References to TLS-Client-Cert-Common-Name
Hi, I am using the TLS-Client-Cert-Common-Name attribute to get client certificate common name value and use it in the authorize section. While it does read the issue attributes from CA that comes with it, it ignores the client attribute. How can I get the value of a client certificate? *Here is the debug output:* *Fri Apr 7 09:03:13 2023 : Debug: (5) EAP-Type = TLSFri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Serial := "33ffb07c337ec3bc"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Expiration := "231109075300Z"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Valid-Since := "221109075300Z"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Subject := "/CN=cacert"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Issuer := "/CN=cacert"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Common-Name := "cacert"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-X509v3-Basic-Constraints += "CA:TRUE"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-X509v3-Subject-Key-Identifier += "FA:CF:53:D7:B0:54:5A:DA:12:A0:51:D4:C1:2B:10:C3:2F:C2:17:6E"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:FA:CF:53:D7:B0:54:5A:DA:12:A0:51:D4:C1:2B:10:C3:2F:C2:17:6E\n"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Serial := "55deef44a81709aa"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Expiration := "231109075300Z"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Valid-Since := "221109075600Z"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Subject := "/CN=clientcert/emailAddress=client@example.com/serialNumber=ababab0123456 <http://client@example.com/serialNumber=ababab0123456>"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Issuer := "/CN=cacert"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Common-Name := "clientcert"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Subject-Alt-Name-Email := "clientcert@example.com <clientcert@example.com>"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Subject-Alt-Name-Dns := "clientcert.copy.com.example.com <http://clientcert.copy.com.example.com>"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-X509v3-Subject-Key-Identifier += "AA:57:43:AC:9D:32:95:F8:DB:E5:4B:7A:8E:0F:D3:5C:52:42:14:EC"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:FA:CF:53:D7:B0:54:5A:DA:12:A0:51:D4:C1:2B:10:C3:2F:C2:17:6E\n"Fri Apr 7 09:03:13 2023 : WARNING: (5) Outer and inner identities are the same. User privacy is compromised.Fri Apr 7 09:03:13 2023 : Debug: (5) server eap-tls-check {Fri Apr 7 09:03:13 2023 : Debug: (5) session-state: No cached attributesFri Apr 7 09:03:13 2023 : Debug: (5) # Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/inner-tunnelFri Apr 7 09:03:13 2023 : Debug: (5) authorize {Fri Apr 7 09:03:13 2023 : Debug: (5) if ("%{sql:select assignmentvalue from radeaptlsvlan where (instr('%{TLS-Client-Cert-Common-Name}', assignmentvalue) > 0") {Fri Apr 7 09:03:13 2023 : Debug: rlm_sql (sql): Reserved connection (6)Fri Apr 7 09:03:13 2023 : Debug: rlm_sql (sql): Released connection (6)Fri Apr 7 09:03:13 2023 : Debug: rlm_sql (sql): Reserved connection (2)Fri Apr 7 09:03:13 2023 : Debug: rlm_sql (sql): Released connection (2)Fri Apr 7 09:03:13 2023 : Debug: rlm_sql (sql): Reserved connection (3)Fri Apr 7 09:03:13 2023 : Debug: rlm_sql (sql): Released connection (3)Fri Apr 7 09:03:13 2023 : Debug: rlm_sql (sql): Reserved connection (4)Fri Apr 7 09:03:13 2023 : Debug: rlm_sql (sql): Released connection (4)Fri Apr 7 09:03:13 2023 : Debug: %{User-Name}Fri Apr 7 09:03:13 2023 : Debug: Parsed xlat tree:Fri Apr 7 09:03:13 2023 : Debug: attribute --> User-NameFri Apr 7 09:03:13 2023 : Debug: (5) EXPAND %{User-Name}Fri Apr 7 09:03:13 2023 : Debug: (5) --> caglarFri Apr 7 09:03:13 2023 : Debug: (5) SQL-User-Name set to 'caglar'Fri Apr 7 09:03:13 2023 : Debug: rlm_sql (sql): Reserved connection (0)Fri Apr 7 09:03:13 2023 : Debug: (5) Executing select query: select assignmentvalue from radeaptlsvlan where (instr('cacert', assignmentvalue) > 0)* Regards, Caglar
On Apr 17, 2023, at 1:05 AM, Çağlar Karahan <karahancaglar94@gmail.com> wrote:
I am using the TLS-Client-Cert-Common-Name attribute to get client certificate common name value and use it in the authorize section. While it does read the issue attributes from CA that comes with it, it ignores the client attribute. How can I get the value of a client certificate?
