Discussion:
EAP-TLS failure
Stephen
2018-10-17 22:30:05 UTC
Hi all- trying to understand a particular failure/error. I've been using
dd-wrt, freeradius and strongswan together for almost a year (mostly)
without issue. Freeradius provides my eap-tls functionality passed
either through the wifi router (dd-wrt) or VPN (strongswan). Recently my
macbook was upgraded to MacOS Mojave and I appear to no longer auth to
wireless with the same cert. The cert still works for strongswan auth.

Below are my logs for either scenario:

[dd-wrt client auth failure]

(993) eap: Expiring EAP session with state 0xaa3880f3ad308d40
(993) eap: Finished EAP session with state 0xaa3880f3ad308d40
(993) eap: Previous EAP request found for state 0xaa3880f3ad308d40, released from the list
(993) eap: Peer sent packet with method EAP TLS (13)
(993) eap: Calling submodule eap_tls to process data
(993) eap_tls: Continuing EAP-TLS
(993) eap_tls: Peer indicated complete TLS record size will be 7 bytes
(993) eap_tls: Got complete TLS record (7 bytes)
(993) eap_tls: [eaptls verify] = length included
(993) eap_tls: <<< recv TLS 1.2  [length 0002]
(993) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A
(993) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:140350E5:SSL routines:ACCEPT_SR_CERT:ssl handshake failure
(993) eap_tls: ERROR: System call (I/O) error (-1)
(993) eap_tls: ERROR: TLS receive handshake failed during operation
(993) eap_tls: ERROR: [eaptls process] = fail
(993) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
(993) eap: Sending EAP Failure (code 4) ID 8 length 4
(993) eap: Failed in EAP select
---

[strongswan client auth success]

(2171) eap: Expiring EAP session with state 0x92fe72999ff07f67
(2171) eap: Finished EAP session with state 0x92fe72999ff07f67
(2171) eap: Previous EAP request found for state 0x92fe72999ff07f67, released from the list
(2171) eap: Peer sent packet with method EAP TLS (13)
(2171) eap: Calling submodule eap_tls to process data
(2171) eap_tls: Continuing EAP-TLS
(2171) eap_tls: Got final TLS record fragment (272 bytes)
(2171) eap_tls: [eaptls verify] = ok
(2171) eap_tls: Done initial handshake
(2171) eap_tls: <<< recv TLS 1.2  [length 1458]
(2171) eap_tls: TLS - Creating attributes from certificate OIDs
(2171) eap_tls:   TLS-Cert-Serial := "<omitted>"
(2171) eap_tls:   TLS-Cert-Expiration := "<omitted>"
(2171) eap_tls:   TLS-Cert-Subject := "/C=ZL/ST=Null/L=Nowhere/O=Nulllabs/OU=Root CA/CN=server.mgmt/emailAddress=***@services.mgmt"
(2171) eap_tls:   TLS-Cert-Issuer := "/C=ZL/ST=Null/L=Nowhere/O=Nulllabs/OU=Root CA/CN=server.mgmt/emailAddress=***@services.mgmt"
(2171) eap_tls:   TLS-Cert-Common-Name := "server.mgmt"
(2171) eap_tls: TLS - Creating attributes from certificate OIDs
(2171) eap_tls:   TLS-Client-Cert-Serial := "<omitted>"
(2171) eap_tls:   TLS-Client-Cert-Expiration := "<omitted>"
(2171) eap_tls:   TLS-Client-Cert-Subject := "/C=ZL/ST=Zero/L=Nowhere/O=Nulllabs/O=Endpoint/OU=Nulllabs-Endpoints/CN=mbp.home/emailAddress=***@services.mgmt"
(2171) eap_tls:   TLS-Client-Cert-Issuer := "/C=ZL/ST=Null/L=Nowhere/O=Nulllabs/OU=Root CA/CN=server.mgmt/emailAddress=***@services.mgmt"
(2171) eap_tls:   TLS-Client-Cert-Common-Name := "mbp.home"
(2171) eap_tls:   TLS-Client-Cert-X509v3-Authority-Key-Identifier += "<omitted>"
(2171) eap_tls:   TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(2171) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, IPSec User, IPSec End System, E-mail Protection, Code Signing"
(2171) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
(2171) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.7"
(2171) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.5"
(2171) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.4"
(2171) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.3"
(2171) eap_tls: TLS_accept: SSLv3 read client certificate A

What I should be seeing is the following:

[dd-wrt client success]

(1015) eap: Expiring EAP session with state 0xbd2980f9b0278d8b
(1015) eap: Finished EAP session with state 0xbd2980f9b0278d8b
(1015) eap: Previous EAP request found for state 0xbd2980f9b0278d8b, released from the list
(1015) eap: Peer sent packet with method EAP TLS (13)
(1015) eap: Calling submodule eap_tls to process data
(1015) eap_tls: Continuing EAP-TLS
(1015) eap_tls: Peer ACKed our handshake fragment.  handshake is finished
(1015) eap_tls: [eaptls verify] = success
(1015) eap_tls: [eaptls process] = success
(1015) eap: Sending EAP Success (code 3) ID 14 length 4
(1015) eap: Freeing handler

This was shown by another dd-wrt client on the same setup (High Sierra).

Anyone else seeing similar issues with MacOS Mojave? Am I missing an
extended key usage parameter or am I doing something else wrong?

Thanks in advance.

-
List info/subscribe/unsubscribe? See http://
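A triage helper for debug output like the three excerpts above, added here as an example and not part of the original post or of FreeRADIUS itself. It groups `radiusd -X` lines by request number, records the inbound TLS record lengths and the OpenSSL error state, and classifies each EAP-TLS session. The useful signal in the failing session is the 7-byte inbound record shown as `[length 0002]`: a TLS record whose payload is exactly 2 bytes is an alert (level + description), so the client sent an alert instead of its certificate while the server was waiting in "read client certificate A". That is the client refusing to continue after seeing the server's certificate, which matches the causes the thread discusses (a server certificate the client will not accept, or the wrong root CA trusted on the client). The sample log is constructed from the lines quoted in the post, with the wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the debug excerpts in the post
# (a failing Mojave client, a strongSwan client mid-handshake, a High Sierra success).
SAMPLE_LOG = """\
(993) eap: Peer sent packet with method EAP TLS (13)
(993) eap_tls: Continuing EAP-TLS
(993) eap_tls: Peer indicated complete TLS record size will be 7 bytes
(993) eap_tls: Got complete TLS record (7 bytes)
(993) eap_tls: <<< recv TLS 1.2  [length 0002]
(993) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A
(993) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:140350E5:SSL routines:ACCEPT_SR_CERT:ssl handshake failure
(993) eap_tls: ERROR: [eaptls process] = fail
(993) eap: Sending EAP Failure (code 4) ID 8 length 4
(2171) eap_tls: <<< recv TLS 1.2  [length 1458]
(2171) eap_tls:   TLS-Client-Cert-Common-Name := "mbp.home"
(2171) eap_tls:   TLS-Client-Cert-Issuer := "/C=ZL/ST=Null/L=Nowhere/O=Nulllabs/OU=Root CA/CN=server.mgmt/emailAddress=***@services.mgmt"
(2171) eap_tls: TLS_accept: SSLv3 read client certificate A
(1015) eap_tls: Peer ACKed our handshake fragment.  handshake is finished
(1015) eap: Sending EAP Success (code 3) ID 14 length 4
"""

LINE_RE = re.compile(r'^\((\d+)\)\s+(\S+):\s+(.*)$')            # "(id) module: message"
RECV_RE = re.compile(r'<<< recv TLS [\d.]+\s+\[length ([0-9a-f]{4})\]')
ATTR_RE = re.compile(r'^(TLS-[\w-]+)\s+[:+]=\s+"(.*)"$')         # TLS-* attributes from cert OIDs
OSSL_RE = re.compile(r'error:[0-9A-Fa-f]+:SSL routines:([^:]+):(.*)$')
STAGE_RE = re.compile(r'Failed in SSLv3 (.*)$')

def parse_sessions(log_text):
    """Group debug lines by request id and pull out the facts needed for triage."""
    sessions = defaultdict(lambda: {
        "records": [],   # payload lengths of inbound TLS records, in order
        "errors": [],    # raw ERROR: lines
        "attrs": {},     # TLS-Cert-* / TLS-Client-Cert-* attributes seen
        "ossl": None,    # (OpenSSL state, reason) from the first SSL routines error
        "stage": None,   # handshake stage named in "Failed in SSLv3 ..."
        "result": None,  # "success" / "failure" once EAP Success/Failure is sent
    })
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        rid, _module, msg = m.groups()
        s = sessions[rid]
        r = RECV_RE.search(msg)
        if r:
            s["records"].append(int(r.group(1), 16))
        a = ATTR_RE.match(msg)
        if a:
            s["attrs"][a.group(1)] = a.group(2)
        if msg.startswith("ERROR:"):
            s["errors"].append(msg)
            o = OSSL_RE.search(msg)
            if o and s["ossl"] is None:
                s["ossl"] = (o.group(1), o.group(2))
            st = STAGE_RE.search(msg)
            if st:
                s["stage"] = st.group(1)
        if "Sending EAP Success" in msg:
            s["result"] = "success"
        elif "Sending EAP Failure" in msg:
            s["result"] = "failure"
    return dict(sessions)

def classify(session):
    """Return the outcome and, for failures, where the evidence points."""
    if session["result"] == "success":
        return {"outcome": "success", "hint": None, "openssl_state": None}
    if session["result"] != "failure":
        return {"outcome": "in-progress", "hint": None, "openssl_state": None}
    state = session["ossl"][0] if session["ossl"] else None
    stage = session["stage"] or "unknown stage"
    # A 2-byte TLS record payload is an alert: the peer aborted instead of answering.
    got_alert = 2 in session["records"]
    if got_alert and "read client certificate" in stage:
        hint = ("client sent a TLS alert instead of its certificate, i.e. it rejected "
                "the server certificate it had just received: check the CA/server "
                "certificate trusted by the client's 802.1X profile")
    elif got_alert:
        hint = "client aborted the handshake with an alert during: " + stage
    else:
        reason = session["ossl"][1] if session["ossl"] else "no SSL routines error logged"
        hint = "server-side TLS failure during " + stage + ": " + reason
    return {"outcome": "failure", "hint": hint, "openssl_state": state}

if __name__ == "__main__":
    for rid, sess in parse_sessions(SAMPLE_LOG).items():
        print(rid, classify(sess))
```

Run it against a saved `radiusd -X` capture by reading the file into `parse_sessions`; the `attrs` dictionary also lets you compare the `TLS-Client-Cert-Issuer` of a working client against the CA the failing client has been told to trust.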
Adam Bishop
2018-10-17 23:43:56 UTC
Post by Stephen
wireless with the same cert. The cert still works for strongswan auth.
A few people have been finding this since upgrading to Mojave.

You'll probably find that you're:

* Running a very old version of FreeRADIUS?
* Running a very old version of OpenSSL?
* Using EAP certificates with sha1 hashes/512 bit RSA/DSA, or other obsolete crypto?

The solution is to upgrade the obsolete component.

Adam Bishop

gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.


Stephen
2018-10-17 23:58:51 UTC
Wonderful suggestions, and thanks for the context.

My certs are 8192 bit (sha512WithRSAEncryption) generated with LibreSSL
2.6.5, and my freeradius version is:

radiusd: FreeRADIUS Version 3.0.18 (git #4b32b05a14), for host
x86_64-unknown-linux-gnu, built on Oct  2 2018 at 22:28:12
FreeRADIUS Version 3.0.18 ....

I'll certainly try upgrading freeradius. Any advice on the crypto setup?

Thanks!
Stephen
2018-10-18 10:09:06 UTC
Solved. I missed a hidden tab in "Apple Configurator 2" setting up my
.mobileconfig profiles (Wifi->Trust). I had been using the wrong trusted
cert for the MacOS 802.1X setting.

Oops. :)

Thanks Adam, and hope this helps someone else!
Alan Buxey
2018-10-18 15:20:06 UTC
Yes, as you are on the latest 3.0.18 there's no real upgrade, and the likely
things that could cause that error would be an old OpenSSL version on the
server or the client using the wrong root CA :)

alan