OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • International Forums »
  • German - Deutsch »
  • Radius-Problem seit Update
« previous next »
  • Print
Pages: 1 2 [3]

Author Topic: Radius-Problem seit Update  (Read 6059 times)

mimugmail

  • Hero Member
  • *****
  • Posts: 6766
  • Karma: 494
    • View Profile
Re: Radius-Problem seit Update
« Reply #30 on: November 26, 2022, 08:39:37 am »
Danke dir, bin gespannt :)
Logged
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

hgkdd

  • Newbie
  • *
  • Posts: 24
  • Karma: 0
    • View Profile
Re: Radius-Problem seit Update
« Reply #31 on: November 26, 2022, 10:16:51 am »
Quote from: mimugmail on November 25, 2022, 11:51:34 pm
Quote from: hgkdd on November 25, 2022, 07:06:09 pm
Keine Ahnung ob es hilft: ich hatte nach dem Übergang von 22.7.6 auf 22.7.7 Anmeldeprobleme im WLAN mit WPA-EAP und freeradius-server auf der OPNsense. Aufgetreten ist das bei mir nur mit iOS und iPadOS (jeweils aktuelle Version). MacOS devices hatten keine Probleme. Geholfen hat bei mir "Netzwerk ignorieren" und dann neu anmelden. Seeehr merkwürdig....

Mit Update auf 22.7.8 warte ich noch...

Ein Test wäre aber schön, revert zurück geht ja immer :)

OK. Habe gerade auf 22.7.8 geupdated. Reboot wurde nicht durchgeführt (nicht automatisch und auch nicht von mir). Verbindung geht bislang. Auch keine weiteren Auffälligkeiten bisher...
Logged
NRG Systems IPU675, Intel Core i7-7500U 2,7 GHz, 6xIntel i211AT Gigabit LAN, 16 GB RAM, 256 GB SSD

iamhermes

  • Newbie
  • *
  • Posts: 18
  • Karma: 0
    • View Profile
Re: Radius-Problem seit Update
« Reply #32 on: November 27, 2022, 08:31:31 pm »
Heute die nächste Kuriosität.
Wie gesagt das Update auf die 22.7.8 ohne reboot durchgeführt.
Die WPA2-Enterprise Authentifizierung lief bisher ohne Probleme.

Heute einen komplett Reboot durchgeführt da sich irgendwie die Qualität des Routings abnahm (DSL-Modem + APU2)

Nach dem Reboot der APU konnte sich mein Win11 Rechner nicht mehr anmelden und wollte prompt neue Zugangsdaten zum WiFi
Hier half jetzt nur Check TLS Common-Name zu deaktivieren, da ich beim Win11 keine Möglichkeit der Eingabe der Identität habe nebst Angabe des Userzertifikates

Zu den Hintergründen beim Win11 Rechner:
Dieser bietet sobald man sich am WLAN Anmelden will nur noch die Möglichkeit Benutzername+Passwort ODER Zertifikat. Weitere Auswahlmöglichkeiten werden mir hier nicht angeboten. Auch das manuelle hinzufügen meines WPA2-Enterprise WiFi half nicht weiter. Ich habe noch in erinnerung dass man eine Identität angeben konnte zum Zertifikat.

Gegenprobe auf dem Pixel7 Gerät. WiFi gelöscht und neu angelegt. CA Zertifikat bei erster Verbindung vertrauen, Nutzerzertifikat ausgewählt. KEINE Identität angegeben --> kein Connect möglich. Irgendetwas da reingeschrieben --> connect möglich.

