On 12/26/2011 02:44 PM, vazoumana fofana wrote:
sorry, i ve got persistents problems :
- i filter client certificate under authenticate section (under eap) with : Auth-Type eap { if ( "%{TLS-Client-Cert-Subject}" =~ /OU=xxxxx/ ) { reject } }. Firstly, it s' written on "default" file : /Please do not put "unlang" configurations into the "authenticate" # section. Put them in the "post-auth" section instead. That's what # the post-auth section is for./ But, according to me , it's not right because i don't want to enter into post-auth. It must be rejected before.
This is not easy at the moment I'm afraid. Basically, the problem is that the "authorize" part of the "eap" module doesn't do much. All the work is done inside the "authenticate" section. This means that TLS-* attributes may not be present in "authorize". You are correct that performing a "reject" in "post-auth" is not the right thing to do. It might be an idea in future to add an "inner-tunnel" feature for EAP-TLS which sends a plain PAP packet with the TLS-* attributes, which allows this kind of checking. You need to use the "verify { }" option under the "tls { }" config to run an external script. Like so: eap { tls { verify { client = "/path/to/my/script ..." } } } This is documented with examples in eap.conf But really, you're doing it wrong. If you don't want a particular cert to authenticate, revoke it and use CRLs or OSCP. Why do you think you want to check the cert subject?