[strongSwan] StrongSwan eap-radius with EAP-TLS, ASN.1 Radius-Username

Stefan Hartmann sh at hafenthal.de
Tue Mar 3 21:01:40 CET 2020 

Hi,

thank you for yout thoughts.

Yes this is a workaround, I created policy.d/strongswan with 
filter_username_custom in it.

But it would be nice to have a readable and sanitized subject DN as 
User-Name attribute.

And what about proxying the request to another home-server with ASN.1 
raw hex User-Name.

Eventuelly I will test EAP-TLS with cisco IOS or ASA and look how they 
mangle the username.


-- 
stefanh
Ingenieurbuero fuer IT/EDV und Netzwerktechnik - Stefan Hartmann


On 03.03.20 15:40, Michael Schwartzkopff wrote:
> On 03.03.20 15:06, Stefan Hartmann wrote:
>> Hello list,
>>
>> I 'm trying to set up a VPN Remote Access aka Road Warrior with
>> EAP-TLS similar as the scenario
>> https://www.strongswan.org/testing/testresults/swanctl/rw-eap-tls-radius/.
>>
>> I want to switch from Cisco ASA to Strongswan.
>>
>> I use strongswan 5.8.1-1 on Debian Bullseye.
>>
>> My Freeradius is 3.0.17+dfsg-1.1 on a Debian Buster and is already
>> running a few years as KDC/LDAP/RADIUS etc:
>>      used for WLAN AAA EAP-TLS, EAP-TTLS/PAP, PEAP-MSCHAPv2
>>      used as AAA server for Cisco ASA ie authn via PAP
>>      used as KDC ...
>>
>> The first setup with strongswan functions perfectly with EAP-TTLS with
>> inner EAP-GTC against the Kerberos KDC.
>>
>>
>> The setup for EAP-TLS functions only, if I comment out the
>> filter_username in sites-enabled/default, otherwise the passed
>> username from strongswan to the AAA server is rejected.
>>
>> # freeradius -X
>> ...
>> } # if (&User-Name =~ / /)  = reject
>> (0)       } # if (&User-Name)  = reject
>> (0)     } # policy filter_username = reject
>> (0)   } # authorize = reject
>> (0) Invalid user (Rejected: User-Name contains whitespace): [0??1?0
>> ??U????DE1I0G??U? ?@Ingenieurbuero fuer IT/EDV und Netzwerktechnik -
>> Stefan Hartmann1?0???U????Users1?0???U??? testuser-ldap] (from client
>> BULLSEYE port 5 cli 172.31.201.100[500])
>>
>>
>> Analyzing with Wireshark shows, that the username is the passed
>> ASN.1-Subject-DN from the certificate:
>> 0000        30 81 81 31 0b 30  09 06 03 55 04 06 13 02   ..0..1.0
>> ...U....
>> 0010  44 45 31 49 30 47 06 03  55 04 0a 0c 40 49 6e 67   DE1I0G..
>> U... at Ing
>> 0020  65 6e 69 65 75 72 62 75  65 72 6f 20 66 75 65 72   enieurbu ero
>> fuer
>> 0030  20 49 54 2f 45 44 56 20  75 6e 64 20 4e 65 74 7a    IT/EDV  und
>> Netz
>> ...
>>
>>
>> # strongswan config
>> # VPN-Gw swanctl.conf
>> connections {
>>      RA-SRV4_IKE2-AUTHN-EAP {
>>      ...
>>      local {
>>          auth = pubkey
>>      certs = BULLSEYE_SAN-DNS-email.cert.pem
>>          }
>>      remote {
>>      auth = eap-radius
>>      id = "C = DE, O = Ingenieurbuero fuer IT/EDV und Netzwerktechnik -
>> Stefan Hartmann, OU = Users, CN = *"
>>          }
>>      ...
>>
>>
>> # Roadwarrior
>> connections {
>>      RA-KLIENT4_IKE2-AUTHN-EAP {
>>      ...
>>      local {
>>      auth = eap-tls
>>      certs = testuser-ldap.cert.pem
>>      aaa_id = "C = DE, O = Ingenieurbuero fuer IT/EDV und
>> Netzwerktechnik - Stefan Hartmann, OU = CA, CN = srv-kdc.hafenthal.de"
>>
>>      # testing
>>      #id = "C = DE, O = Ingenieurbuero fuer IT/EDV und Netzwerktechnik
>> - Stefan Hartmann, OU = Users, CN = testuser-ldap"
>>      #id = testuser-lokal at hafenthal.de
>>      
>>         }
>>
>>
>> Can I configure strongswan client or server or eap-radius-plugin, that
>> it passes either the subject-DN in ASCII or the SubjAltName email?
>>
>> The scenario
>> https://www.strongswan.org/testing/testresults/swanctl/rw-eap-tls-radius/
>> shows also the ASN.1 raw username, therefore I think, this is intended.
>>
>> A possible workaround:
>> write a freeradius policy.d/filter_strongswan unlang function which
>> transforms the username and then do the filter_username check.
>>
>>
>> Nb. With a fake certificate you can pass arbitrarily hex code to the
>> freeradius daemon, from every user on the inet to the auth-server ie
>> heart of your site! This could be/become a nice attack vector - this
>> on my view as a pentester!
>>
>>
>> Thanks for your thoughts and replies!
>>
> 
> Hi,
> 
> 
> RADIUS does not expect a whitespace in the username. strongswan passes
> the ID on the the radius server. In your case is has whitespace. The
> policy filter in freeradius kicks in and rejects the request.
> 
> I'd improve the policy filter in freeradius to accept whitespace IF the
> NAS is your strongswan. Please see the debug output of freeradius for
> the NAS attribute. So you can update your filter like:
> 
> if (&NAS-Identifier == "strongswan") {
> 
>    other policy tests except the whitespace"
> 
> } else {
> 
>   all original filter
> 
> }
> 
> 
> Please see the file /etc/freeradius/3.0/policy.d/filter for the
> preprocess username filter.
> 
> 
> Mit freundlichen Grüßen,
>

More information about the Users mailing list