Irgendetwas hat sich beim Reboot vom Freeradius aufgeräumt. Aber alles in sich doch irgendwie sehr kurios. Ein Debug Log habe ich gemacht von der fehlgeschlagenen Win11 Anmeldung und liegt vor. Nur ob das so viel bringt weiß ich nicht

Vielleicht kann ja jemand etwas zu diesem DEBUG Mitschnitt sagen

Code: [Select]
radiusd: FreeRADIUS Version 3.2.1, for host amd64-portbld-freebsd13.1, built on Nov 16 2022 at 05:04:28

(7) Received Access-Request Id 149 from 192.168.200.253:48409 to 192.168.200.1:1812 length 243
(7)   User-Name = "MeinLaptop"
(7)   NAS-IP-Address = 192.168.200.253
(7)   NAS-Identifier = "22e829aabbcc"
(7)   Called-Station-Id = "22-E8-29-AA-BB-CC:MeinHochSensiblesWLAN"
(7)   NAS-Port-Type = Wireless-802.11
(7)   Service-Type = Framed-User
(7)   Calling-Station-Id = "B4-B5-B6-AA-BB-CC"
(7)   Connect-Info = "CONNECT 0Mbps 802.11b"
(7)   Acct-Session-Id = "9FD343CD4B259C46"
(7)   Acct-Multi-Session-Id = "1C44C5FF48582DF8"
(7)   WLAN-Pairwise-Cipher = 1027076
(7)   WLAN-Group-Cipher = 1027076
(7)   WLAN-AKM-Suite = 1027073
(7)   Framed-MTU = 1400
(7)   EAP-Message = 0x02d000060d00
(7)   State = 0x39366d1f3ce6604cbeba10a4ec638971
(7)   Message-Authenticator = 0x3a2ad747a8c49b57d6d5e632f80024d1
(7) Restoring &session-state
(7)   &session-state:Framed-MTU = 994
(7)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(7)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(7)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(7)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(7)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(7)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(7)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate"
(7)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(7)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify"
(7)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(7)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(7)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(7)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7)   &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(7)   authorize {
(7)     policy filter_username {
(7)       if (&User-Name) {
(7)       if (&User-Name)  -> TRUE
(7)       if (&User-Name)  {
(7)         if (&User-Name =~ / /) {
(7)         if (&User-Name =~ / /)  -> FALSE
(7)         if (&User-Name =~ /@[^@]*@/ ) {
(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)         if (&User-Name =~ /\.\./ ) {
(7)         if (&User-Name =~ /\.\./ )  -> FALSE
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)         if (&User-Name =~ /\.$/)  {
(7)         if (&User-Name =~ /\.$/)   -> FALSE
(7)         if (&User-Name =~ /@\./)  {
(7)         if (&User-Name =~ /@\./)   -> FALSE
(7)       } # if (&User-Name)  = notfound
(7)     } # policy filter_username = notfound
(7)     [preprocess] = ok
(7)     [chap] = noop
(7)     [mschap] = noop
(7)     [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "MeinLaptop", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)     [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 208 length 6
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7)     [eap] = updated
(7)     [files] = noop
(7)     [expiration] = noop
(7)     [logintime] = noop
(7)     [pap] = noop
(7)   } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(7)   authenticate {
(7) eap: Expiring EAP session with state 0x39366d1f3ce6604c
(7) eap: Finished EAP session with state 0x39366d1f3ce6604c
(7) eap: Previous EAP request found for state 0x39366d1f3ce6604c, released from the list
(7) eap: Peer sent packet with method EAP TLS (13)
(7) eap: Calling submodule eap_tls to process data
(7) eap_tls: (TLS) Peer ACKed our handshake fragment.  handshake is finished
(7) eap_tls: Validating certificate
(7) Virtual server check-eap-tls received request
(7)   User-Name = "MeinLaptop"
(7)   NAS-IP-Address = 192.168.200.253
(7)   NAS-Identifier = "22e829aabbcc"
(7)   Called-Station-Id = "22-E8-29-AA-BB-CC:MeinHochSensiblesWLAN"
(7)   NAS-Port-Type = Wireless-802.11
(7)   Service-Type = Framed-User
(7)   Calling-Station-Id = "B4-B5-B6-AA-BB-CC"
(7)   Connect-Info = "CONNECT 0Mbps 802.11b"
(7)   Acct-Session-Id = "9FD343CD4B259C46"
(7)   Acct-Multi-Session-Id = "1C44C5FF48582DF8"
(7)   WLAN-Pairwise-Cipher = 1027076
(7)   WLAN-Group-Cipher = 1027076
(7)   WLAN-AKM-Suite = 1027073
(7)   Framed-MTU = 1400
(7)   EAP-Message = 0x02d000060d00
(7)   State = 0x39366d1f3ce6604cbeba10a4ec638971
(7)   Message-Authenticator = 0x3a2ad747a8c49b57d6d5e632f80024d1
(7)   Event-Timestamp = "Nov 27 2022 19:46:24 CET"
