Config for TLS, TTLS and PEAP and subject validation
Hi I currently run FreeRADIUS 2.1.6 and have a working configuration for EAP-TTLS and PEAP that is used for a WPA2 network. In addition to that, I would like to allow our users to use their user certificate from a public issuer to connect using EAP-TLS. This means that I have to check if the subject contains our organisation. I read in previous threads about checking the subject in the authenticate section: authenticate { Auth-Type eap { eap if (!"%{TLS-Client-Cert-Subject}" =~ /\/O=MyCompany\// ) { reject } } } I have two questions about that: - This would belong in the "outer" request as there is no inner request with EAP-TLS, right? - What happens to requests that don't provide a client certificate (the users who still use EAP-TTLS or PEAP)? In conclusion, is there a way to distinguish between EAP-TLS requests and EAP-TTLS or PEAP requests? And if so, can I use a different server section for EAP-TLS? Thanks for help. Best regards, Daniel
Daniel Bertolo wrote:
I currently run FreeRADIUS 2.1.6 ... authenticate { Auth-Type eap { eap if (!"%{TLS-Client-Cert-Subject}" =~ /\/O=MyCompany\// ) {
That won't work in 2.1.6. You need at least 2.1.10.
- This would belong in the "outer" request as there is no inner request with EAP-TLS, right?
Yes.
- What happens to requests that don't provide a client certificate (the users who still use EAP-TTLS or PEAP)?
The TLS-Client-Cert-Subject is empty. You will need to check for EAP-TLS: if ((EAP-Type == EAP-TLS) && \ (%{TLS-Client-Cert-Subject}" !~ /\/O=MyCompany\//)) { ...
In conclusion, is there a way to distinguish between EAP-TLS requests and EAP-TTLS or PEAP requests? And if so, can I use a different server section for EAP-TLS?
Yes, and no. Alan DeKok.
participants (2)
-
Alan DeKok -
Daniel Bertolo