A few questions about radsec

work vlpl thework.vlpl at gmail.com
Mon Feb 18 18:31:54 CET 2019


On Sat, 16 Feb 2019 at 03:33, Alan DeKok <aland at deployingradius.com> wrote:

> > I'm interested in RADIUS client identification. Is it possible to get
> > the RADIUS client id in a RADIUS config section that supports unlang? For
> > example the CN or fingerprint from the RADIUS client certificate, like it is
> > done for EAP-TLS requests.
>
>   Yes.  See the GitHub issue Brian pointed you to.  I'll go update the documentation in the virtual server.


Thank you for the answers.

I have one problem left - I can't figure out how to access the
%{listen:...} strings.

In the virtual site configuration that is referenced in the `tls` file I added
these strings:

```
authorize {
        %{listen:TLS-Client-Cert-Common-Name}
        %{listen:TLS-Client-Cert-CN}
        %{listen:TLS-Client-Cert-Subject}
        %{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}
        ...
```

In the debug output I see this:

```
Waking up in 29.4 seconds.
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 172.20.0.1 port 42601, id=1, length=118
Threads: total/active/spare threads = 5/0/5
Waking up in 0.3 seconds.
Thread 4 got semaphore
Thread 4 handling request 0, (1 handled so far)
(0) Received Access-Request Id 1 from 172.20.0.1:42601 to 0.0.0.0:2083 length 118
(0)   User-Name = "testing"
(0)   NAS-Identifier = "foo"
(0)   Called-Station-Id = "testid"
(0)   MS-CHAP-Challenge = 0x716a0175a2d80c7d
(0)   MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000005a24ab85f026fae15e930276c4129556fc5e9c355ec01735
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/testing-stie
(0)   authorize {
(0)     Listener does not contain config item "TLS-Client-Cert-Common-Name"
(0)     EXPAND %{listen:TLS-Client-Cert-Common-Name}
(0)        -->
(0)     Listener does not contain config item "TLS-Client-Cert-CN"
(0)     EXPAND %{listen:TLS-Client-Cert-CN}
(0)        -->
(0)     Listener does not contain config item "TLS-Client-Cert-Subject"
(0)     EXPAND %{listen:TLS-Client-Cert-Subject}
(0)        -->
(0)     Listener does not contain config item "TLS-Client-Cert-Subject-Alt-Name-Dns"
(0)     EXPAND %{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}
(0)        -->
```

The certificate that is used by radsecproxy has a value for CN:

`Subject: C = GB, ST = England, O = First CA, CN = radsecclient.local`

What am I doing wrong?
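The post is about identifying a RadSec client from the CN or fingerprint of its TLS client certificate, and the subject line quoted above is in the format `openssl x509 -noout -subject` prints. The following is an added, self-contained example (not FreeRADIUS, radsecproxy or the poster's own code) of how a defender-side component could parse that subject format and map a certificate identity onto a client name, failing closed for unknown certificates. The `parse_subject`, `sha256_fingerprint` and `identify_client` functions, the `CLIENTS` allow-list and the DER sample bytes are all constructed for this example; it does not show how FreeRADIUS itself exposes these values in unlang.

```python
"""Map a RadSec client's TLS certificate identity onto a RADIUS client name.

Added example, not FreeRADIUS or radsecproxy code. It assumes the subject
string looks like the output of `openssl x509 -noout -subject`, and that the
allow-list and DER bytes below are constructed samples.
"""
import hashlib
import re
from typing import Dict, Optional


def parse_subject(subject: str) -> Dict[str, str]:
    """Parse an OpenSSL-style subject line into a dict of RDN type -> value.

    Accepts both the comma form ("C = GB, ST = England, CN = host") that
    OpenSSL 1.1+ prints and the older slash form ("/C=GB/ST=England/CN=host").
    A backslash escapes the separator inside a value (RFC 2253 style), so
    "O = Acme\\, Inc" yields the value "Acme, Inc".
    """
    s = subject.strip()
    if s.lower().startswith("subject="):
        s = s[len("subject="):].strip()
    if s.startswith("/"):
        sep, s = "/", s[1:]
    else:
        sep = ","
    # Split only on separators that are not escaped with a backslash.
    parts = re.split(r"(?<!\\)" + re.escape(sep), s)
    rdns: Dict[str, str] = {}
    for part in parts:
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        rdns[key.strip()] = value.strip().replace("\\" + sep, sep)
    return rdns


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 digest of the DER certificate,
    in the layout `openssl x509 -noout -fingerprint -sha256` uses."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample allow-list mapping certificate identities to RADIUS
# client names. A real deployment would load this from configuration.
CLIENTS = {
    "cn": {"radsecclient.local": "radsecproxy-site-a"},
    "fingerprint": {},
}

# Constructed placeholder: real code would use the DER bytes of the peer
# certificate presented on the TLS connection.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_SUBJECT = "subject=C = GB, ST = England, O = First CA, CN = radsecclient.local"


def identify_client(subject: str, der: bytes, allowlist: dict) -> Optional[str]:
    """Return the RADIUS client name for this certificate, or None (fail closed).

    A pinned fingerprint is checked first, since it identifies exactly one
    certificate; otherwise the CN is looked up. Chain validation is assumed
    to have already been done by the TLS layer; this only maps an already
    validated identity to a client name, and an unknown identity is rejected
    rather than falling through to a catch-all client.
    """
    name = allowlist["fingerprint"].get(sha256_fingerprint(der))
    if name:
        return name
    cn = parse_subject(subject).get("CN")
    if cn is None:
        return None
    return allowlist["cn"].get(cn)


if __name__ == "__main__":
    print(parse_subject(SAMPLE_SUBJECT))
    print(sha256_fingerprint(SAMPLE_DER))
    print(identify_client(SAMPLE_SUBJECT, SAMPLE_DER, CLIENTS))
```

The lookup deliberately returns `None` for a CN that is not on the list: treating an unknown but validly signed certificate as "some client" would let any certificate issued by the same CA act as a RADIUS client, which is the failure mode a per-client identity check is there to prevent.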