(7)   EAP-Type = TLS
(7)   TLS-Client-Cert-Serial := "00"
(7)   TLS-Client-Cert-Expiration := "270523225140Z"
(7)   TLS-Client-Cert-Valid-Since := "170525225140Z"
(7)   TLS-Client-Cert-Subject := "/C=DE/ST=Germany/L=City in Germany/O=HomeNetwork/emailAddress=nobody@not.me/CN=bahnhof"
(7)   TLS-Client-Cert-Issuer := "/C=DE/ST=Germany/L=City in Germany/O=HomeNetwork/emailAddress=nobody@not.me/CN=bahnhof"
(7)   TLS-Client-Cert-Common-Name := "bahnhof"
(7)   TLS-Client-Cert-X509v3-Subject-Key-Identifier += "B0:6D:DF:7C:FC:F2:37:78:5E:34:95:04:5F:69:97:3A:02:05:F8:07"
(7)   TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:B0:6D:DF:7C:FC:F2:37:78:5E:34:95:04:5F:69:97:3A:02:05:F8:07\n"
(7)   TLS-Client-Cert-X509v3-Basic-Constraints += "CA:TRUE"
(7)   TLS-Client-Cert-Serial := "0e"
(7)   TLS-Client-Cert-Expiration := "250409121646Z"
(7)   TLS-Client-Cert-Valid-Since := "220410121646Z"
(7)   TLS-Client-Cert-Subject := "/C=DE/ST=Germany/L=City in Germany/O=HomeNetwork/emailAddress=nobody@not.me/CN=MeinLaptop"
(7)   TLS-Client-Cert-Issuer := "/C=DE/ST=Germany/L=City in Germany/O=HomeNetwork/emailAddress=nobody@not.me/CN=bahnhof"
(7)   TLS-Client-Cert-Common-Name := "MeinLaptop"
(7)   TLS-Client-Cert-Subject-Alt-Name-Dns := "publicDNS.spdns.de"
(7)   TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(7)   TLS-Client-Cert-X509v3-Subject-Key-Identifier += "24:3A:6B:31:46:9A:6A:9B:48:D2:D3:75:9F:88:74:65:C3:ED:4A:D1"
(7)   TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:B0:6D:DF:7C:FC:F2:37:78:5E:34:95:04:5F:69:97:3A:02:05:F8:07\nDirName:/C=DE/ST=Germany/L=City in Germany/O=HomeNetwork/emailAddress=nobody@not.me/CN=bahnhof\nserial:00\n"
(7)   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(7)   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
(7) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(7) server check-eap-tls {
(7)   session-state: No cached attributes
(7)   # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/check-eap-tls
(7)     authorize {
(7)       update config {
(7)         &Auth-Type := Accept
(7)       } # update config = noop
(7)       if (&User-Name == &TLS-Client-Cert-Common-Name || &User-Name == "host/%{TLS-Client-Cert-Common-Name}") {
(7)       EXPAND host/%{TLS-Client-Cert-Common-Name}
(7)          --> host/bahnhof
(7)       if (&User-Name == &TLS-Client-Cert-Common-Name || &User-Name == "host/%{TLS-Client-Cert-Common-Name}")  -> FALSE
(7)       else {
(7)         update config {
(7)           &Auth-Type := Reject
(7)         } # update config = noop
(7)       } # else = noop
(7)       [files] = noop
(7)       [expiration] = noop
(7)       [logintime] = noop
(7)     } # authorize = noop
(7)   Found Auth-Type = Reject
(7)   Auth-Type = Reject, rejecting user
(7)   Failed to authenticate the user
(7)   Using Post-Auth-Type Reject
(7)   Post-Auth-Type sub-section not found.  Ignoring.
(7)   Login incorrect: [MeinLaptop/<via Auth-Type = Reject>] (from client WiFi-AP port 0 cli B4-B5-B6-AA-BB-CC via TLS tunnel)
(7) } # server check-eap-tls
(7) Virtual server sending reply
(7) eap_tls: Certificate rejected by the virtual server
(7) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
(7) eap: Sending EAP Failure (code 4) ID 208 length 4
(7) eap: Failed in EAP select
(7)     [eap] = invalid
(7)   } # authenticate = invalid
(7) Failed to authenticate the user
(7) Using Post-Auth-Type Reject
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(7)   Post-Auth-Type REJECT {
(7) attr_filter.access_reject: EXPAND %{User-Name}
(7) attr_filter.access_reject:    --> MeinLaptop
(7) attr_filter.access_reject: Matched entry DEFAULT at line 11
(7)     [attr_filter.access_reject] = updated
(7)     [eap] = noop
(7)     policy remove_reply_message_if_eap {
(7)       if (&reply:EAP-Message && &reply:Reply-Message) {
(7)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(7)       else {
(7)         [noop] = noop
(7)       } # else = noop
(7)     } # policy remove_reply_message_if_eap = noop
(7)   } # Post-Auth-Type REJECT = updated
(7) Login incorrect (eap: Failed continuing EAP TLS (13) session.  EAP sub-module failed): [MeinLaptop/<via Auth-Type = eap>] (from client WiFi-AP port 0 cli B4-B5-B6-AA-BB-CC)
(7) Delaying response for 1.000000 seconds
(7) Sending delayed response
(7) Sent Access-Reject Id 149 from 192.168.200.1:1812 to 192.168.200.253:48409 length 44
(7)   EAP-Message = 0x04d00004
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7) Cleaning up request packet ID 149 with timestamp +23 due to cleanup_delay was reached
Logged