If it doesn't show up in the debug output, then it's not in the certificate. Have you tried using the OpenSSL tools to look at the certificate? What's the common name there?
*Here is the debug output:*
<huge whitespace delete>
*Fri Apr 7 09:03:13 2023 : Debug: (5) EAP-Type = TLSFri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Serial := "33ffb07c337ec3bc"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Expiration := "231109075300Z"Fri Apr 7 09:03:13 2023 : Debug: (5)
That isn't helpful. Alan DeKok.
As the screenshots of information about client certificate implies that client has its common name and also issuer's (CA) common name. And debug output shows that we get both attribute values with TLS-Client-Cert-Common-Name which are *cacert *and *clientcert*. While I want to use the TLS-Client-Cert-Common-Name attribute in the authorize section which is also shown in debug output. In the authorize section, the attribute returns issuer's common name instead of client's. Screenshots of information about client certificate: [image: image.png][image: image.png] Debug output: *Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Common-Name := "cacert"* <huge whitespace delete> *Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Common-Name := "clientcert"* *Fri Apr 7 09:03:13 2023 : Debug: (5) # Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/inner-tunnelFri Apr 7 09:03:13 2023 : Debug: (5) authorize {Fri Apr 7 09:03:13 2023 : Debug: (5) if ("%{sql:select assignmentvalue from radeaptlsvlan where (instr('%{TLS-Client-Cert-Common-Name}', assignmentvalue) > 0") {Fri Apr 7 09:03:13 2023 : Debug: %{User-Name}Fri Apr 7 09:03:13 2023 : Debug: Parsed xlat tree:Fri Apr 7 09:03:13 2023 : Debug: attribute --> User-NameFri Apr 7 09:03:13 2023 : Debug: (5) EXPAND %{User-Name}Fri Apr 7 09:03:13 2023 : Debug: (5) --> caglarFri Apr 7 09:03:13 2023 : Debug: (5) SQL-User-Name set to 'caglar'Fri Apr 7 09:03:13 2023 : Debug: rlm_sql (sql): Reserved connection (0)Fri Apr 7 09:03:13 2023 : Debug: (5) Executing select query: select assignmentvalue from radeaptlsvlan where (instr('cacert', assignmentvalue) > 0)* Thanks, Alan DeKok <aland@deployingradius.com>, 17 Nis 2023 Pzt, 16:01 tarihinde şunu yazdı:
On Apr 17, 2023, at 1:05 AM, Çağlar Karahan <karahancaglar94@gmail.com> wrote:
I am using the TLS-Client-Cert-Common-Name attribute to get client certificate common name value and use it in the authorize section. While it does read the issue attributes from CA that comes with it, it ignores the client attribute. How can I get the value of a client certificate?
If it doesn't show up in the debug output, then it's not in the certificate.
Have you tried using the OpenSSL tools to look at the certificate? What's the common name there?
*Here is the debug output:*
<huge whitespace delete>
*Fri Apr 7 09:03:13 2023 : Debug: (5) EAP-Type = TLSFri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Serial := "33ffb07c337ec3bc"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Expiration := "231109075300Z"Fri Apr 7 09:03:13 2023 : Debug: (5)
That isn't helpful.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 18/04/2023 05:59, Çağlar Karahan wrote:
While I want to use the TLS-Client-Cert-Common-Name attribute in the authorize section which is also shown in debug output. In the authorize section, the attribute returns issuer's common name instead of client's.
You are probably using 3.2.1 (your debug output is very mangled and doesn't include all the information, so this is an educated guess). Upgrade to 3.2.2. This has been fixed. -- Matthew
Hi, Thank you Matthew, you are right. It was because of version 3.2.1. Version 3.2.2 is working fine. Matthew Newton via Freeradius-Users <freeradius-users@lists.freeradius.org>, 18 Nis 2023 Sal, 11:43 tarihinde şunu yazdı:
On 18/04/2023 05:59, Çağlar Karahan wrote:
While I want to use the TLS-Client-Cert-Common-Name attribute in the authorize section which is also shown in debug output. In the authorize section, the attribute returns issuer's common name instead of client's.
You are probably using 3.2.1 (your debug output is very mangled and doesn't include all the information, so this is an educated guess).
Upgrade to 3.2.2. This has been fixed.
-- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Matthew Newton -
Çağlar Karahan