Certificate information
Hi all, Using FR v3.1.0. I was wondering if there is any way I could read a TLS client certificate field (probably MS specific) called "Certificate Template Information". We have an M$ CA (for now), and one of the strings within this field contains the name of the certificate template, which I want to check, to make sure that people aren't making up their own cert templates and randomly giving wireless access to people in the wrong way (I have good reason). A less satisfactory way of doing this would be by checking the EKUs matched the template I was using, as the other templates I've found don't have quite the same makeup there. I tried all the specific dictionary TLS-* , including the seemingly EKU specific one, and they are largely empty. I also can't base it on OU structure as some certs are based on device names and some on AD users. I would like to do this via the named Template Information field if possible, since this also contains other useful stuff. I presume I can't do what I'm trying to achieve? The obvious thing would be to stop other people issuing certs, but I may as well learn to code C properly and rewrite the module, it would be easier :-) EXPAND %{TLS-Cert-Subject-Alt-Name-Email} (7) --> (7) Reply-Message += "" (7) EXPAND %{TLS-Cert-Subject-Alt-Name-Dns} (7) --> (7) Reply-Message += "" (7) EXPAND %{TLS-Cert-Subject-Alt-Name-Upn} (7) --> (7) Reply-Message += "" (7) EXPAND %{TLS-Client-Cert-Filename} (7) --> (7) Reply-Message += "" (7) EXPAND %{TLS-Client-Cert-Subject-Alt-Name-Email} (7) --> (7) Reply-Message += "" (7) EXPAND %{TLS-Client-Cert-X509v3-Extended-Key-Usage} (7) --> (7) Reply-Message += "" (7) EXPAND %{TLS-Client-Cert-X509v3-Subject-Key-Identifier} (7) --> (7) Reply-Message += "" (7) EXPAND %{TLS-Client-Cert-X509v3-Authority-Key-Identifier} (7) --> (7) Reply-Message += "" (7) EXPAND %{TLS-Client-Cert-X509v3-Basic-Constraints} (7) --> (7) Reply-Message += "" (7) EXPAND %{TLS-Client-Cert-Subject-Alt-Name-Dns} (7) --> (7) Reply-Message += "" Thanks very much Andy.
Hi,
I tried all the specific dictionary TLS-* , including the seemingly EKU specific one, and they are largely empty. I also can't base it on OU structure as some certs are based on device names and some on AD users.
docs. read the docs. find the extetnsion number.... then look at the FR end...define dictionary entry then see what pops out in debug mode: http://support.microsoft.com/en-us/kb/287547 1.3.6.1.4.1.311.21.7 seems to be the one you want alan
On Mar 30, 2015, at 5:31 AM, Franks Andy (IT Technical Architecture Manager) <Andy.Franks@sath.nhs.uk> wrote:
Using FR v3.1.0.
There is no version 3.1.0. I suggest using a released version.
I was wondering if there is any way I could read a TLS client certificate field (probably MS specific) called "Certificate Template Information”.
No. The examples in sites-enabled/default describe which TLS fields are available. If the field isn’t listed, it’s not available.
We have an M$ CA (for now), and one of the strings within this field contains the name of the certificate template, which I want to check, to make sure that people aren't making up their own cert templates and randomly giving wireless access to people in the wrong way (I have good reason).
Except all of that information is publicly available. You’re not really adding any security here.
I presume I can't do what I'm trying to achieve? The obvious thing would be to stop other people issuing certs, but I may as well learn to code C properly and rewrite the module, it would be easier :-)
No. You should use a good CA design. It’s not really clear what you’re doing or why. Perhaps talking about the *problem* could help. Right now, you’re asking why a particular solution doesn’t work. Well, if you’re not clear on the problem or on FreeRADIUS, the solution is likely to be wrong. Alan DeKok.
Franks Andy (IT Technical Architecture Manager) wrote:
I was wondering if there is any way I could read a TLS client certificate field (probably MS specific) called "Certificate Template Information". We have an M$ CA (for now), and one of the strings within this field contains the name of the certificate template, which I want to check, to make sure that people aren't making up their own cert templates and randomly giving wireless access to people in the wrong way (I have good reason).
I think your idea is the completely wrong approach for the problem. Make sure you have your PKI under your control => ensure that "people" cannot make up their own cert templates. Ciao, Michael.
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Franks Andy (IT Technical Architecture Manager) -
Michael Ströder