mimugmail

  • Hero Member
  • *****
  • Posts: 6766
  • Karma: 494
    • View Profile
Re: Radius-Problem seit Update
« Reply #33 on: November 27, 2022, 10:24:22 pm »
Kannst du einen revert machen und reboot?
Logged
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

mimugmail

  • Hero Member
  • *****
  • Posts: 6766
  • Karma: 494
    • View Profile
Re: Radius-Problem seit Update
« Reply #34 on: December 07, 2022, 04:32:34 pm »
Quote from: iamhermes on November 27, 2022, 08:31:31 pm
Heute die nächste Kuriosität.
Wie gesagt das Update auf die 22.7.8 ohne reboot durchgeführt.
Die WPA2-Enterprise Authentifizierung lief bisher ohne Probleme.

Heute einen komplett Reboot durchgeführt da sich irgendwie die Qualität des Routings abnahm (DSL-Modem + APU2)

Nach dem Reboot der APU konnte sich mein Win11 Rechner nicht mehr anmelden und wollte prompt neue Zugangsdaten zum WiFi
Hier half jetzt nur Check TLS Common-Name zu deaktivieren, da ich beim Win11 keine Möglichkeit der Eingabe der Identität habe nebst Angabe des Userzertifikates

Zu den Hintergründen beim Win11 Rechner:
Dieser bietet sobald man sich am WLAN Anmelden will nur noch die Möglichkeit Benutzername+Passwort ODER Zertifikat. Weitere Auswahlmöglichkeiten werden mir hier nicht angeboten. Auch das manuelle hinzufügen meines WPA2-Enterprise WiFi half nicht weiter. Ich habe noch in erinnerung dass man eine Identität angeben konnte zum Zertifikat.

Gegenprobe auf dem Pixel7 Gerät. WiFi gelöscht und neu angelegt. CA Zertifikat bei erster Verbindung vertrauen, Nutzerzertifikat ausgewählt. KEINE Identität angegeben --> kein Connect möglich. Irgendetwas da reingeschrieben --> connect möglich.

