On Feb 16, 2021, at 9:22 PM, Nick Bogdanov <nickrbogdanov@gmail.com> wrote:
I am using EAP-TLS authentication and trying to read the %{session-state.TLS-Client-Cert-Subject} attribute in order to set the reply.Tunnel-Private-Group-Id field. In v3 I could just add this to my post-auth section:
To be honest... v4 is under major development. We do have tests for all kinds of things. But not everything works the same as in v3, and not everything is finished. So it's "buyer beware".
if (TLS-Client-Cert-Subject =~ /\/OU=VLAN 1\//) { update reply { &Tunnel-Private-Group-Id = "1" } }
In v4 I can see the cert fields in the `recv Access-Request` section (after setting `virtual_server = default` in mods-available/eap) but they are all empty when I try to read them from the `send Access-Accept` section. In fact, if I uncomment these sections from the default config, the fields are all empty too:
Look at the debug output. You should be able to see when these attributes are added (or not). For example, I see: (6.0) eap.tls - Continuing EAP-TLS (6.0) eap.tls - Got final TLS record fragment (1383 bytes) (6.0) eap.tls - [eap-tls verify] = complete (6.0) eap.tls - Handshake state - Server SSLv3/TLS write server done (26) (6.0) eap.tls - <<< recv TLS 1.2, handshake[length 2381], unknown_handshake_type_0x000b (6.0) eap.tls - Adding certificate attributes to session-state (6.0) eap.tls - &session-state.TLS-Client-Cert-Serial = "03" (6.0) eap.tls - &session-state.TLS-Client-Cert-Expiration = "Feb 6 1970 11:23:13 UTC"
I am running git rev 89b77dc09571cb4ac3cd4d639aee6c17bea23182, built from source. I saw something in upgrade.adoc about using the `filter` directive but it wasn't clear to me what that meant.
See: doc/antora/modules/reference/pages/unlang/filter.adoc doc/antora/modules/reference/pages/unlang/update.adoc In v4, this is *extensively* documented.
Am I missing something simple or is this a bug?
It's not clear. The full debug output should help. Alan DeKok.