An open discussion list for topics related to the geteduroam service

[Darren Boss <Darren.Boss AT alliancecan.ca>]

I figured out the header issue yesterday but solved it differently with a
        RewriteEngine On
        RewriteCond %{HTTP:Authorization} .
        RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
in the virtual host configuration.

The Andorid geteduroam app is able to install the wireless profile now but 
I'm right back to seeing this in the freeradius logs when the client attempts 
to authenticate to my testing eduroam ssid:

(27) eap: Expiring EAP session with state 0xbac2bb39b8c6b6be
(27) eap: Finished EAP session with state 0xbac2bb39b8c6b6be
(27) eap: Previous EAP request found for state 0xbac2bb39b8c6b6be, released 
from the list
(27) eap: Peer sent packet with method EAP TLS (13)
(27) eap: Calling submodule eap_tls to process data
(27) eap_tls: (TLS) EAP Done initial handshake
(27) eap_tls: (TLS) recv TLS 1.2 Alert, fatal internal_error
(27) eap_tls: (TLS) The client is informing us that there is a failure inside 
the TLS protocol exchange.
(27) eap_tls: ERROR: (TLS) Alert read:fatal:internal error
(27) eap_tls: (TLS) Server : Need to read more data: error
(27) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:14094438:SSL 
routines:ssl3_read_bytes:tlsv1 alert internal error
(27) eap_tls: (TLS) In Handshake Phase
(27) eap_tls: (TLS) Application data.
(27) eap_tls: ERROR: (TLS) Cannot continue, as the peer is misbehaving.
(27) eap_tls: ERROR: [eaptls process] = fail
(27) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module 
failed
(27) eap: Sending EAP Failure (code 4) ID 4 length 4
(27) eap: Failed in EAP select
(27)     [eap] = invalid
(27)   } # authenticate = invalid
(27) Failed to authenticate the user
(27) Using Post-Auth-Type Reject

There was another message about problem with freeradius 3.0 so I also 
upgraded the freeradius packages under Rocky with the ones available at 
https://networkradius.com/packages/#fr32-rocky and there wasn't any change.

I simplied my radius configuration to the ones in the 
https://github.com/geteduroam/radius-server repo.

ca.pem is the output from "bin/get-signingca.php  radius.alliancecan.ca"

server.pem and server.key are the output from "bin/server-sign.php 
alliancecan.ca days_valid=1095"

Am I doing something wrong?

From: Paul Dekkers <paul.dekkers AT surf.nl>
Sent: Thursday, August 18, 2022 5:24 AM
To: Darren Boss <Darren.Boss AT alliancecan.ca>; geteduroam AT lists.geant.org 
<geteduroam AT lists.geant.org>; Jørn Åne de Jong <jornane.dejong AT surf.nl>
Subject: Re: Problem with certificates generated 
 
Hi,
Ah, so I think you're maybe running with Apache? Apache by default filters 
out the Authorization: header. I believe you can add
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
To your VirtualHost to pass the header to PHP.
I'm using nginx myself, and the documentation assumes lighttpd, but I can 
imagine you try with your favorite webserver and stumble upon this.
Regards,
Paul

On 17/08/2022 21:25, Darren Boss (via geteduroam Mailing List) wrote:
Got the response body logged via mod_security:
{
    "error": "invalid_request",
    "error_description": "Missing SERVER parameter HTTP_AUTHORIZATION"
}

This is the cause of the 400 error on the Debian vm.

From: geteduroam-request AT lists.geant.org <geteduroam-request AT lists.geant.org> 
on behalf of Jørn Åne de Jong <geteduroam AT lists.geant.org>
Sent: Wednesday, August 17, 2022 9:14 AM
To: geteduroam AT lists.geant.org <geteduroam AT lists.geant.org>
Subject: Re: Problem with certificates generated 
 
On 17/08/2022 14:54, Darren Boss (via geteduroam Mailing List) wrote:

I redeployed the portal on Debian 11.4 (Bullseye) but now I'm getting a error 
400 on the call from the Android app to /api/eap-config/. I decided to log 
the Authorization header to a custom log and was able to decode it using a 
JWT decoder. Looks fine, sub claim is my email address (using email nameid 
from Azure AD). Including the decoded JWT in case it's something obvious:

{
    "__t": "access_token",
    "iat": "1660739494",
    "sub": "Darren.Boss AT alliancecan.ca",
    "realm": "alliancecan.ca",
    "scope": "eap-metadata",
    "code_challenge_method": "S256",
    "code_challenge": "LQpjYE1ZjYAC6i9OwaU3OFYUBR9-rV-X0ohvYcXpLi4",
    "client_id": "app.eduroam.geteduroam",
    "redirect_uri": "app.eduroam.geteduroam:/",
    "exp": "1676637094"
}

jwt.io is flagging the dates as invalid but they look right to me and the iat 
matches the date of the apache log entry.

I think the dates are supposed to be ISO strings.  I'll fix that in a 
future release, but it's not really a problem since we don't need 
interoperability with other solutions.

Error 400 means typically something wrong with the OAuth request.  Can 
you find the answer body?  It should tell you what's wrong.

--
Jørn Åne de Jong
geteduroam