Irgendetwas hat sich beim Reboot vom Freeradius aufgeräumt. Aber alles in sich doch irgendwie sehr kurios. Ein Debug Log habe ich gemacht von der fehlgeschlagenen Win11 Anmeldung und liegt vor. Nur ob das so viel bringt weiß ich nicht

Vielleicht kann ja jemand etwas zu diesem DEBUG Mitschnitt sagen

Code: [Select]
radiusd: FreeRADIUS Version 3.2.1, for host amd64-portbld-freebsd13.1, built on Nov 16 2022 at 05:04:28

(7) Received Access-Request Id 149 from 192.168.200.253:48409 to 192.168.200.1:1812 length 243
(7)   User-Name = "MeinLaptop"
(7)   NAS-IP-Address = 192.168.200.253
(7)   NAS-Identifier = "22e829aabbcc"
(7)   Called-Station-Id = "22-E8-29-AA-BB-CC:MeinHochSensiblesWLAN"
(7)   NAS-Port-Type = Wireless-802.11
(7)   Service-Type = Framed-User
(7)   Calling-Station-Id = "B4-B5-B6-AA-BB-CC"
(7)   Connect-Info = "CONNECT 0Mbps 802.11b"
(7)   Acct-Session-Id = "9FD343CD4B259C46"
(7)   Acct-Multi-Session-Id = "1C44C5FF48582DF8"
(7)   WLAN-Pairwise-Cipher = 1027076
(7)   WLAN-Group-Cipher = 1027076
(7)   WLAN-AKM-Suite = 1027073
(7)   Framed-MTU = 1400
(7)   EAP-Message = 0x02d000060d00
(7)   State = 0x39366d1f3ce6604cbeba10a4ec638971
(7)   Message-Authenticator = 0x3a2ad747a8c49b57d6d5e632f80024d1
(7) Restoring &session-state
(7)   &session-state:Framed-MTU = 994
(7)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(7)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(7)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(7)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(7)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(7)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(7)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate"
(7)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
(7)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify"
(7)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
(7)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
(7)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
(7)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7)   &session-state:TLS-Session-Version = "TLS 1.2"
(7) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(7)   authorize {
(7)     policy filter_username {
(7)       if (&User-Name) {
(7)       if (&User-Name)  -> TRUE
(7)       if (&User-Name)  {
(7)         if (&User-Name =~ / /) {
(7)         if (&User-Name =~ / /)  -> FALSE
(7)         if (&User-Name =~ /@[^@]*@/ ) {
(7)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(7)         if (&User-Name =~ /\.\./ ) {
(7)         if (&User-Name =~ /\.\./ )  -> FALSE
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(7)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(7)         if (&User-Name =~ /\.$/)  {
(7)         if (&User-Name =~ /\.$/)   -> FALSE
(7)         if (&User-Name =~ /@\./)  {
(7)         if (&User-Name =~ /@\./)   -> FALSE
(7)       } # if (&User-Name)  = notfound
(7)     } # policy filter_username = notfound
(7)     [preprocess] = ok
(7)     [chap] = noop
(7)     [mschap] = noop
(7)     [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: No '@' in User-Name = "MeinLaptop", looking up realm NULL
(7) suffix: No such realm "NULL"
(7)     [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 208 length 6
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7)     [eap] = updated
(7)     [files] = noop
(7)     [expiration] = noop
(7)     [logintime] = noop
(7)     [pap] = noop
(7)   } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(7)   authenticate {
