EAP-TLS: restricting CA certificate use to a subset of identities
Whein using EAP-TLS, is there any sane way of restricting the use of a CA Certificate to a subset of the possible identities? I.e., is it possible to configure a single FreeRADIUS 2 server to accept users @foo.my.domain only if their Certificates are signed with CA-Cert.foo and users @bar.my.domain only if theirs are signed with CA-Cert.bar? It looks a bit tough because (if I got it right) eap.conf doesn't use unlang and no information whatsoever from the CA Certificate used for verification is available as an attribute. Alternatively, is it possible to log the name of the CA certificate on successful login? So that even if the logged user identity is user@foo.my.domain the log shows that the user cert was actually issued by bar.my.domain. Thanks for any hints.
Edgar Fuß wrote:
Whein using EAP-TLS, is there any sane way of restricting the use of a CA Certificate to a subset of the possible identities? I.e., is it possible to configure a single FreeRADIUS 2 server to accept users @foo.my.domain only if their Certificates are signed with CA-Cert.foo and users @bar.my.domain only if theirs are signed with CA-Cert.bar?
Not really. You can configure 2 EAP modules, and have requests for different domains be handled by different modules. Alan DeKok.
You can configure 2 EAP modules Ah, thanks. That looks a lot less insane than two RADIUS servers.
and have requests for different domains be handled by different modules. But how do I direct certain users to an instance of the eap module? Inside the eap module, I have check_cert_cn, but I would need to check the User-Name attribute against a fixed pattern. It's probably easy, but I'm no FreeRADIUS expert.
Edgar Fuß wrote:
and have requests for different domains be handled by different modules. But how do I direct certain users to an instance of the eap module?
$ man unlang authorize { ... if (User-Name =~ /domain.com$/) { eap1 } else { eap2 } ... {
Inside the eap module, I have check_cert_cn, but I would need to check the User-Name attribute against a fixed pattern.
Yes... that can be done by checking the User-Name via a regex. Alan DeKok.
participants (2)
-
Alan DeKok -
Edgar Fuß