[strongSwan] StrongSwan eap-radius with EAP-TLS, ASN.1 Radius-Username
Stefan Hartmann
stefanh at hafenthal.de
Tue Mar 3 15:06:59 CET 2020
Hello list,

I'm trying to set up a VPN remote access (aka road warrior) with EAP-TLS,
similar to the scenario
https://www.strongswan.org/testing/testresults/swanctl/rw-eap-tls-radius/.
I want to switch from Cisco ASA to strongSwan.

I use strongswan 5.8.1-1 on Debian Bullseye.
My FreeRADIUS is 3.0.17+dfsg-1.1 on a Debian Buster and has already been
running for a few years as KDC/LDAP/RADIUS etc.:
used for WLAN AAA: EAP-TLS, EAP-TTLS/PAP, PEAP-MSCHAPv2
used as AAA server for Cisco ASA, i.e. authn via PAP
used as KDC ...

The first setup with strongSwan works perfectly with EAP-TTLS with
inner EAP-GTC against the Kerberos KDC.
The setup for EAP-TLS only works if I comment out the
filter_username in sites-enabled/default; otherwise the username passed
from strongSwan to the AAA server is rejected.
# freeradius -X
...
} # if (&User-Name =~ / /) = reject
(0) } # if (&User-Name) = reject
(0) } # policy filter_username = reject
(0) } # authorize = reject
(0) Invalid user (Rejected: User-Name contains whitespace): [0??1?0
??U????DE1I0G??U? ?@Ingenieurbuero fuer IT/EDV und Netzwerktechnik -
Stefan Hartmann1?0???U????Users1?0???U??? testuser-ldap] (from client
BULLSEYE port 5 cli 172.31.201.100[500])
Analyzing with Wireshark shows that the username passed is the
ASN.1 subject DN from the certificate:
0000  30 81 81 31 0b 30 09 06 03 55 04 06 13 02         ..0..1.0 ...U....
0010  44 45 31 49 30 47 06 03 55 04 0a 0c 40 49 6e 67   DE1I0G.. U...@Ing
0020  65 6e 69 65 75 72 62 75 65 72 6f 20 66 75 65 72   enieurbu ero fuer
0030  20 49 54 2f 45 44 56 20 75 6e 64 20 4e 65 74 7a    IT/EDV  und Netz
...
# strongswan config

# VPN-Gw swanctl.conf
connections {
    RA-SRV4_IKE2-AUTHN-EAP {
        ...
        local {
            auth = pubkey
            certs = BULLSEYE_SAN-DNS-email.cert.pem
        }
        remote {
            auth = eap-radius
            id = "C = DE, O = Ingenieurbuero fuer IT/EDV und Netzwerktechnik - Stefan Hartmann, OU = Users, CN = *"
        }
        ...

# Roadwarrior
connections {
    RA-KLIENT4_IKE2-AUTHN-EAP {
        ...
        local {
            auth = eap-tls
            certs = testuser-ldap.cert.pem
            aaa_id = "C = DE, O = Ingenieurbuero fuer IT/EDV und Netzwerktechnik - Stefan Hartmann, OU = CA, CN = srv-kdc.hafenthal.de"
            # testing
            #id = "C = DE, O = Ingenieurbuero fuer IT/EDV und Netzwerktechnik - Stefan Hartmann, OU = Users, CN = testuser-ldap"
            #id = testuser-lokal@hafenthal.de
        }
Can I configure the strongSwan client or server, or the eap-radius plugin,
so that it passes either the subject DN in ASCII or the subjectAltName email?

The scenario
https://www.strongswan.org/testing/testresults/swanctl/rw-eap-tls-radius/
also shows the raw ASN.1 username, so I think this is intended.

A possible workaround:
write a FreeRADIUS policy.d/filter_strongswan unlang function which
transforms the username and then does the filter_username check.

NB: With a fake certificate you can pass arbitrary hex code to the
FreeRADIUS daemon, from every user on the Internet to the auth server, i.e.
the heart of your site! This could be/become a nice attack vector - that is
my view as a pentester!
Thanks for your thoughts and replies!
--
stefanh
Ingenieurbuero fuer IT/EDV und Netzwerktechnik - Stefan Hartmann
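The raw User-Name seen in the Wireshark dump above is the DER encoding of the certificate's subject Name (SEQUENCE OF SET OF SEQUENCE {OID, string}), and the filter_strongswan policy proposed as a workaround would have to turn that into something filter_username accepts. The following is an added example, not part of the original post and not strongSwan or FreeRADIUS code: a small Python DER Name encoder/decoder plus a function that mirrors the whitespace check from the freeradius -X log above. The sample DN (C=DE, O=Example Org, OU=Users, CN=testuser) is constructed and is not the DN from the post; the attribute OIDs are the standard X.520 ones.

```python
"""Decode the DER-encoded X.509 subject Name that strongSwan's eap-radius
plugin sends as RADIUS User-Name for an EAP-TLS peer, and mirror the
whitespace check of FreeRADIUS' default filter_username policy.
Added example (not strongSwan or FreeRADIUS code); the sample DN below
is constructed and is not the one from the mailing-list post."""
from __future__ import annotations
from typing import Optional

# Standard X.520 attribute type OIDs, DER-encoded (2.5.4.x)
OID_BY_ATTR = {
    "C": bytes.fromhex("550406"),   # countryName
    "O": bytes.fromhex("55040a"),   # organizationName
    "OU": bytes.fromhex("55040b"),  # organizationalUnitName
    "CN": bytes.fromhex("550403"),  # commonName
}
ATTR_BY_OID = {oid: attr for attr, oid in OID_BY_ATTR.items()}
SEQUENCE, SET, OBJECT_ID, UTF8STRING, PRINTABLESTRING = 0x30, 0x31, 0x06, 0x0C, 0x13


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, else 0x8N followed by N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_name(rdns: list[tuple[str, str]]) -> bytes:
    """Encode a Name as SEQUENCE OF (SET OF one SEQUENCE {OID, string})."""
    out = b""
    for attr, value in rdns:
        tag = PRINTABLESTRING if attr == "C" else UTF8STRING  # C is PrintableString
        ava = _tlv(SEQUENCE, _tlv(OBJECT_ID, OID_BY_ATTR[attr]) + _tlv(tag, value.encode("utf-8")))
        out += _tlv(SET, ava)
    return _tlv(SEQUENCE, out)


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, position after the element); reject truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def decode_name(der: bytes) -> list[list[tuple[str, str]]]:
    """Parse a DER Name into a list of RDNs, each a list of (attr, value) pairs."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("not a DER Name")
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = _read_tlv(seq, pos)
        if tag != SET:
            raise ValueError("RDN must be a SET")
        avas, rpos = [], 0
        while rpos < len(rdn):
            tag, ava, rpos = _read_tlv(rdn, rpos)
            if tag != SEQUENCE:
                raise ValueError("AttributeTypeAndValue must be a SEQUENCE")
            otag, oid, vpos = _read_tlv(ava, 0)
            vtag, val, _ = _read_tlv(ava, vpos)
            if otag != OBJECT_ID or vtag not in (UTF8STRING, PRINTABLESTRING):
                raise ValueError("unsupported attribute encoding")
            avas.append((ATTR_BY_OID.get(oid, "OID-" + oid.hex()), val.decode("utf-8")))
        rdns.append(avas)
    return rdns


def name_to_string(der: bytes) -> str:
    """Render like the swanctl.conf id strings: 'C=DE, O=..., CN=...'."""
    return ", ".join("+".join(f"{a}={v}" for a, v in rdn) for rdn in decode_name(der))


def common_name(der: bytes) -> Optional[str]:
    """Pick the CN, a candidate for a whitespace-free RADIUS identity."""
    for rdn in decode_name(der):
        for attr, value in rdn:
            if attr == "CN":
                return value
    return None


def filter_username_reject_reason(user_name: bytes) -> Optional[str]:
    """The check that trips in the post's debug log: any space in User-Name."""
    return "User-Name contains whitespace" if b" " in user_name else None


# Constructed sample subject DN (not the DN from the post)
SAMPLE_DER = encode_name([("C", "DE"), ("O", "Example Org"), ("OU", "Users"), ("CN", "testuser")])

if __name__ == "__main__":
    print("raw User-Name hex:", SAMPLE_DER.hex())
    print("decoded:", name_to_string(SAMPLE_DER))
    print("raw rejected:", filter_username_reject_reason(SAMPLE_DER))
    print("decoded rejected:", filter_username_reject_reason(name_to_string(SAMPLE_DER).encode()))
    print("CN rejected:", filter_username_reject_reason(common_name(SAMPLE_DER).encode()))
```

Running it shows what the workaround policy actually has to handle: the raw bytes fail the whitespace check as soon as an attribute value (here the O) contains 0x20, and the decoded `C=DE, O=...` string fails it too, so the policy must map the DN to a space-free identity such as the CN (or, as asked above, the subjectAltName email) rather than merely decoding it. Since the RADIUS server has already validated the client certificate by the time EAP-TLS completes, keying the policy on the certificate fields it extracts itself is more trustworthy than anything derived from a peer-supplied User-Name.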