Bug 35516 - Client authentication not possible
Client authentication not possible
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Radius
Version: UCS 3.2
Hardware: Other Linux
Priority: P5 normal
Target Milestone: UCS 3.2-3-errata
Assigned To: Arvid Requate
QA Contact: Drees Dormann
Depends on:
Blocks:
Reported: 2014-07-30 10:17 CEST by Tim Petersen
Modified: 2014-11-07 15:38 CET


Attachments
Patch for networkaccess.py (931 bytes, patch)
2014-07-31 15:36 CEST, Tim Petersen

Description Tim Petersen univentionstaff 2014-07-30 10:17:44 CEST
2014072821000325: Pre domain logon client authentication doesn't work.
It does not work for win7 and win8 (I didn't test win xp).

The log files show this for win8:

Tue Jul 29 15:48:56 2014 : Auth: Login incorrect: [host/win8.radius.tim/<via Auth-Type = EAP>] (from client FOO port 0 cli 00-22-FB-54-33-BC)
Tue Jul 29 15:49:40 2014 : Auth: Login incorrect (mschap: External script says Logon failure (0xc000006d)): [host/win8.radius.tim/<via Auth-Type = EAP>] (from client FOO port 0 via TLS tunnel)

root@master:~# univention-radius-check-access --username=win8$ --station-id=00-22-FB-54-33-BC | grep ALLOWED
Thus access for user is ALLOWED.
Thus access for station is ALLOWED.
Thus access is ALLOWED.



and this for win7:

Wed Jul 30 10:09:36 2014 : Error: TLS Alert read:fatal:unknown CA
Wed Jul 30 10:09:36 2014 : Error:     TLS_accept: failed in SSLv3 read client certificate A
Wed Jul 30 10:09:36 2014 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Wed Jul 30 10:09:36 2014 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Wed Jul 30 10:09:36 2014 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [host/WIN7.radius.tim/<via Auth-Type = EAP>] (from client FOO port 0 cli 00-21-6A-74-12-82)

root@master:~# univention-radius-check-access --username=win7$ --station-id=00-21-6A-74-12-82 | grep ALLOWED
Thus access for user is ALLOWED.
Thus access for station is ALLOWED.
Thus access is ALLOWED.



root@master:~# ntlm_auth --request-nt-key --domain=radius --username=win8$ --password=univention
NT_STATUS_OK: Success (0x0)
root@master:~# ntlm_auth --request-nt-key --domain=radius --username=win7$ --password=univention
NT_STATUS_OK: Success (0x0)

I set the machine passwords to "univention" after my basic tests, to be able to test ntlm by hand, to be sure.
Comment 1 Tim Petersen univentionstaff 2014-07-30 10:18:29 CEST
My test environment, master, wlan ap, two laptops (win7 and win8) still exists and is usable for further analysis.
Comment 2 Janek Walkenhorst univentionstaff 2014-07-30 10:58:16 CEST
When using an AD (Samba 4) domain, client authentication uses the username field to transfer the hostname in the following format
 host/client.example.com
instead of the "old" format
 client$
. Thus the computer cannot be found by the current code.
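The mapping described in the comment above, as an added example that is not the attached patch and not part of univention-radius: it normalises the RADIUS User-Name to the machine account name (client$) that the LDAP lookup expects, accepting both the AD-style host/fqdn principal and the older client$ form. The allowed domain suffix list, the NetBIOS-style label check and the sample usernames are constructed for this example; an unqualified host/ name without a known suffix is rejected on purpose.

```python
import re

# Constructed samples of the RADIUS User-Name attribute. The host/... form is
# what an AD (Samba 4) joined Windows client sends for pre-logon machine
# authentication; client$ is the older NT4-style machine account form.
SAMPLE_USERNAMES = [
    "host/win8.radius.tim",
    "host/WIN7.radius.tim",
    "host/win8.radius.tim@RADIUS.TIM",
    "RADIUS\\win8$",
    "win8$",
    "alice",
    "host/",
    "host/evil host.radius.tim",
    "host/win8.evil.example",
]

# Hypothetical allow-list of DNS suffixes a host/ principal may carry. In a
# real deployment this would come from the domain configuration, not a constant.
DOMAIN_SUFFIXES = ("radius.tim",)

# Assumed character set for a machine name: a NetBIOS-style label (letters,
# digits, hyphen, at most 15 characters) so that odd input never reaches LDAP.
_LABEL_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,14}$")


def machine_account_from_username(username, domain_suffixes=DOMAIN_SUFFIXES):
    """Map a RADIUS User-Name to the machine account name to look up (client$).

    Returns the client$ form for both "host/client.example.com" and "client$"
    input, and None when the name is not a machine account or is malformed.
    """
    name = username.strip()
    # Drop an optional Kerberos realm ("...@REALM") and NetBIOS domain prefix
    # ("DOMAIN\\name"); neither is part of the account name.
    name = name.split("@", 1)[0]
    name = name.rsplit("\\", 1)[-1]

    if name.lower().startswith("host/"):
        fqdn = name[len("host/"):]
        if not fqdn:
            return None
        host, _, suffix = fqdn.partition(".")
        # Only accept principals from a domain we actually serve; compare
        # case-insensitively because Windows capitalises names inconsistently.
        if suffix.lower() not in [s.lower() for s in domain_suffixes]:
            return None
        if not _LABEL_RE.match(host):
            return None
        return host + "$"

    if name.endswith("$"):
        if not _LABEL_RE.match(name[:-1]):
            return None
        return name  # already in client$ form

    return None  # a user account, not a machine account


def classify_all(usernames=SAMPLE_USERNAMES):
    """Run the mapping over the constructed samples; handy for a quick self-check."""
    return {u: machine_account_from_username(u) for u in usernames}


if __name__ == "__main__":
    for raw, account in classify_all().items():
        print("%-40s -> %s" % (raw, account))
```

The returned name is only a lookup key: the User-Name attribute is asserted by the supplicant before any credential is checked, so the access decision still has to be tied to the identity that EAP actually authenticated, and the LDAP match on the host part should be case-insensitive because the two clients in this report send "win8" and "WIN7".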
Comment 3 Tim Petersen univentionstaff 2014-07-31 15:36:55 CEST
Created attachment 6032 [details]
Patch for networkaccess.py

Works in a testing environment with the attached patch.
Comment 4 Arvid Requate univentionstaff 2014-10-29 14:22:46 CET
Package is rebuilt with the patch in errata3.2-3 and ucs_4.0-0.
Advisory: 2014-10-29-univention-radius.yaml
Comment 5 Drees Dormann univentionstaff 2014-11-04 16:51:19 CET
Authentication successful with a Windows client on a UCS 3.2-3 and 4.0-0 server with RADIUS installed.
Comment 6 Janek Walkenhorst univentionstaff 2014-11-07 15:38:49 CET
http://errata.univention.de/ucs/3.2/239.html