Certificate information

Franks Andy (IT Technical Architecture Manager) Andy.Franks at sath.nhs.uk
Mon Mar 30 11:31:54 CEST 2015


Hi all,
  Using FR v3.1.0.
  I was wondering if there is any way I could read a TLS client
certificate field (probably MS-specific) called "Certificate Template
Information". We have an M$ CA (for now), and one of the strings within
this field contains the name of the certificate template, which I want
to check, to make sure that people aren't making up their own cert
templates and randomly giving wireless access to people in the wrong way
(I have good reason).

A less satisfactory way of doing this would be by checking the EKUs
matched the template I was using, as the other templates I've found
don't have quite the same makeup there.

I tried all the specific dictionary TLS-*, including the seemingly
EKU-specific one, and they are largely empty. I also can't base it on OU
structure as some certs are based on device names and some on AD users.

I would like to do this via the named Template Information field if
possible, since this also contains other useful stuff.

I presume I can't do what I'm trying to achieve? The obvious thing would
be to stop other people issuing certs, but I may as well learn to code C
properly and rewrite the module; it would be easier :-)


EXPAND %{TLS-Cert-Subject-Alt-Name-Email}
(7)    -->
(7)     Reply-Message += ""
(7) EXPAND %{TLS-Cert-Subject-Alt-Name-Dns}
(7)    -->
(7)     Reply-Message += ""
(7) EXPAND %{TLS-Cert-Subject-Alt-Name-Upn}
(7)    -->
(7)     Reply-Message += ""
(7) EXPAND %{TLS-Client-Cert-Filename}
(7)    -->
(7)     Reply-Message += ""
(7) EXPAND %{TLS-Client-Cert-Subject-Alt-Name-Email}
(7)    -->
(7)     Reply-Message += ""
(7) EXPAND %{TLS-Client-Cert-X509v3-Extended-Key-Usage}
(7)    -->
(7)     Reply-Message += ""
(7) EXPAND %{TLS-Client-Cert-X509v3-Subject-Key-Identifier}
(7)    -->
(7)     Reply-Message += ""
(7) EXPAND %{TLS-Client-Cert-X509v3-Authority-Key-Identifier}
(7)    -->
(7)     Reply-Message += ""
(7) EXPAND %{TLS-Client-Cert-X509v3-Basic-Constraints}
(7)    -->
(7)     Reply-Message += ""
(7) EXPAND %{TLS-Client-Cert-Subject-Alt-Name-Dns}
(7)    -->
(7)     Reply-Message += ""

Thanks very much
Andy.
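
Added example, not part of the post above and not FreeRADIUS code. The field Andy is after is the Microsoft "Certificate Template Information" extension, OID 1.3.6.1.4.1.311.21.7: an ASN.1 SEQUENCE holding the template's OID and its major and minor version. The template name Windows displays next to it is resolved from Active Directory, not stored in the certificate, so a check on the RADIUS side has to key on the template OID. The script below walks the client certificate's DER with the Python standard library only, decodes that extension and the Extended Key Usage list, and returns accept/reject against an allow-list of template OIDs. It assumes the certificate is available as a file, for instance the one FreeRADIUS writes when the verify { tmpdir = ...; client = ... } section of eap.conf is configured (the same mechanism that fills in TLS-Client-Cert-Filename, empty in the debug output above), and it exits non-zero to reject, so it could be wired in as that client command. The allow-list, the template OID 1.3.6.1.4.1.311.21.8.1234567.1 and the unsigned sample certificate it builds for itself are constructed placeholders, not data from any real CA.

```python
# Added example, not from the post and not FreeRADIUS code: decode the Microsoft
# "Certificate Template Information" extension (1.3.6.1.4.1.311.21.7) of an X.509 client
# cert with the standard library only, then enforce a template allow-list plus an EKU check.
import base64
import sys

OID_TEMPLATE_INFO = "1.3.6.1.4.1.311.21.7"   # SEQUENCE { templateID OID, major INTEGER, minor INTEGER OPTIONAL }
OID_EXT_KEY_USAGE, OID_EKU_CLIENT_AUTH = "2.5.29.37", "1.3.6.1.5.5.7.3.2"
SAMPLE_TEMPLATE_OID = "1.3.6.1.4.1.311.21.8.1234567.1"   # placeholder, not a real template id

def der_read(buf, pos=0):                              # -> (tag, value, next_pos); definite lengths only
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: 0x8n then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(buf):                                 # (tag, value) of each TLV inside a constructed value
    pos = 0
    while pos < len(buf):
        tag, val, pos = der_read(buf, pos)
        yield tag, val

def decode_oid(raw):
    parts, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                  # base-128 arcs, high bit = continue
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, n = parts + [n], 0
    return ".".join(map(str, parts))

def extensions(cert_der):                              # {extension OID: extnValue contents}
    tbs = der_read(der_read(cert_der)[1])[1]           # Certificate -> tbsCertificate
    exts = {}
    for tag, val in der_children(tbs):
        if tag == 0xA3:                                # [3] EXPLICIT Extensions
            for _, ext in der_children(der_read(val)[1]):
                fields = list(der_children(ext))       # OID, [critical BOOLEAN], OCTET STRING
                exts[decode_oid(fields[0][1])] = fields[-1][1]
    return exts

def template_info(exts):                               # None if the cert has no 21.7 extension
    if OID_TEMPLATE_INFO not in exts:
        return None
    vals = [v for _, v in der_children(der_read(exts[OID_TEMPLATE_INFO])[1])]
    info = {"oid": decode_oid(vals[0]), "major": int.from_bytes(vals[1], "big")}
    if len(vals) > 2:
        info["minor"] = int.from_bytes(vals[2], "big")
    return info

def ekus(exts):                                        # EKU OIDs, [] if the extension is absent
    raw = exts.get(OID_EXT_KEY_USAGE, b"\x30\x00")
    return [decode_oid(v) for _, v in der_children(der_read(raw)[1])]

def check_template(cert_der, allowed_oids):            # -> (ok, reason)
    exts = extensions(cert_der)
    info = template_info(exts)
    if info is None:                                   # e.g. a V1 template (built-in "User") or a non-MS CA
        return False, "no Certificate Template Information extension"
    if info["oid"] not in allowed_oids:                # the extension carries the OID, not the display name
        return False, "template %s not in allow-list" % info["oid"]
    if OID_EKU_CLIENT_AUTH not in ekus(exts):          # the weaker, EKU-based check from the post
        return False, "missing clientAuth EKU"
    return True, "template %s v%d" % (info["oid"], info["major"])

# Constructed sample data: the encoders below exist only to build an unsigned test cert.
def tlv(tag, content):                                 # short-form lengths suffice for the sample
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def encode_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        arc = [p & 0x7F]
        while p > 0x7F:
            p >>= 7
            arc.insert(0, 0x80 | (p & 0x7F))
        out += arc
    return bytes(out)

def sample_cert(template_oid=SAMPLE_TEMPLATE_OID, eku=OID_EKU_CLIENT_AUTH):
    ext = lambda oid, inner: tlv(0x30, tlv(0x06, encode_oid(oid)) + tlv(0x04, inner))
    tmpl = ext(OID_TEMPLATE_INFO, tlv(0x30, tlv(0x06, encode_oid(template_oid))
                                      + tlv(0x02, b"\x64") + tlv(0x02, b"\x03")))   # v100.3
    eku_ext = ext(OID_EXT_KEY_USAGE, tlv(0x30, tlv(0x06, encode_oid(eku))))
    empty = tlv(0x30, b"")                             # stand-in for algid/issuer/validity/subject/spki
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + empty * 5
              + tlv(0xA3, tlv(0x30, tmpl + eku_ext)))
    return tlv(0x30, tbs + empty + tlv(0x03, b"\x00"))  # unsigned: empty sigalg, 1-byte BIT STRING

if __name__ == "__main__":                             # usage: script.py [cert.pem|cert.der]; exit 0 = accept
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_cert()
    if data.lstrip().startswith(b"-----BEGIN"):        # PEM: strip the armour lines and base64-decode
        data = base64.b64decode(b"".join(l for l in data.splitlines() if not l.startswith(b"-----")))
    ok, why = check_template(data, {SAMPLE_TEMPLATE_OID})
    print("OK" if ok else "REJECT", why)
    sys.exit(0 if ok else 1)
```

Run with no argument and it checks its own built-in sample. Two caveats worth knowing when reading the rejects: certificates issued from V1 templates (the built-in User and Computer templates) carry a different extension, 1.3.6.1.4.1.311.20.2, with the template name as a BMPString and no 21.7 at all, so they land in the "no Certificate Template Information extension" branch, which is the right outcome for an allow-list of approved V2 templates; and the EKU test is only the secondary check the post mentions, since on its own it cannot tell apart two templates that both grant Client Authentication.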

