[strongSwan] StrongSwan eap-radius with EAP-TLS, ASN.1 Radius-Username

Stefan Hartmann stefanh at hafenthal.de
Tue Mar 3 15:06:59 CET 2020


Hello list,

I'm trying to set up a VPN Remote Access aka Road Warrior with EAP-TLS 
similar to the scenario 
https://www.strongswan.org/testing/testresults/swanctl/rw-eap-tls-radius/.

I want to switch from Cisco ASA to Strongswan.

I use strongswan 5.8.1-1 on Debian Bullseye.

My Freeradius is 3.0.17+dfsg-1.1 on a Debian Buster and has already been 
running for a few years as KDC/LDAP/RADIUS etc.:
     used for WLAN AAA EAP-TLS, EAP-TTLS/PAP, PEAP-MSCHAPv2
     used as AAA server for Cisco ASA ie authn via PAP
     used as KDC ...

The first setup with strongswan functions perfectly with EAP-TTLS with 
inner EAP-GTC against the Kerberos KDC.


The setup for EAP-TLS functions only if I comment out the 
filter_username in sites-enabled/default, otherwise the username passed 
from strongswan to the AAA server is rejected.

# freeradius -X
...
} # if (&User-Name =~ / /)  = reject
(0)       } # if (&User-Name)  = reject
(0)     } # policy filter_username = reject
(0)   } # authorize = reject
(0) Invalid user (Rejected: User-Name contains whitespace): [0??1?0 
??U????DE1I0G??U? ?@Ingenieurbuero fuer IT/EDV und Netzwerktechnik - 
Stefan Hartmann1?0???U????Users1?0???U??? testuser-ldap] (from client 
BULLSEYE port 5 cli 172.31.201.100[500])


Analyzing with Wireshark shows that the username is the passed 
ASN.1 Subject DN from the certificate:
0000        30 81 81 31 0b 30  09 06 03 55 04 06 13 02   ..0..1.0 ...U....
0010  44 45 31 49 30 47 06 03  55 04 0a 0c 40 49 6e 67   DE1I0G.. U...@Ing
0020  65 6e 69 65 75 72 62 75  65 72 6f 20 66 75 65 72   enieurbu ero fuer
0030  20 49 54 2f 45 44 56 20  75 6e 64 20 4e 65 74 7a    IT/EDV  und Netz
...


# strongswan config
# VPN-Gw swanctl.conf
connections {
    RA-SRV4_IKE2-AUTHN-EAP {
        ...
        local {
            auth = pubkey
            certs = BULLSEYE_SAN-DNS-email.cert.pem
        }
        remote {
            auth = eap-radius
            id = "C = DE, O = Ingenieurbuero fuer IT/EDV und Netzwerktechnik - Stefan Hartmann, OU = Users, CN = *"
        }
        ...


# Roadwarrior
connections {
    RA-KLIENT4_IKE2-AUTHN-EAP {
        ...
        local {
            auth = eap-tls
            certs = testuser-ldap.cert.pem
            aaa_id = "C = DE, O = Ingenieurbuero fuer IT/EDV und Netzwerktechnik - Stefan Hartmann, OU = CA, CN = srv-kdc.hafenthal.de"

            # testing
            #id = "C = DE, O = Ingenieurbuero fuer IT/EDV und Netzwerktechnik - Stefan Hartmann, OU = Users, CN = testuser-ldap"
            #id = testuser-lokal@hafenthal.de
        }


Can I configure the strongswan client or server or the eap-radius plugin 
so that it passes either the subject DN in ASCII or the SubjAltName email?

The scenario 
https://www.strongswan.org/testing/testresults/swanctl/rw-eap-tls-radius/ 
also shows the raw ASN.1 username, therefore I think this is intended.

A possible workaround:
write a freeradius policy.d/filter_strongswan unlang function which 
transforms the username and then does the filter_username check.


NB: With a fake certificate you can pass arbitrary hex code to the 
freeradius daemon, from every user on the internet to the auth server, i.e. 
the heart of your site! This could be/become a nice attack vector - this 
in my view as a pentester!


Thanks for your thoughts and replies!

-- 
stefanh
Ingenieurbuero fuer IT/EDV und Netzwerktechnik - Stefan Hartmann
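Added example (not code from the post, from strongSwan or from FreeRADIUS): a small DER decoder that turns the raw RDNSequence eap-radius puts into User-Name into the textual form strongSwan itself displays (C=..., O=..., OU=..., CN=...), plus the check a RADIUS-side policy would want before treating such a value as text. The decoder is general (several string types, multi-valued RDNs), so it covers more than the one DN in the post. The sample bytes are constructed by the example's own encoder from the client DN quoted in the post; their prefix matches the Wireshark dump above, but the overall length byte differs by one because the exact CN encoding is not visible in the capture.

```python
# Short names for the attribute OIDs found in a typical Subject DN.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress"}
NAME_OIDS = {v: k for k, v in OID_NAMES.items()}
# DER string tags accepted for attribute values, with the codec to decode them.
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii", 0x1E: "utf-16-be"}


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (1..4 length bytes)
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:end], end


def _decode_oid(value):
    """DER OID contents -> dotted notation, e.g. 55 04 06 -> '2.5.4.6'."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def _escape(value):
    """RFC 4514 escaping of characters that are special in a textual DN."""
    out = []
    for i, ch in enumerate(value):
        special = (ch in ',+"\\<>;' or (i == 0 and ch in "# ")
                   or (i == len(value) - 1 and ch == " "))
        out.append("\\" + ch if special else ch)
    return "".join(out)


def decode_dn(der):
    """Decode a DER RDNSequence into strongSwan's display form 'C=DE, O=..., CN=...'."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        set_tag, set_body, pos = _read_tlv(body, pos)
        if set_tag != 0x31:
            raise ValueError("RDN is not a SET")
        atvs, spos = [], 0
        while spos < len(set_body):
            seq_tag, atv, spos = _read_tlv(set_body, spos)
            oid_tag, oid, vpos = _read_tlv(atv, 0)
            str_tag, raw, _ = _read_tlv(atv, vpos)
            if seq_tag != 0x30 or oid_tag != 0x06 or str_tag not in STRING_TAGS:
                raise ValueError("malformed AttributeTypeAndValue")
            name = OID_NAMES.get(_decode_oid(oid), _decode_oid(oid))
            atvs.append(f"{name}={_escape(raw.decode(STRING_TAGS[str_tag]))}")
        rdns.append("+".join(atvs))         # multi-valued RDNs are joined with '+'
    return ", ".join(rdns)


def username_is_der_dn(user_name):
    """True when a RADIUS User-Name value is a parsable DER-encoded DN, not plain text."""
    if not user_name or user_name[0] != 0x30:
        return False
    try:
        decode_dn(user_name)
        return True
    except (ValueError, IndexError, UnicodeDecodeError):
        return False


# --- constructed sample: the client DN from the post, re-encoded by this encoder ---
def _tlv(tag, value):
    """Encode one DER TLV (short or long-form length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def encode_dn(rdns):
    """Build a DER RDNSequence from (name, value) pairs; C as PrintableString, rest UTF8String."""
    sets = b""
    for name, value in rdns:
        val = _tlv(0x13, value.encode("ascii")) if name == "C" else _tlv(0x0C, value.encode("utf-8"))
        sets += _tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid(NAME_OIDS[name])) + val))
    return _tlv(0x30, sets)


SAMPLE_DN = [("C", "DE"), ("O", "Ingenieurbuero fuer IT/EDV und Netzwerktechnik - Stefan Hartmann"),
             ("OU", "Users"), ("CN", "testuser-ldap")]
SAMPLE_USER_NAME = encode_dn(SAMPLE_DN)    # constructed stand-in for the captured User-Name

if __name__ == "__main__":
    print(SAMPLE_USER_NAME.hex(" "))
    print(username_is_der_dn(SAMPLE_USER_NAME), decode_dn(SAMPLE_USER_NAME))
    print(username_is_der_dn(b"testuser-lokal@hafenthal.de"))
```

Run stand-alone, the script prints the constructed bytes (starting `30 81 80 31 0b 30 09 06 03 55 04 06 13 02 44 45 31 49 30 47 ...`), the decoded DN and the two check results. The point of `username_is_der_dn` is the defensive one: a RADIUS server or front-end policy that receives a User-Name starting with 0x30 should either decode it fully (rejecting anything that does not parse as a well-formed DN) or drop it, rather than letting raw DER reach string-based matching and logging.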