Hi Stefan, Matthew, and All,
# As part of checking a client certificate, the EAP-TLS # sets some attributes such as TLS-Client-Cert-CN. This # virtual server has access to these attributes, and can # be used to accept or reject the request. # # virtual_server = check-eap-tls
That pretty much gives it away :-)
:D Yes, that's what led me to check-eap-tls, but that file also says it can be handled in raddb/mods-available/eap. FR seems very flexible and programmer friendly. I'm just a lowly network guy, though I had enough programming in my CS undergrad to get dirty and mess stuff up. ;)
It's been a long time since I wrote that, but from memory I can't think of any reason why it wouldn't. The whole point of it is to check the client's cert, not the root/intermediates.
Yes, that would make sense and what the server seems to be doing.
It's all in the unlang man page. Use a regex.
OK, I was looking at the freeradius/networkradius wikis, I didn't know there was a man page for that. Thank you!
something more like if (&TLS-Client-Cert-Subject =~ /[@\.]acme.com$/) { update config { use "update control". "config" is obsolete.
Great, I have some resources locally that can help me troubleshoot the specifics of the regex.
I would do it the other way around.
update control { Auth-Type := Reject }
if (&TLS-Client-Cert-Subject =~ /[@\.]acme.com$/) { update control { Auth-Type := Accept
Will the process run through the whole virtual server file before returning the Auth-Type? Is that why one can set an accept after a reject? Thank you all again for helping me learn more about FreeRADIUS. I promise I spend at least a couple hours going through documentation before posting here; I respect your time and knowledge. Thank You, Matthew West On Thu, Sep 15, 2016 at 2:50 AM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Wed, Sep 14, 2016 at 04:01:46PM -0700, Matthew West wrote:
/etc/raddb/sites-available/check-eap-tls appears to be the correct virtual server to do the check.
Yes.
The information I am looking to check against is in the value-pair: TLS-Client-Cert-Subject. When checking the debug, I found the information I'm looking for at chain-depth=0 in the chain (the first two certs are the primary CA and intermediate CA). Will check-eap-tls use the information at chain-depth=0?
It's been a long time since I wrote that, but from memory I can't think of any reason why it wouldn't. The whole point of it is to check the client's cert, not the root/intermediates.
Use
debug_request
to see what attributes you can check.
I would like to check the subject only for the inclusion of our domain, acmetech.com, but am new to string manipulation using unlang. I would like the function to work as following, but don't have the syntax correct.
It's all in the unlang man page. Use a regex.
if ("%{TLS-Client-Cert-Subject}" == (* + "acme.com") {
something more like
if (&TLS-Client-Cert-Subject =~ /[@\.]acme.com$/) {
update config {
use "update control". "config" is obsolete.
Auth-Type := Accept } } else { update config { Auth-Type := Reject } update reply { Reply-Message := "Your certificate is not valid." }
This won't ever get seen by the client, so probably isn't worth doing.
}
I would do it the other way around.
update control { Auth-Type := Reject }
if (&TLS-Client-Cert-Subject =~ /[@\.]acme.com$/) { update control { Auth-Type := Accept } }
Matthew
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html