How to log "TLS name" instead of username

Mrinal K sinha.mrinal at gmail.com
Tue Aug 9 12:08:43 CEST 2011


I have an EAP-TLS with rlm_perl scenario where I am authenticating users
with their certificate and then using a perl script to do other checks
against a database.

My perl script is trying to access the TLS-Client* and TLS-Cert*
attributes (by enabling the run-time TLS variables in sites-available/default), but
when I test the scenario using eapol_test the reply message has the fields
blank.

My certificates are self signed certificates generated using 'make ca.pem'
etc at certs in raddb.

Also, my perl script is for now the basic example.pl with minor
modifications to Reply-Message to see the values of the run-time variables,
e.g. $RAD_REPLY{'Reply-Message'} = $RAD_REQUEST{'Calling-Station-Id'};

The statement does not give any output and just gets bypassed in the debug
output. However, if I change the right-hand side to a string, it gets
printed in the debug.
Is there any problem with accessing variables in my implementation?

Trimmed output from radiusd -X concerning TLS-Cert* is as follows:

Thank you,

Mrinal
-----------------------------------------
Tue Aug  9 04:42:58 2011 : Info: +- entering group post-auth {...}
Tue Aug  9 04:42:58 2011 : Info: ++[exec] returns noop
Tue Aug  9 04:42:58 2011 : Info:        expand: %{TLS-Cert-Serial} ->
Tue Aug  9 04:42:58 2011 : Info:        expand: %{TLS-Cert-Expiration} ->
Tue Aug  9 04:42:58 2011 : Info:        expand: %{TLS-Cert-Subject} ->
Tue Aug  9 04:42:58 2011 : Info:        expand: %{TLS-Cert-Issuer} ->
Tue Aug  9 04:42:58 2011 : Info:        expand: %{TLS-Cert-Common-Name} ->
Tue Aug  9 04:42:58 2011 : Info:        expand: %{TLS-Client-Cert-Serial} ->
Tue Aug  9 04:42:58 2011 : Info:        expand: %{TLS-Client-Cert-Expiration} ->
Tue Aug  9 04:42:58 2011 : Info:        expand: %{TLS-Client-Cert-Subject} ->
Tue Aug  9 04:42:58 2011 : Info:        expand: %{TLS-Client-Cert-Issuer} ->
Tue Aug  9 04:42:58 2011 : Info:        expand: %{TLS-Client-Cert-Common-Name} ->
Tue Aug  9 04:42:58 2011 : Info: ++[reply] returns noop
Sending Access-Accept of id 7 to 67.87.22.149 port 54254
        MS-MPPE-Recv-Key = 0x5c16515f5ed9b861dfbcf1516753c0e50d853786722d3b890e9d7d8ed52142de
        MS-MPPE-Send-Key = 0x965411384d787ffe3f4f7cee9bbe33df08e9f98075c7a0ba8a1289edbecf2b0a
        EAP-Message = 0x03070004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "anonymous"
        Reply-Message = ""
        Reply-Message = ""
        Reply-Message = ""
        Reply-Message = ""
        Reply-Message = ""
        Reply-Message = ""
        Reply-Message = ""
        Reply-Message = ""
        Reply-Message = ""
        Reply-Message = ""
Tue Aug  9 04:42:58 2011 : Info: Finished request 7.

On Mon, Jul 4, 2011 at 7:00 AM, Fajar A. Nugraha <list at fajar.net> wrote:

> On Mon, Jul 4, 2011 at 5:53 PM, Johannes Koepcke <impic at impic.org> wrote:
> > Hey,
> >
> > I'm running a freeradius2 server with mysql. Some users are
> authenticating via mschapv2 and some through eap-tls.
> > My problem is that for eap-tls, the actual username field doesn't matter,
> user's could specify anything as the username, as long as their certificates
> are valid. So I would like to log the name of the certificate owner instead
> of the radius username to my radpostauth table. How would I do that? Or do
> you recommend another way to accomplish what I'm trying to do?
>
> Pasted from http://wiki.freeradius.org/Sites-configuration:
>
>      #  If there is a client certificate (EAP-TLS, sometimes PEAP
>      #  and TTLS), then some attributes are filled out after the
>      #  certificate verification has been performed.  These fields
>      #  MAY be available during the authentication, or they may be
>      #  available only in the "post-auth" section.
>      #
>      #  The first set of attributes contains information about the
>      #  issuing certificate which is being used.  The second
>      #  contains information about the client certificate (if
>      #  available).
> #
> #     update reply {
> #            Reply-Message += "%{TLS-Cert-Serial}"
> #            Reply-Message += "%{TLS-Cert-Expiration}"
> #            Reply-Message += "%{TLS-Cert-Subject}"
> #            Reply-Message += "%{TLS-Cert-Issuer}"
> #            Reply-Message += "%{TLS-Cert-Common-Name}"
> #
> #            Reply-Message += "%{TLS-Client-Cert-Serial}"
> #            Reply-Message += "%{TLS-Client-Cert-Expiration}"
> #            Reply-Message += "%{TLS-Client-Cert-Subject}"
> #            Reply-Message += "%{TLS-Client-Cert-Issuer}"
> #            Reply-Message += "%{TLS-Client-Cert-Common-Name}"
> #     }
>
>
> I'm guessing what you're looking for is in %{TLS-Client-Cert-Common-Name}
>
> --
> Fajar
>
>



-- 
-
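As an added illustration of how an rlm_perl script reads the certificate attributes that the quoted sites-available/default comment refers to (this is example code added here, not Mrinal's modified example.pl and not code from the FreeRADIUS project), the following post_auth handler takes the authenticated identity from TLS-Client-Cert-Common-Name rather than from the supplicant-chosen User-Name, logs any mismatch between the two, and copies the CN into a request attribute that the SQL post-auth logging can pick up. It assumes rlm_perl's documented %RAD_REQUEST/%RAD_REPLY hashes and return codes (as in example.pl), a hypothetical log_msg helper, and that sql.conf's postauth_query has been changed to log %{Stripped-User-Name} instead of %{User-Name}.

```perl
#!/usr/bin/perl
# Added example for rlm_perl on FreeRADIUS 2.x; not the thread's example.pl.
use strict;
use warnings;

# rlm_perl fills these package variables for every request. The hash names
# are the ones documented in raddb/modules/perl and example.pl:
# %RAD_REQUEST, %RAD_REPLY, %RAD_CHECK, %RAD_CONFIG.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK, %RAD_CONFIG);

# Module return codes, copied from example.pl.
use constant {
    RLM_MODULE_REJECT  => 0,
    RLM_MODULE_FAIL    => 1,
    RLM_MODULE_OK      => 2,
    RLM_MODULE_NOOP    => 7,
    RLM_MODULE_UPDATED => 8,
};

# Attribute the certificate identity is copied into so the SQL post-auth
# query can log it. Assumption: sql.conf's postauth_query references
# %{Stripped-User-Name} rather than %{User-Name}.
my $IDENTITY_ATTR = 'Stripped-User-Name';

# Hypothetical helper: log through radiusd when running inside the server
# (radiusd::radlog is only defined there), otherwise fall back to STDERR so
# the script can be syntax-checked with `perl -c` outside radiusd.
sub log_msg {
    my ($level, $msg) = @_;
    if (defined &radiusd::radlog) {
        radiusd::radlog($level, $msg);
    } else {
        print STDERR "$msg\n";
    }
}

# rlm_perl hands a multi-valued attribute over as an array reference; take
# the first value so the comparison below always works on a plain string.
sub first_value {
    my ($v) = @_;
    return undef unless defined $v;
    return ref($v) eq 'ARRAY' ? $v->[0] : $v;
}

# Run from the post-auth section: the TLS-Client-Cert-* attributes are only
# guaranteed to exist once the handshake has completed and the client
# certificate has been verified.
sub post_auth {
    my $cn   = first_value($RAD_REQUEST{'TLS-Client-Cert-Common-Name'});
    my $user = first_value($RAD_REQUEST{'User-Name'}) // '';

    if (!defined $cn || $cn eq '') {
        # Non-TLS method (for example MSCHAPv2) or the certificate attributes
        # were not populated for this request; leave it untouched.
        log_msg(1, "post_auth: no client certificate CN in request for '$user'");
        return RLM_MODULE_NOOP;
    }

    # The User-Name is chosen by the supplicant and is not what EAP-TLS
    # authenticated; make a mismatch visible in the server log.
    if (lc($cn) ne lc($user)) {
        log_msg(3, "post_auth: User-Name '$user' differs from certificate CN '$cn'");
    }

    # Bind the audit record to the authenticated identity.
    $RAD_REQUEST{$IDENTITY_ATTR} = $cn;
    $RAD_REPLY{'Reply-Message'}  = "authenticated as certificate CN $cn";
    return RLM_MODULE_UPDATED;
}

1;
```

Call it as `perl` in the post-auth section of sites-available/default, placed before `sql` so the copied attribute is already in the request when the post-auth query runs. If the requirement is that the User-Name must equal the certificate CN rather than merely being logged alongside it, the `check_cert_cn = %{User-Name}` setting in the tls section of eap.conf enforces that at handshake time and rejects the session on mismatch, which is stricter than anything a post-auth script can do.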

