Franks Andy (IT Technical Architecture Manager)
Andy.Franks at sath.nhs.uk
Mon Mar 30 17:28:21 CEST 2015
I need to be clearer on this, obviously. We have a situation where one or two senior engineers are changing infrastructure and not being open about it; they do not want to do the "teamwork" thing and I politically cannot force them to do so since they operate at the same level as me, hence me trying to check the certificate presented to see if it fell into the "acceptable" template created at the project start. It's not ideal, but the technology route will be the quicker route to resolution. Politics!
End users cannot create certificates.
I'll re-read the docs, but the sites-enabled/default seems to be the main place where the TLS-* attributes are mentioned.
Not sure about the 3.1.0 thing - my version says:
freeradius: FreeRADIUS Version 3.1.0 (git #1411859), for host x86_64-unknown-linux-gnu, built on Aug 5 2014 at 17:42:11
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
Thanks as always
From: Freeradius-Users [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org] On Behalf Of Michael Ströder
Sent: 30 March 2015 14:14
To: FreeRadius users mailing list
Subject: Re: Certificate information
Franks Andy (IT Technical Architecture Manager) wrote:
> I was wondering if there is any way I could read a TLS client
> certificate field (probably MS specific) called "Certificate Template
> Information". We have an M$ CA (for now), and one of the strings
> within this field contains the name of the certificate template, which
> I want to check, to make sure that people aren't making up their own
> cert templates and randomly giving wireless access to people in the
> wrong way (I have good reason).
I think your idea is the completely wrong approach for the problem. Make sure you have your PKI under your control => ensure that "people" cannot make up their own cert templates.