works. And of course the certificates
are all still valid.


(BTW, what is this client certificate B?)
(BTW2, are there any places in the radius debug output that I should
keep secret for security reasons? Anything from which the keys used
etc. could be inferred?)


Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.x.x port 2049, id=2, length1
User-Name = "User Name"
NAS-IP-Address = 192.168.x.x

# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "User Name", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry User Name at line 8
[files] expand: Hello, %{User-Name} -> Hello, User Name
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled

[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 2 to 192.168.x.x port 2049
Reply-Message = "Hello, User Name"
EAP-Message = 0x010200060d20
Message-Authenticator = 0x00000000000000000000000000xx
State = 0x7d1f9f227c1d92c8e39xxxxxxxxx
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.x.x port 2049, id=2, length"7

[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry User Name at line 8
[files] expand: Hello, %{User-Name} -> Hello, User Name
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 77
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0048], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 08bb], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 00b8], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 77
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0048], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 08bb], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 00b8], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 2 to 192.168.x.x port 2049
Reply-Message = "Hello, User Name"
EAP-Message = 0x010304000dc0000009b316030100310200002d030150e4ae0ed21d8
EAP-Message = 0x3017060355040313104d616e736b6520526164697573204341301e1
EAP-Message = 0xce7ab5f8c7edc84656371d677436108b21313e1ea308f55566b8684
EAP-Message = 0x25040c300a06082b06010505070301300d06092a864886f70d01010
EAP-Message = 0xb12f24c809d9d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7d1f9f227f1c92c8e3xxxxxx
Finished request 2.
Going to the next request

[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated

Sending Access-Challenge of id 2 to 192.168.x.x port 2049
Reply-Message = "Hello, User Name"
EAP-Message = 0x010404000dc0000009b3301
EAP-Message = 0x3130323136313231325a17:
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 2 to 192.168.x.x port 2049
Reply-Message = "Hello, User Name"
EAP-Message = 0x010404000dc0000009bxxxxxx
EAP-Message = 0xfdf4cec951566e50d17
EAP-Message = 0xca21c0f495c75a3a13d
EAP-Message = 0x01ff300d06092a86488
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7d1f9f227e1b92c8e39
Finished request 3.
Going to the next request

etc.



and here is where it seems to get interesting:



# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 03de], Certificate
[tls] chain-depth=1,
[tls] error=0
[tls] --> User-Name = User Name
[tls] --> BUF-Name = Radius CA
[tls] --> subject = /C=DE/ST=Somewhere/L=Somewhere/O=Manske EIS/OU=Radius_Managment/emailAddress=radius@xxxx
[tls] --> issuer = /C=DE/ST=Somewhere/L=Somewhere/O=Manske EIS/OU=Radius_Managment/emailAddress=radius@xxxx
[tls] --> verify return:1
[tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert write:fatal:decrypt error
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:04067084:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect (certificate signature failure): [User Name/<via Auth-Type = EAP>] (from client xxxx
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> User Name
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 2 seconds
Going to the next request
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 2 to 192.168.x.x port 2049






Ciao, Stephan

E-Mail: stephan@manske-net.de - WWW: http://stephan.manske-net.de/ //
PGP 2.6.3i \X/
Famous last words of the
tinkerer: That ought to hold.
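What the OpenSSL error in the debug output above literally tests, as an added example that is not part of the original post, of freeradius or of OpenSSL. RSA_EAY_PUBLIC_DECRYPT is the raw "public decrypt" step OpenSSL runs when it checks a signature; before any arithmetic it rejects the signature bytes if they are longer than the modulus or if their integer value is not below the modulus of the key it was handed, and the second rejection is reported as "data too large for modulus". The toy below models those two checks with textbook RSA; the primes, the two "CA" keys and the digests are all constructed, and the code runs without OpenSSL.

```python
"""Added example (not from the original post or from freeradius/OpenSSL):
model of the input checks behind "data too large for modulus".
Textbook RSA on constructed tiny primes; no padding, no real crypto."""
from typing import NamedTuple


class RsaKey(NamedTuple):
    n: int  # modulus
    e: int  # public exponent
    d: int  # private exponent (only needed for signing)


def make_key(p: int, q: int, e: int = 17) -> RsaKey:
    """Textbook RSA key from two constructed primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    return RsaKey(n, e, pow(e, -1, phi))


def mod_len(key: RsaKey) -> int:
    """Byte length of the modulus (what OpenSSL calls 'num')."""
    return (key.n.bit_length() + 7) // 8


def sign(key: RsaKey, digest: int) -> bytes:
    """Raw RSA signature over the integer 'digest', modulus-length bytes."""
    if not 0 <= digest < key.n:
        raise ValueError("digest out of range")
    return pow(digest, key.d, key.n).to_bytes(mod_len(key), "big")


def public_decrypt(key: RsaKey, sig: bytes) -> int:
    """Mirror of the two checks OpenSSL makes before computing s^e mod n."""
    if len(sig) > mod_len(key):
        raise ValueError("data greater than mod len")
    s = int.from_bytes(sig, "big")
    if s >= key.n:  # signature value must be below the verifying modulus
        raise ValueError("data too large for modulus")
    return pow(s, key.e, key.n)


def verify(key: RsaKey, digest: int, sig: bytes) -> str:
    """'ok', 'bad signature', or the OpenSSL-style input error text."""
    try:
        return "ok" if public_decrypt(key, sig) == digest else "bad signature"
    except ValueError as exc:
        return str(exc)


# Two constructed "CA keys" with moduli of the same byte length (2 bytes).
# SIGNING_CA stands for the CA that actually signed a client certificate,
# OTHER_CA for a different CA certificate a verifier might have loaded.
SIGNING_CA = make_key(61, 53)  # n = 3233
OTHER_CA = make_key(47, 59)    # n = 2773


def find_digest(predicate) -> int:
    """First digest whose SIGNING_CA signature value satisfies 'predicate'."""
    return next(m for m in range(2, SIGNING_CA.n)
                if predicate(int.from_bytes(sign(SIGNING_CA, m), "big")))


def demo() -> dict:
    """Check the same signature with the right key and with the wrong key."""
    # A signature whose value happens to exceed OTHER_CA's modulus ...
    big = find_digest(lambda s: s >= OTHER_CA.n)
    # ... and one that does not, so the wrong key fails in the other way.
    small = find_digest(lambda s: s < OTHER_CA.n)
    return {
        "right_key": verify(SIGNING_CA, big, sign(SIGNING_CA, big)),
        "wrong_key_big_sig": verify(OTHER_CA, big, sign(SIGNING_CA, big)),
        "wrong_key_small_sig": verify(OTHER_CA, small, sign(SIGNING_CA, small)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22s} {result}")
```

The point for reading such a log: the message says nothing about validity dates, it says the signature bytes were checked against a modulus that is too small for them, so it concerns the key the verifier used and the signature itself. In the posted output the failing step is the client certificate chain check ("read client certificate B"), so the keys in play are those in the CA certificate(s) freeradius loaded and the signature on the client certificate; the toy does not say which of them is off in any particular installation. Against real files the analogous check is `openssl verify -CAfile <ca_file from eap.conf> client.pem`, and comparing `openssl x509 -noout -modulus -in cert.pem` with `openssl rsa -noout -modulus -in key.pem` shows whether a certificate and a private key belong together.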
 


#1 usenet-reply
20/01/2013 - 03:26
/me wrote:

> is there anyone here who knows their way around freeradius and openssl
> certificates?
>
> Or could someone recommend another group, possibly an English-language
> one?



Since unfortunately nobody could help: any idea where else I could
ask?



Ciao, Stephan

E-Mail: - WWW: http://stephan.manske-net.de/ //
PGP 2.6.3i \X/
Famous last words of the
chemist: Does this need to get warm?
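On the second side question in the original post (what in a radiusd -X transcript to hold back before publishing it), an added example that is not part of the post or of freeradius: a small scrubber for such a transcript. The policy it applies is an assumption chosen on the conservative side: keep the structural lines that make the log useful for debugging, mask identities (the user name wherever the server echoes it, IPv4 addresses, e-mail addresses and the O/OU/CN parts of certificate DNs) and blank the hex payloads of State, Message-Authenticator and EAP-Message. The sample transcript is constructed to resemble the lines in the post.

```python
"""Added example (not from the original post or from freeradius):
scrub a radiusd -X transcript before posting it. The masking policy
below is an assumption; the SAMPLE transcript is constructed."""
import re

HEX_ATTRS = ("State", "Message-Authenticator", "EAP-Message")

# Static rules: (pattern, replacement), applied in order to every line.
RULES = [
    # "\tState = 0x7d1f..."  ->  "\tState = 0x<masked>"
    (re.compile(r"^(\s*(?:%s) = )0x[0-9a-fA-F]+"
                % "|".join(map(re.escape, HEX_ATTRS))), r"\g<1>0x<masked>"),
    # Quoted User-Name attribute values.
    (re.compile(r'(User-Name = )"[^"]*"'), r'\1"<user>"'),
    # IPv4 addresses (NAS, client and proxy hosts).
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "<ip>"),
    # E-mail addresses, including emailAddress= inside certificate DNs.
    (re.compile(r"[\w.+-]+@[\w.-]+"), "<email>"),
    # Identifying DN components; C/ST/L are left in place.
    (re.compile(r"/(O|OU|CN)=[^/]+"), r"/\1=<masked>"),
]

USER_RE = re.compile(r'User-Name = "([^"]*)"')


def find_users(lines):
    """Collect user names from quoted User-Name attributes."""
    return {m.group(1) for line in lines
            for m in USER_RE.finditer(line) if m.group(1)}


def redact(lines):
    """Return the scrubbed transcript as a list of lines."""
    # Longest names first so a name containing another is masked whole.
    user_res = [re.compile(r"(?<!\w)%s(?!\w)" % re.escape(u))
                for u in sorted(find_users(lines), key=len, reverse=True)]
    out = []
    for line in lines:
        for pattern, repl in RULES:
            line = pattern.sub(repl, line)
        # The server echoes the name unquoted too: expand: lines,
        # Reply-Message, "Matched entry", "--> User-Name", "Login incorrect".
        for pattern in user_res:
            line = pattern.sub("<user>", line)
        out.append(line)
    return out


# Constructed sample in the style of the post's radiusd -X output.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.168.1.10 port 2049, id=2, length=131
\tUser-Name = "User Name"
\tNAS-IP-Address = 192.168.1.10
[files] expand: Hello, %{User-Name} -> Hello, User Name
Sending Access-Challenge of id 2 to 192.168.1.10 port 2049
\tReply-Message = "Hello, User Name"
\tEAP-Message = 0x010200060d20
\tMessage-Authenticator = 0x00000000000000000000000000000000
\tState = 0x7d1f9f227c1d92c8e39a
[tls] --> User-Name = User Name
[tls] --> subject = /C=DE/ST=Somewhere/O=Manske EIS/OU=Radius_Managment/emailAddress=radius@example.org
Login incorrect (certificate signature failure): [User Name/<via Auth-Type = EAP>] (from client ap1 port 0)
""".splitlines()


if __name__ == "__main__":
    print("\n".join(redact(SAMPLE)))
```

What the debug output does not contain is the server's private key or any TLS session key, so the certificate bytes inside EAP-Message are the public server certificate the client sees anyway; masking them costs little and keeps the DN and e-mail out of the post. State is an opaque per-conversation handle and Message-Authenticator an HMAC keyed with the RADIUS shared secret, which is why both are blanked rather than published together with the packets they cover.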
