On Feb 13, 2023, at 5:08 AM, Dentzer, Daniel <Dentzer@cpa.de> wrote:
I'm configuring a freeradius server for authenticating Wifi clients with EAP-TLS. The solution should check certificates with EAP-TLS and everything is working fine, but checking the "extended key usage" to reply with a specific VLAN is not working as expected.
The debug output prints out everything it's doing. Read it carefully.
So in my site config I have:
Configuration doesn't matter.
In the log I see that the Attribute is in the tls-cert: freeradius | (342) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "user.XY.xxxxx.de" freeradius | (342) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, 1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7" freeradius | (342) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" freeradius | (342) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.2"
Packet 342.
But when I scroll down, I see that the result of the if-check is false: ... freeradius | (343) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1") { freeradius | (343) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1") -> FALSE
Packet 343. These are different packets, with different contents. The server saves the TLS certificate data in the session-state list. So do: if (&session-state.TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == ... That should work. See also raddb/policy.d/debug. You can use the policies there to print out the contents of the various lists. i.e. debug_session_state if (&session-state.TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == ... That tells you exactly what's in the list, and whether or not the "if" condition will pass. Alan DeKok.