Sometimes you may want to know census-style data across RADIUS realms like: what key sizes do EAP servers out there have? Does everyone have a subjectAltName:DNS in addition to CN? To do that, modest amount of scripting with eapol_test can help you find out about that.

Let's assume you have a list of realms you want to check, with one realm in one line of a file, named probe_identities.txt hereafter:

probe_identities.txt
user@realm1.tld
anonymous@realm2.tld
@realm.aq
anon123@anotherrealm.aq


With that, the following set of bash scripts gives you the openssl text output for all the certificates behind all the realms. It is chopped into distinct scripts to make repeat runs easier, so you don't have to run everything. Especially the one with eapol_test probing takes a little while for many realms.

The first scripts prepares a directory structures and a config file for eapol_test:

bootstrap.sh
#!/bin/bash

# realms for probe_identities.txt extracted from CAT DB with:
#
# SELECT realm FROM profile WHERE checkuser_outer != 1 UNION SELECT CONCAT(checkuser_value, SUBSTRING(realm,INSTR(realm,'@'))) FROM profile WHERE checkuser_outer = 1\G

for REALM in `cat probe_identities.txt`; do
        echo "$REALM ..."
        mkdir -p "RUN/$REALM/certs"
        cat wpa_probe.conf.template | sed s/REALM/$REALM/ > "RUN/$REALM/wpa_probe.conf"
done
wpa_probe.conf.template
# this needs an arbitrary client certificate inside a file "clientcert.p12" with a matching passphrase in private_key_password
# without those two, you need to remove eap=TLS from the list, and can't probe servers supporting exclusively EAP-TLS

network={
  ssid="eduroam"
  key_mgmt=WPA-EAP
  eap=TLS PEAP TTLS
  pairwise=CCMP TKIP
  group=CCMP TKIP
  phase2="auth=MSCHAPV2"
  identity="stefan@test"
  anonymous_identity="REALM"
  private_key="./clientcert.p12"
  private_key_passwd="UQ8QUD"
  password="UQ8QUD"
}


The second script then actually executes eapol_test and stores the received certificates in a file per realm. After having run it once, don't run it again - better post-process the results to your liking.

run.sh
#!/bin/bash
for REALM in `cat probe_identities.txt`; do
        eapol_test -C'eduroam OT Monitoring'  -N89 -t 25 -a 1.2.3.4 -s mysecret -c "RUN/$REALM/wpa_probe.conf" -M22:44:66:00:00:99 -o "RUN/$REALM/certs/incoming.pem"
done

The third script prints all the openssl text output. You may want to run it with error redirection to /dev/null - some realms may not give you a cert (Microsoft NPS and disliking outer IDs...) so there's some rubbish to be ignored. And you may want to pipe the output to a result file.

printservercerts.sh
#!/bin/bash
for REALM in `cat probe_identities.txt`; do
        if [ -s "RUN/$REALM/certs/incoming.pem" ]; then
                tac "RUN/$REALM/certs/incoming.pem" | grep -B 1000 -m 1 "BEGIN CERTIFICATE" | tac | openssl x509 -noout -text | tee "RUN/$REALM/certs/servercert.txt"
        fi
done

Here is one concrete application: for all the certs received, print the Subject and whether or not the cert contains a subjectAlternativeName - if not, the server name is only stored in CN, which was of interest once when it came to API usage of geteduroam on Android.

CN-SAN-eval.sh
#!/bin/bash
./printservercert.sh 2>/dev/null | egrep '(Subject:|X509v3 Subject Alternative Name:)' 2>/dev/null > namelist.txt
for REALM in `cat probe_identities.txt`; do
        if [ -f "RUN/$REALM/certs/servercert.txt" ]; then grep 'X509v3 Subject Alternative Name:' "RUN/$REALM/certs/servercert.txt" >/dev/null 2>&1|| echo "Server Certificate of realm $REALM does not have sAN."; fi
done
echo -n "Total number of certificate Subjects seen: "
cat namelist.txt | grep Subject: | wc -l
echo -n "Total number of certificates with subjectAltNames seen: "
cat namelist.txt | grep X509v3 | wc -l
  • No labels