Issue #963
Updated by Tobias Brunner over 10 years ago
I am trying to integrate strongSwan xauth-eap/eap-ttls with FreeRADIUS.
strongSwan is configured with *rightauth2=xauth-eap*.
*Logs from strongSwan:*
<pre>
May 21 09:22:01 localhost charon: 15[CFG] sending RADIUS Access-Request to server 'server-a'
May 21 09:22:01 localhost charon: 15[CFG] received RADIUS Access-Challenge from server 'server-a'
May 21 09:22:01 localhost charon: 15[TLS] EAP_TTLS version is v0
May 21 09:22:01 localhost charon: 15[CFG] sending RADIUS Access-Request to server 'server-a'
May 21 09:22:01 localhost charon: 15[CFG] received RADIUS Access-Challenge from server 'server-a'
May 21 09:22:01 localhost charon: 15[TLS] negotiated TLS 1.0 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
May 21 09:22:01 localhost charon: 15[CFG] sending RADIUS Access-Request to server 'server-a'
May 21 09:22:01 localhost charon: 15[CFG] received RADIUS Access-Challenge from server 'server-a'
May 21 09:22:01 localhost charon: 15[TLS] server *server certificate does not match to 'moon.int.XX.au' 'moon.int.XX.au*'
May 21 09:22:01 localhost charon: 15[TLS] sending fatal TLS alert 'access denied'
May 21 09:22:01 localhost charon: 15[CFG] sending RADIUS Access-Request to server 'server-a'
May 21 09:22:02 localhost charon: 15[CFG] received RADIUS Access-Reject from server 'server-a'
May 21 09:22:02 localhost charon: 15[IKE] RADIUS authentication of 'xx.xx' failed
May 21 09:22:02 localhost charon: 15[IKE] XAuth authentication of 'xx.xx' failed
May 21 09:22:02 localhost charon: 15[ENC] generating TRANSACTION request 723118549 [ HASH CPS(X_STATUS) ]
May 21 09:22:02 localhost charon: 15[NET] sending packet: from 55.55.55.55[500] to 10.8.0.41[500] (76 bytes)
May 21 09:22:02 localhost charon: 16[NET] received packet: from 10.8.0.41[500] to 55.55.55.55[500] (92 bytes)
May 21 09:22:02 localhost charon: 16[ENC] parsed TRANSACTION response 723118549 [ HASH CPA(X_STATUS) ]
May 21 09:22:02 localhost charon: 16[IKE] destroying IKE_SA after failed XAuth authentication
</pre>
*Logs from FreeRADIUS:*
<pre>
Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 7
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] *[ttls] <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation operation*
[ttls] eaptls_process returned 4
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect (TLS Alert read:fatal:access denied): [xx.xx/<via Auth-Type = EAP>] (from client localhost port 2 cli 10.8.0.41[500])
Using Post-Auth-Type Reject
Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> xx.xx
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 45 to 127.0.0.1 port 49366
EAP-Message = 0x04030004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 42 with timestamp +6
Cleaning up request 1 ID 43 with timestamp +6
Cleaning up request 2 ID 44 with timestamp +6
Waking up in 0.9 seconds.
Cleaning up request 3 ID 45 with timestamp +6
Ready to process requests.
</pre>
I was thinking that the problem was on the FR side and I even posted to the FR mailing list: http://freeradius.1045715.n5.nabble.com/ttls-lt-lt-lt-Unknown-TLS-version-length-0002-td5734046.html They claim that this is some OpenSSL issue. I use OpenSSL 1.0.1f. It is worth mentioning that both FR and strongSwan are installed and were compiled on the same machine. I also tried to set *aaa_identity* equal to the value from the subject name of the cert used by FR.
Can you provide some clue?
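The strongSwan log line "server certificate does not match to 'moon.int.XX.au'" is the EAP-TTLS client side rejecting the server certificate because the identity it expects is not among the names the certificate carries, and the TLS alert 'access denied' that FreeRADIUS then reports is the consequence, not the cause. The first thing to check is therefore which names the FreeRADIUS server certificate actually presents (subject CN and subjectAltName DNS entries) and whether the expected identity is literally one of them. The shell script below is an added example written for this issue; it is not code from the original post, strongSwan or FreeRADIUS. It uses the openssl CLI to list those names from a PEM certificate and does an exact, case-sensitive string compare against an expected identity (it does not reproduce strongSwan's own identity matching rules). The self-signed certificate it generates and the names radius.example.org and aaa.example.org are constructed for the demonstration; to check a real deployment, point `cert_identities` and `identity_matches` at the certificate configured in FreeRADIUS's eap module.

```shell
#!/bin/sh
# Added example (not code from this issue, strongSwan or FreeRADIUS).
# Lists the identities a TLS server certificate presents and checks whether
# the identity an EAP-TTLS client expects, such as the 'moon.int.XX.au' in
# the strongSwan log above, is among them. Matching is an exact,
# case-sensitive string compare; strongSwan's own identity matching rules
# are not reproduced here.
set -eu

# cert_identities FILE
# Print the subject CN and every subjectAltName DNS entry, one per line.
cert_identities() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -n 's/^ *DNS:\([^ ]*\).*$/\1/p'
}

# identity_matches FILE EXPECTED
# Succeed only if EXPECTED is exactly one of the certificate's identities.
identity_matches() {
    cert_identities "$1" | grep -qxF -- "$2"
}

# make_demo_cert CERT KEY
# Self-signed throw-away certificate; the names are constructed for the demo
# and stand in for whatever the FreeRADIUS server certificate really carries.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$2" -out "$1" \
        -subj "/CN=radius.example.org" \
        -addext "subjectAltName=DNS:radius.example.org,DNS:aaa.example.org" \
        >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_demo_cert "$demo_dir/cert.pem" "$demo_dir/key.pem"

echo "identities in $demo_dir/cert.pem:"
cert_identities "$demo_dir/cert.pem"
# moon.int.XX.au is the identity from the strongSwan log; it is not in the
# demo certificate, so the second line shows what the failing case looks like.
for id in radius.example.org moon.int.XX.au; do
    if identity_matches "$demo_dir/cert.pem" "$id"; then
        echo "$id: present in certificate"
    else
        echo "$id: NOT present in certificate"
    fi
done
```

If the identity strongSwan reports in its log is not printed by `cert_identities` for the certificate FreeRADIUS serves, either that certificate needs a matching subjectAltName (or CN) or the identity strongSwan checks against has to be changed to one of the names the certificate already has; setting *aaa_identity* to a value that is not one of those names does not help.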