OK, for all interested, I solved it this way: In post-auth-section: if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID) { foreach &TLS-Client-Cert-X509v3-Extended-Key-Usage-OID { update session-state { &TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "%{Foreach-Variable-0}" } } } And for the check something like: if(&session-state:TLS-Client-Cert-X509v3-Extended-Key-Usage-OID[*] == "1.3.6.1.4.1....."){ ... } This way I can use different types of certificates (automatically distributed by a windows CA depending on AD-groups) for different groups of computers. We're able to authenticate the computers (actually only wifi) and assign VLANs depending on AD-Groups. Mit freundlichen Grüßen Daniel Dentzer -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+dentzer=cpa.de@lists.freeradius.org> On Behalf Of Alan DeKok Sent: Montag, 27. Februar 2023 19:34 To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: How to check the Extended Key Usage in freeradius? On Feb 27, 2023, at 4:18 AM, Dentzer, Daniel <Dentzer@cpa.de> wrote:
It seems that this doesn't work for me.
Read the debug log. If there's an extended key usage OID, it will show up as TLS-Client-Cert-X509v3-Extended-Key-Usage-OID. If there's no extended key usage OID, them it won't show up.
In the session-state is only TLS-Session-Information, TLS-Session-Cipher-Suite, TLS-Session-Version. But it seems I can work directly with TLS-Client-Cert-Issuer and TLS-Client-Cert-Subject-Alt-Name-Dns, but not with TLS-Client-Cert-X509v3-Extended-Key-Usage-OID.
Does it exist? Does it show up in the debug log? The debug log shows every TLS related attribute it creates.
Is there a way to get TLS-Client-Cert-X509v3-Extended-Key-Usage-OID - in the session-state
Does it exist?
(see below ' (11) policy debug_session_state {') Or - like TLS-Client-Cert-Issuer to use it directly
Does TLS-Client-Cert-Issuer exist?
... freeradius | (10) eap_tls: (TLS) Creating attributes from server certificate freeradius | (10) eap_tls: TLS-Cert-Serial := "1400000002219c173715ec84d9000000000002" freeradius | (10) eap_tls: TLS-Cert-Expiration := "20511007092213Z" freeradius | (10) eap_tls: TLS-Cert-Valid-Since := "211007115340Z" freeradius | (10) eap_tls: TLS-Cert-Subject := "/DC=org/DC=example/CN=XY Sub CA" freeradius | (10) eap_tls: TLS-Cert-Issuer := "/C=xxx/ST=xxx/L=xxx/O=xxx/CN=XY Root CA" freeradius | (10) eap_tls: TLS-Cert-Common-Name := "XY Sub CA" freeradius | (10) eap_tls: (TLS) Creating attributes from client certificate freeradius | (10) eap_tls: TLS-Client-Cert-Serial := "16000028666eef874492e150cd000000002866" freeradius | (10) eap_tls: TLS-Client-Cert-Expiration := "240209105026Z" freeradius | (10) eap_tls: TLS-Client-Cert-Valid-Since := "230209105026Z" freeradius | (10) eap_tls: TLS-Client-Cert-Issuer := "/DC=org/DC=example/CN=XY Sub CA" freeradius | (10) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "host1.XY.example.org" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, 1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "29:AC:A7:3F:AD:4D:C1:29:E6:1D:0B:42:B5:69:2B:0C:B2:1E:EB:16" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:C0:24:69:05:3E:2C:E0:26:AD:85:D9:9E:9D:16:B2:E8:4C:62:81:EC\n" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7878633"
OK, that's good. For the initial creation, those attributes are in the request. For subsequent packets, they should be in the session-state list.
... freeradius | (11) Restoring &session-state freeradius | (11) &session-state:Framed-MTU = 1014 freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" freeradius | (11) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" freeradius | (11) &session-state:TLS-Session-Version = "TLS 1.2"
Hmm... you can always copy the attributes to the session-state list, where they will automatically be stored and restored. I'll have to check what's going on behind the scenes. It's been a while since I used v3 like this. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html