(7) eap: Expiring EAP session with state 0x39366d1f3ce6604c
(7) eap: Finished EAP session with state 0x39366d1f3ce6604c
(7) eap: Previous EAP request found for state 0x39366d1f3ce6604c, released from the list
(7) eap: Peer sent packet with method EAP TLS (13)
(7) eap: Calling submodule eap_tls to process data
(7) eap_tls: (TLS) Peer ACKed our handshake fragment.  handshake is finished
(7) eap_tls: Validating certificate
(7) Virtual server check-eap-tls received request
(7)   User-Name = "MeinLaptop"
(7)   NAS-IP-Address = 192.168.200.253
(7)   NAS-Identifier = "22e829aabbcc"
(7)   Called-Station-Id = "22-E8-29-AA-BB-CC:MeinHochSensiblesWLAN"
(7)   NAS-Port-Type = Wireless-802.11
(7)   Service-Type = Framed-User
(7)   Calling-Station-Id = "B4-B5-B6-AA-BB-CC"
(7)   Connect-Info = "CONNECT 0Mbps 802.11b"
(7)   Acct-Session-Id = "9FD343CD4B259C46"
(7)   Acct-Multi-Session-Id = "1C44C5FF48582DF8"
(7)   WLAN-Pairwise-Cipher = 1027076
(7)   WLAN-Group-Cipher = 1027076
(7)   WLAN-AKM-Suite = 1027073
(7)   Framed-MTU = 1400
(7)   EAP-Message = 0x02d000060d00
(7)   State = 0x39366d1f3ce6604cbeba10a4ec638971
(7)   Message-Authenticator = 0x3a2ad747a8c49b57d6d5e632f80024d1
(7)   Event-Timestamp = "Nov 27 2022 19:46:24 CET"
(7)   EAP-Type = TLS
(7)   TLS-Client-Cert-Serial := "00"
(7)   TLS-Client-Cert-Expiration := "270523225140Z"
(7)   TLS-Client-Cert-Valid-Since := "170525225140Z"
(7)   TLS-Client-Cert-Subject := "/C=DE/ST=Germany/L=City in Germany/O=HomeNetwork/emailAddress=nobody@not.me/CN=bahnhof"
(7)   TLS-Client-Cert-Issuer := "/C=DE/ST=Germany/L=City in Germany/O=HomeNetwork/emailAddress=nobody@not.me/CN=bahnhof"
(7)   TLS-Client-Cert-Common-Name := "bahnhof"
(7)   TLS-Client-Cert-X509v3-Subject-Key-Identifier += "B0:6D:DF:7C:FC:F2:37:78:5E:34:95:04:5F:69:97:3A:02:05:F8:07"
(7)   TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:B0:6D:DF:7C:FC:F2:37:78:5E:34:95:04:5F:69:97:3A:02:05:F8:07\n"
(7)   TLS-Client-Cert-X509v3-Basic-Constraints += "CA:TRUE"
(7)   TLS-Client-Cert-Serial := "0e"
(7)   TLS-Client-Cert-Expiration := "250409121646Z"
(7)   TLS-Client-Cert-Valid-Since := "220410121646Z"
(7)   TLS-Client-Cert-Subject := "/C=DE/ST=Germany/L=City in Germany/O=HomeNetwork/emailAddress=nobody@not.me/CN=MeinLaptop"
(7)   TLS-Client-Cert-Issuer := "/C=DE/ST=Germany/L=City in Germany/O=HomeNetwork/emailAddress=nobody@not.me/CN=bahnhof"
(7)   TLS-Client-Cert-Common-Name := "MeinLaptop"
(7)   TLS-Client-Cert-Subject-Alt-Name-Dns := "publicDNS.spdns.de"
(7)   TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(7)   TLS-Client-Cert-X509v3-Subject-Key-Identifier += "24:3A:6B:31:46:9A:6A:9B:48:D2:D3:75:9F:88:74:65:C3:ED:4A:D1"
(7)   TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:B0:6D:DF:7C:FC:F2:37:78:5E:34:95:04:5F:69:97:3A:02:05:F8:07\nDirName:/C=DE/ST=Germany/L=City in Germany/O=HomeNetwork/emailAddress=nobody@not.me/CN=bahnhof\nserial:00\n"
(7)   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(7)   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
(7) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(7) server check-eap-tls {
(7)   session-state: No cached attributes
(7)   # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/check-eap-tls
(7)     authorize {
(7)       update config {
(7)         &Auth-Type := Accept
(7)       } # update config = noop
(7)       if (&User-Name == &TLS-Client-Cert-Common-Name || &User-Name == "host/%{TLS-Client-Cert-Common-Name}") {
