FreeRADIUS EAP-TLS Lookup Client Cert From LDAP DIT

Jeff Doyle j at telepaths.org
Mon Nov 21 16:11:07 CET 2011


This does help greatly, thanks Phil.



On Oct 15, 2011, at 4:41 AM, Phil Mayers wrote:

> On 10/14/2011 10:43 PM, subcon wrote:
>> I've searched for this sort of posting, but found issues unrelated that
>> responded to my search string, so I decided to post it here.
>> 
>> OK, currently I have Radius authenticating LDAP users via PAP.  Works great.
>> 
>> Imagine I want to store x509 certificate data (specifically a client
>> certificate) in an attribute in LDAP (perhaps as a binary attribute, etc).
>> 
>> I would like FreeRADIUS, should it be passed a client certificate INSTEAD of
>> a user/pass, to take the DN of the cert and match it to some attribute which
>> contains said DN and cert-data.
> 
> Ok. It's been a while since I looked at this, but IIRC there is some special search/attribute syntax support in (some) LDAP servers for X.509 certs in the DIT.
> 
>> 
>> The ultimate goal of all of this is to allow the continued use of LDAP and
>> store the certificates (to be compared against) in the tree and not on some
>> filesystem basis.
>> 
>> Note that I want FreeRADIUS to continue supporting PAP user/pass auth, but
>> only as a secondary fall-back (e.g: customer doesn't have client cert
>> installed on machine, but has a user and password).
>> 
>> Is this possible? Does this make sense to you? Let me know if I need to
>> re-explain anything.
> 
> I think it should be possible.
> 
> First, ensure you're running the most recent version of FreeRADIUS. When you've done that, you will have two options:
> 
> 1. You can examing the "TLS-Client-Cert-Subject" variable in a FreeRADIUS unlang policy, and possibly use this to query your LDAP server via LDAP xlat. For example:
> 
> authorize {
>    ...
>    eap
>    if (TLS-Client-Cert-Subject) {
>      # we've done enough EAP-TLS to know the client cert
>      update request {
>        Tmp-String-0 := "%{ldap:ldap:///basedn?cn?sub?certsubject=%{TLS-Client-Cert-Subject}}"
>      }
>      if (Tmp-String-0) {
>        # cert was found in LDAP
>        ok
>      }
>      else {
>        reject
>      }
>    }
>  ]
> 
> However, I'm not certain the TLS-* attributes (see sites-available/default in a recent version of the server) are available in the authorize section - I have a feeling they are only present in post-auth, by which time it's too late to reject them, so...
> 
> 2. Use the "verify" config of the "tls" module under "eap", and use an external script to perform the check against LDAP. For example:
> 
>  eap {
>    tls {
>      verify {
>        client = "/path/to/script %{TLS-Client-Cert-Filename}"
>      }
>    }
>  }
> 
> ...then your script can use the (temporary) file given in the 1st argument to query against LDAP.
> 
> Hope this helps.
> 
> Cheers,
> Phil
> 
>> 
>> Thank you,
>> 
>> subcon
>> 
>> --
>> View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRADIUS-EAP-TLS-Lookup-Client-Cert-From-LDAP-DIT-tp4904006p4904006.html
>> Sent from the FreeRadius - User mailing list archive at Nabble.com.
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





More information about the Freeradius-Users mailing list