v4: Can't see TLS certificate fields from `send Access-Accept` section anymore

Alan DeKok aland at deployingradius.com
Wed Feb 17 03:51:29 CET 2021


On Feb 16, 2021, at 9:22 PM, Nick Bogdanov <nickrbogdanov at gmail.com> wrote:
> 
> I am using EAP-TLS authentication and trying to read the
> %{session-state.TLS-Client-Cert-Subject} attribute in order to set the
> reply.Tunnel-Private-Group-Id field.  In v3 I could just add this to
> my post-auth section:

  To be honest... v4 is under major development.  We do have tests for all kinds of things.  But not everything works the same as in v3, and not everything is finished.  So it's "buyer beware".

>        if (TLS-Client-Cert-Subject =~ /\/OU=VLAN 1\//) {
>                update reply {
>                        &Tunnel-Private-Group-Id = "1"
>                }
>        }
> 
> In v4 I can see the cert fields in the `recv Access-Request` section
> (after setting `virtual_server = default` in mods-available/eap) but
> they are all empty when I try to read them from the `send
> Access-Accept` section.  In fact, if I uncomment these sections from
> the default config, the fields are all empty too:

  Look at the debug output.  You should be able to see when these attributes are added (or not).

  For example, I see:

(6.0)    eap.tls - Continuing EAP-TLS
(6.0)    eap.tls - Got final TLS record fragment (1383 bytes)
(6.0)    eap.tls - [eap-tls verify] = complete
(6.0)    eap.tls - Handshake state - Server SSLv3/TLS write server done (26)
(6.0)    eap.tls - <<< recv TLS 1.2, handshake[length 2381], unknown_handshake_type_0x000b
(6.0)    eap.tls - Adding certificate attributes to session-state
(6.0)    eap.tls -   &session-state.TLS-Client-Cert-Serial = "03"
(6.0)    eap.tls -   &session-state.TLS-Client-Cert-Expiration = "Feb  6 1970 11:23:13 UTC"

> I am running git rev 89b77dc09571cb4ac3cd4d639aee6c17bea23182, built
> from source.  I saw something in upgrade.adoc about using the `filter`
> directive but it wasn't clear to me what that meant.

  See:

  doc/antora/modules/reference/pages/unlang/filter.adoc
  doc/antora/modules/reference/pages/unlang/update.adoc

  In v4, this is *extensively* documented.

>  Am I missing
> something simple or is this a bug?

  It's not clear.  The full debug output should help.

  Alan DeKok.
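The policy in the post keys a VLAN assignment on a regex over the certificate subject. The following is an added Python example, not code from the post or from FreeRADIUS, that applies that exact regex to constructed subject strings in the one-line "/C=.../OU=.../CN=..." form the regex assumes, and contrasts it with matching on the parsed OU. The subjects and the OU-to-VLAN table are made up for illustration. It shows two things a practitioner should check before relying on such a rule: that the surrounding slashes in the post's regex are what keeps "VLAN 1" from also matching "VLAN 10", and that because OpenSSL's legacy one-line format does not escape "/" inside a value, a CN containing "/OU=VLAN 1/" is indistinguishable from a real OU RDN, so the rule is only as safe as the CA's control over every subject field.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample subjects in the one-line "/C=.../OU=.../CN=..." style that
# the post's regex assumes. These are not real certificates.
SUBJECTS = {
    "alice": "/C=US/O=Example Corp/OU=VLAN 1/CN=alice",
    "bob":   "/C=US/O=Example Corp/OU=VLAN 10/CN=bob",
    "carol": "/C=US/O=Example Corp/OU=Staff/CN=carol",
    # A CN whose value is "mallory/OU=VLAN 1/": the one-line form does not
    # escape "/", so the rendered subject looks like it carries a second OU.
    "mallory": "/C=US/O=Example Corp/OU=Guest/CN=mallory/OU=VLAN 1/",
}

# The regex from the v3 policy in the post: /\/OU=VLAN 1\//
POST_REGEX = re.compile(r"/OU=VLAN 1/")

# A sloppier variant without the closing slash, for comparison.
SLOPPY_REGEX = re.compile(r"OU=VLAN 1")


def vlan_by_post_regex(subject: str) -> Optional[str]:
    """Mirror the post's rule: VLAN "1" if the regex matches, else no VLAN."""
    return "1" if POST_REGEX.search(subject) else None


def vlan_by_sloppy_regex(subject: str) -> Optional[str]:
    """Same rule with the unanchored regex; note it also fires on 'VLAN 10'."""
    return "1" if SLOPPY_REGEX.search(subject) else None


def parse_oneline(subject: str) -> List[Tuple[str, str]]:
    """Split a one-line subject into (type, value) pairs.

    Because "/" is not escaped in this format, the split is only trustworthy
    if the issuing CA never allows "/" inside a value.
    """
    rdns = []
    for part in subject.split("/"):
        if not part:            # leading (or trailing) slash yields an empty piece
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        key, value = part.split("=", 1)
        rdns.append((key, value))
    return rdns


# Assumed mapping from OU value to VLAN id; adjust to the real deployment.
OU_TO_VLAN = {"VLAN 1": "1", "VLAN 10": "10"}


def vlan_by_ou(subject: str) -> Optional[str]:
    """Map the certificate's single OU to a VLAN id; None means no VLAN.

    Subjects with more than one OU are refused: in the one-line form a second
    OU cannot be told apart from a "/" embedded in another value.
    """
    ous = [value for key, value in parse_oneline(subject) if key == "OU"]
    if len(ous) != 1:
        return None
    return OU_TO_VLAN.get(ous[0])


if __name__ == "__main__":
    for name, subject in SUBJECTS.items():
        print(f"{name:8s} regex={vlan_by_post_regex(subject)!s:5s} "
              f"sloppy={vlan_by_sloppy_regex(subject)!s:5s} "
              f"by_ou={vlan_by_ou(subject)!s}")
```

Run stand-alone it prints one line per constructed subject. "bob" shows why the slashes in the post's regex matter, and "mallory" shows the case neither regex can reject: the only real defence there is a CA that never issues certificates with "/" in subject values, or a policy that checks a single-valued attribute (such as the common name alone) rather than the whole rendered subject.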
