Alan DeKok wrote:
David Mitchell wrote:
I've encountered a similar issue I'm not sure how to deal with. Is there a place I can log any attributes of the certificate?
Not at this moment. Patches are welcome.
I log my accounting records via linelog, and as long as the configuration I end up with forces something reasonable into the User-Name value I do log a username. But it occurs to me it might be nice to have some kind of record of the certificate which was used. Either the CN, or serial number, or something. Is there a way to do this?
Source code changes.
I believe I've found a better workaround for my original problem. By using the realm module, I can strip off the unwanted portion of the User-Name attribute. In sites-enabled/default enable the 'suffix' module as needed. In proxy.conf: # We don't actually care about the realm, we just need a match realm "~.+$" { authhost = LOCAL # not strictly necessary accthost = LOCAL # not strictly necessary } In eap.conf: # Check for either Stripped-User-Name or User-Name, as we don't know # which format the client will use. check_cert_cn = %{%{Stripped-User-Name}:-%{User-Name}}@%{Calling-Station-Id} Then issue certificates with a CN of the form username@1122.3344.5566. Most clients prompt the user for the value of User-Name, so they can just enter 'username'. XP sends the actual value of CN, but the realm strips the extra info back off so that we can do the comparison we want. -David
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ----------------------------------------------------------------- | David Mitchell (mitchell@ucar.edu) Network Engineer IV | | Tel: (303) 497-1845 National Center for | | FAX: (303) 497-1818 Atmospheric Research | -----------------------------------------------------------------