Hi Alan (sorry, called you Alex!), Looks like that did the trick. Much thanks to Matthew for the RegEx, passed it along to a dev here and confirmed that's what we want. See success below. Off to learning CRLs and removing all non-EAP-TLS authentication mechanisms. After that, I should have the server functioning the way that was requested of me. Thank you all for helping me along. Take Care, Matthew --- (9) # Executing section authorize from file /etc/raddb/sites-enabled/check-eap-tls (9) authorize { (9) update control { (9) Auth-Type := Reject (9) } # update control = noop (9) if (&TLS-Client-Cert-Subject =~ /[@\.]acme.com$/) (9) if (&TLS-Client-Cert-Subject =~ /[@\.]acme.com$/) -> TRUE (9) if (&TLS-Client-Cert-Subject =~ /[@\.]acme.com$/) { (9) update control { (9) Auth-Type := Accept (9) } # update control = noop (9) } # if (&TLS-Client-Cert-Subject =~ /[@\.]acme.com$/) = noop (9) auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (9) auth_log : --> /var/log/radius/radacct/10.XX.XX.123/auth-detail-20160915 (9) auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.XX.XX.123/auth-detail-20160915 (9) auth_log : EXPAND %t (9) auth_log : --> Thu Sep 15 14:31:48 2016 (9) [auth_log] = ok (9) } # authorize = ok (9) Found Auth-Type = Accept (9) Auth-Type = Accept, accepting the user (9) Reply: (9) } # server check-eap-tls (9) eap_tls : Saving session 6ab28a6057925904eb95751778913a2f16f0ebe38f6e4d4d2699a5731696f1b6 vps 0x7fad652e3110 in the cache (9) eap : Freeing handler (9) [eap] = ok (9) } # authenticate = ok On Thu, Sep 15, 2016 at 1:50 PM, Matthew West <matthew.t.west@gmail.com> wrote:
Hi Alex,
if you read mods-enabled/eap you'll go to the tls {} section and see the bit that says
# # As part of checking a client certificate, the EAP-TLS # sets some attributes such as TLS-Client-Cert-CN. This # virtual server has access to these attributes, and can # be used to accept or reject the request. # # virtual_server = check-eap-tls
*blushes* I don't know how I missed that!
Thank you! Back to testing.
Matthew
On Thu, Sep 15, 2016 at 1:31 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
I've placed a symlink in /etc/raddb/sites-enabled to /etc/raddb/sites-available for the check-eap-tls virtual server.
aye...but the server needs to know to send the packet to it....so you need to configure the eap module appropriately,.
if you read mods-enabled/eap you'll go to the tls {} section and see the bit that says
# # As part of checking a client certificate, the EAP-TLS # sets some attributes such as TLS-Client-Cert-CN. This # virtual server has access to these attributes, and can # be used to accept or reject the request. # # virtual_server = check-eap-tls
eap { <snip>
# Linked to sub-module rlm_eap_tls tls { tls = "tls-common" }
<snip>
uncomment.
enjoy
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html