On Wed, Sep 14, 2016 at 04:01:46PM -0700, Matthew West wrote:
/etc/raddb/sites-available/check-eap-tls appears to be the correct virtual server to do the check.
Yes.
The information I am looking to check against is in the value-pair: TLS-Client-Cert-Subject. When checking the debug, I found the information I'm looking for at chain-depth=0 in the chain (the first two certs are the primary CA and intermediate CA). Will check-eap-tls use the information at chain-depth=0?
It's been a long time since I wrote that, but from memory I can't think of any reason why it wouldn't. The whole point of it is to check the client's cert, not the root/intermediates. Use debug_request to see what attributes you can check.
I would like to check the subject only for the inclusion of our domain, acmetech.com, but am new to string manipulation using unlang. I would like the function to work as following, but don't have the syntax correct.
It's all in the unlang man page. Use a regex.
if ("%{TLS-Client-Cert-Subject}" == (* + "acme.com") {
something more like if (&TLS-Client-Cert-Subject =~ /[@\.]acme.com$/) {
update config {
use "update control". "config" is obsolete.
Auth-Type := Accept } } else { update config { Auth-Type := Reject } update reply { Reply-Message := "Your certificate is not valid." }
This won't ever get seen by the client, so probably isn't worth doing.
}
I would do it the other way around. update control { Auth-Type := Reject } if (&TLS-Client-Cert-Subject =~ /[@\.]acme.com$/) { update control { Auth-Type := Accept } } Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>