(7)       EXPAND host/%{TLS-Client-Cert-Common-Name}
(7)          --> host/bahnhof
(7)       if (&User-Name == &TLS-Client-Cert-Common-Name || &User-Name == "host/%{TLS-Client-Cert-Common-Name}")  -> FALSE
(7)       else {
(7)         update config {
(7)           &Auth-Type := Reject
(7)         } # update config = noop
(7)       } # else = noop
(7)       [files] = noop
(7)       [expiration] = noop
(7)       [logintime] = noop
(7)     } # authorize = noop
(7)   Found Auth-Type = Reject
(7)   Auth-Type = Reject, rejecting user
(7)   Failed to authenticate the user
(7)   Using Post-Auth-Type Reject
(7)   Post-Auth-Type sub-section not found.  Ignoring.
(7)   Login incorrect: [MeinLaptop/<via Auth-Type = Reject>] (from client WiFi-AP port 0 cli B4-B5-B6-AA-BB-CC via TLS tunnel)
(7) } # server check-eap-tls
(7) Virtual server sending reply
(7) eap_tls: Certificate rejected by the virtual server
(7) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
(7) eap: Sending EAP Failure (code 4) ID 208 length 4
(7) eap: Failed in EAP select
(7)     [eap] = invalid
(7)   } # authenticate = invalid
(7) Failed to authenticate the user
(7) Using Post-Auth-Type Reject
(7) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(7)   Post-Auth-Type REJECT {
(7) attr_filter.access_reject: EXPAND %{User-Name}
(7) attr_filter.access_reject:    --> MeinLaptop
(7) attr_filter.access_reject: Matched entry DEFAULT at line 11
(7)     [attr_filter.access_reject] = updated
(7)     [eap] = noop
(7)     policy remove_reply_message_if_eap {
(7)       if (&reply:EAP-Message && &reply:Reply-Message) {
(7)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(7)       else {
(7)         [noop] = noop
(7)       } # else = noop
(7)     } # policy remove_reply_message_if_eap = noop
(7)   } # Post-Auth-Type REJECT = updated
(7) Login incorrect (eap: Failed continuing EAP TLS (13) session.  EAP sub-module failed): [MeinLaptop/<via Auth-Type = eap>] (from client WiFi-AP port 0 cli B4-B5-B6-AA-BB-CC)
(7) Delaying response for 1.000000 seconds
(7) Sending delayed response
(7) Sent Access-Reject Id 149 from 192.168.200.1:1812 to 192.168.200.253:48409 length 44
(7)   EAP-Message = 0x04d00004
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7) Cleaning up request packet ID 149 with timestamp +23 due to cleanup_delay was reached

Bist du motiviert was mit mir zu testen um das zu fixen?
Logged
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

EdwinKM

  • Full Member
  • ***
  • Posts: 155
  • Karma: 5
    • View Profile
Re: Radius-Problem seit Update
« Reply #35 on: December 07, 2022, 06:49:02 pm »
Sorry, everything is German here. But it seems related: https://github.com/opnsense/core/issues/6167#issuecomment-1341331883

Am i correct that this is a freeradius upstream bug? Maybe opnsense can better revert the version until upsteam is fixed?
« Last Edit: December 07, 2022, 06:54:58 pm by EdwinKM »
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 17660
  • Karma: 1611
    • View Profile
Re: Radius-Problem seit Update
« Reply #36 on: December 07, 2022, 07:43:04 pm »
(Looks like it. And a revert is out of the question if not carried out by FreeBSD ports, which is highly unlikely.)
Logged
  • Print
Pages: 1 2 [3]
« previous next »
  • OPNsense Forum »
  • International Forums »
  • German - Deutsch »
  • Radius-Problem seit Update
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2