On Sat, 16 Feb 2019 at 03:33, Alan DeKok <aland@deployingradius.com> wrote:
I'm interested in radius clients identification. Is it possible to get radius client id in radius config section that support unlang? For example CN or fingerprint from radius client certificate, like its by done for EAP-TLS request.
Yes. See the GitHub issue Brian pointed you to. I'll go update the documentation in the virtual server.
Thank you for answers. I have one problem left - can't figure out how to access to %{listen:...} strings. In virtual site configuration that referenced in `tls` file I added these strings `` authorize { %{listen:TLS-Client-Cert-Common-Name} %{listen:TLS-Client-Cert-CN} %{listen:TLS-Client-Cert-Subject} %{listen:TLS-Client-Cert-Subject-Alt-Name-Dns} ... ``` In debug output I see this ``` Waking up in 29.4 seconds. (0) Application data status 7 (0) tls_recv: Access-Request packet from host 172.20.0.1 port 42601, id=1, length=118 Threads: total/active/spare threads = 5/0/5 Waking up in 0.3 seconds. Thread 4 got semaphore Thread 4 handling request 0, (1 handled so far) (0) Received Access-Request Id 1 from 172.20.0.1:42601 to 0.0.0.0:2083 length 118 (0) User-Name = "testing" (0) NAS-Identifier = "foo" (0) Called-Station-Id = "testid" (0) MS-CHAP-Challenge = 0x716a0175a2d80c7d (0) MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000005a24ab85f026fae15e930276c4129556fc5e9c355ec01735 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/testing-stie (0) authorize { (0) Listener does not contain config item "TLS-Client-Cert-Common-Name" (0) EXPAND %{listen:TLS-Client-Cert-Common-Name} (0) --> (0) Listener does not contain config item "TLS-Client-Cert-CN" (0) EXPAND %{listen:TLS-Client-Cert-CN} (0) --> (0) Listener does not contain config item "TLS-Client-Cert-Subject" (0) EXPAND %{listen:TLS-Client-Cert-Subject} (0) --> (0) Listener does not contain config item "TLS-Client-Cert-Subject-Alt-Name-Dns" (0) EXPAND %{listen:TLS-Client-Cert-Subject-Alt-Name-Dns} (0) --> ``` Certificate that is used by radsecproxy has values for CN `Subject: C = GB, ST = England, O = First CA, CN = radsecclient.local` What I do wrong?