<span class="Apple-style-span" style="font-family: arial, sans-serif; font-size: 13px; background-color: rgb(255, 255, 255); ">I have and EAP-TLS with rlm_perl scenario where I am authenticating users with their certificate and then use a perl script to do other checks from database. <div>
<br></div><div>My perl script is trying to access the TLS-client* and TLS-cert* attributes(by enabling run time TLS variable in sites-available/default) but when I test the scenario using eapol_test the reply message has fields blank. </div>
<div><br></div><div><div>My certificates are self signed certificates generated using 'make ca.pem' etc at certs in raddb.</div></div><div><br></div><div>Also, my perl script which for now is basic <a href="http://example.pl/" target="_blank" style="color: rgb(0, 0, 204); ">example.pl</a> with minor modifications in Reply-Message to see the values of run time variables. </div>
<div>e.g $RAD_REPLY{'Reply-Message'} = $RAD_RECV{'Calling-Station-Id'};</div><div><br></div><div>The statement does not give any output and just gets bypassed in the debug output. However if I change the right hand side with a string, it gets printed in the debug.</div>
<div>Is there any problem with accessing variables in my implementation ? </div><div><br></div><div>Trimmed output from radiusd -X concerning TLS-cert* is as follows, </div><div><br></div><div>Thank you,</div><div><br></div>
<div>Mrinal</div><div>-----------------------------------------</div><div><div>Tue Aug 9 04:42:58 2011 : Info: +- entering group post-auth {...}</div><div>Tue Aug 9 04:42:58 2011 : Info: ++[exec] returns noop</div><div>
Tue Aug 9 04:42:58 2011 : Info: expand: %{TLS-Cert-Serial} -></div><div>Tue Aug 9 04:42:58 2011 : Info: expand: %{TLS-Cert-Expiration} -></div><div>Tue Aug 9 04:42:58 2011 : Info: expand: %{TLS-Cert-Subject} -></div>
<div>Tue Aug 9 04:42:58 2011 : Info: expand: %{TLS-Cert-Issuer} -></div><div>Tue Aug 9 04:42:58 2011 : Info: expand: %{TLS-Cert-Common-Name} -></div><div>Tue Aug 9 04:42:58 2011 : Info: expand: %{TLS-Client-Cert-Serial} -></div>
<div>Tue Aug 9 04:42:58 2011 : Info: expand: %{TLS-Client-Cert-Expiration} -></div><div>Tue Aug 9 04:42:58 2011 : Info: expand: %{TLS-Client-Cert-Subject} -></div><div>Tue Aug 9 04:42:58 2011 : Info: expand: %{TLS-Client-Cert-Issuer} -></div>
<div>Tue Aug 9 04:42:58 2011 : Info: expand: %{TLS-Client-Cert-Common-Name} -></div><div>Tue Aug 9 04:42:58 2011 : Info: ++[reply] returns noop</div><div>Sending Access-Accept of id 7 to 67.87.22.149 port 54254</div>
<div> MS-MPPE-Recv-Key = 0x5c16515f5ed9b861dfbcf1516753c0e50d853786722d3b890e9d7d8ed52142de</div><div> MS-MPPE-Send-Key = 0x965411384d787ffe3f4f7cee9bbe33df08e9f98075c7a0ba8a1289edbecf2b0a</div><div> EAP-Message = 0x03070004</div>
<div> Message-Authenticator = 0x00000000000000000000000000000000</div><div> User-Name = "anonymous"</div><div> Reply-Message = ""</div><div> Reply-Message = ""</div>
<div> Reply-Message = ""</div><div> Reply-Message = ""</div><div> Reply-Message = ""</div><div> Reply-Message = ""</div><div> Reply-Message = ""</div>
<div> Reply-Message = ""</div><div> Reply-Message = ""</div><div> Reply-Message = ""</div><div>Tue Aug 9 04:42:58 2011 : Info: Finished request 7.</div></div></span><br>
<div class="gmail_quote">On Mon, Jul 4, 2011 at 7:00 AM, Fajar A. Nugraha <span dir="ltr"><<a href="mailto:list@fajar.net">list@fajar.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Mon, Jul 4, 2011 at 5:53 PM, Johannes Koepcke <<a href="mailto:impic@impic.org">impic@impic.org</a>> wrote:<br>
> Hey,<br>
><br>
> I'm running a freeradius2 server with mysql. Some users are authenticating via mschapv2 and some through eap-tls.<br>
> My problem is that for eap-tls, the actual username field doesn't matter, user's could specify anything as the username, as long as their certificates are valid. So I would like to log the name of the certificate owner instead of the radius username to my radpostauth table. How would I do that? Or do you recommend another way to accomplish what I'm trying to do?<br>
<br>
</div>Pasted from <a href="http://wiki.freeradius.org/Sites-configuration" target="_blank">http://wiki.freeradius.org/Sites-configuration</a>:<br>
<br>
# If there is a client certificate (EAP-TLS, sometimes PEAP<br>
# and TTLS), then some attributes are filled out after the<br>
# certificate verification has been performed. These fields<br>
# MAY be available during the authentication, or they may be<br>
# available only in the "post-auth" section.<br>
#<br>
# The first set of attributes contains information about the<br>
# issuing certificate which is being used. The second<br>
# contains information about the client certificate (if<br>
# available).<br>
#<br>
# update reply {<br>
# Reply-Message += "%{TLS-Cert-Serial}"<br>
# Reply-Message += "%{TLS-Cert-Expiration}"<br>
# Reply-Message += "%{TLS-Cert-Subject}"<br>
# Reply-Message += "%{TLS-Cert-Issuer}"<br>
# Reply-Message += "%{TLS-Cert-Common-Name}"<br>
#<br>
# Reply-Message += "%{TLS-Client-Cert-Serial}"<br>
# Reply-Message += "%{TLS-Client-Cert-Expiration}"<br>
# Reply-Message += "%{TLS-Client-Cert-Subject}"<br>
# Reply-Message += "%{TLS-Client-Cert-Issuer}"<br>
# Reply-Message += "%{TLS-Client-Cert-Common-Name}"<br>
# }<br>
<br>
<br>
I'm guessing what you're looking for is in %{TLS-Client-Cert-Common-Name}<br>
<br>
--<br>
<font color="#888888">Fajar<br>
</font><div><div></div><div class="h5"><br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>-<br>