On Thu, Aug 29, 2013 at 02:48:59PM +0100, Phil Mayers wrote:
On 29/08/13 14:25, Axel Thimm wrote:
On Thu, Aug 29, 2013 at 02:12:35PM +0100, Phil Mayers wrote:
Otherwise, you could look at the "verify { }" stanza of the "tls { }" block in eap.conf; this allows you to run an external script once you've got the client cert, and there you can write any code you want to access the various issuer/subject fields.
Thanks, I'm already using it for other purposes. But do I have the request data at hand to check for the requested SSID?
It's run using the standard exec helper, so it has access to all the stuff that a normal exec module has; specifically there should be environment variables matching each request attribute, mangled into upper-case + underscores.
e.g.
Calling-Station-Id
...should appear as:
CALLING_STATION_ID
Suggest you try it and see.
Thank you, that looks very promising!
Or is there a way to set variables in this script to check later in the authorize section's modules (with an exec script)?
No. The output of the verify script is thrown away, so in that respect it's not like a normal exec. It's a binary yes/no.
Obviously you could work around this; you could set a request variable to a unique value e.g. timestamp+random, have your verify{} script use that as the basis of a filename to dump the info to, then read it with *another* exec module lower down.
That is very nasty! I love it! :) I'll try to go with the verify for now.
Or you could abandon the prejudice against upgrading because "it's supported" (support you're not taking advantage of, I might add, since you're asking here) and upgrade to 2.2.0 which, IIRC, has those patches in.
For systems I know I will be the long term support I can talk to the customer and he will agree to have me patch up specific binaries, but in this case I'm just setting this up. -- Axel.Thimm at ATrpms.net