How to check the Extended Key Usage in freeradius?
I'm configuring a freeradius server for authenticating Wifi clients with EAP-TLS. The solution should check certificates with EAP-TLS and everything is working fine, but checking the "extended key usage" to reply with a specific VLAN is not working as expected. So in my site config I have: if (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XY\.xxxxx\.de$/){ if(TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1") { update reply { &Tunnel-Type = 13, &Tunnel-Medium-Type = 6, &Tunnel-Private-Group-Id = "1" } } if(TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.2") { update reply { &Tunnel-Type = 13, &Tunnel-Medium-Type = 6, &Tunnel-Private-Group-Id = "2" } } } elsif (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XYZ\.xxxxx\.de$/) { if(TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.16530950.3") { update reply { &Tunnel-Type = 13, &Tunnel-Medium-Type = 6, &Tunnel-Private-Group-Id = "3" } } } else { update reply { Reply-Message := "Certificate Extended-Key-Usage with wrong or missing Group." Auth-Type := Reject } reject } In the log I see that the Attribute is in the tls-cert: freeradius | (342) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "user.XY.xxxxx.de" freeradius | (342) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, 1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7" freeradius | (342) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" freeradius | (342) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.2" But when I scroll down, I see that the result of the if-check is false: freeradius | (343) if (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XY\.xxxxx\.de$/){ freeradius | (343) if (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XY\.xxxxx\.de$/) -> TRUE freeradius | (343) if (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XY\.xxxxx\.de$/) { freeradius | (343) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1") { freeradius | (343) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1") -> FALSE freeradius | (343) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.2") { freeradius | (343) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.2") -> FALSE ### This should be TRUE ### freeradius | (343) } # if (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XY\.xxxxx\.de$/) = noop TLS-Client-Cert-X509v3-Extended-Key-Usage-OID is a list, do I have to check it in a different way? Thanks in advance. Daniel
On Feb 13, 2023, at 5:08 AM, Dentzer, Daniel <Dentzer@cpa.de> wrote:
I'm configuring a freeradius server for authenticating Wifi clients with EAP-TLS. The solution should check certificates with EAP-TLS and everything is working fine, but checking the "extended key usage" to reply with a specific VLAN is not working as expected.
The debug output prints out everything it's doing. Read it carefully.
So in my site config I have:
Configuration doesn't matter.
In the log I see that the Attribute is in the tls-cert: freeradius | (342) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "user.XY.xxxxx.de" freeradius | (342) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, 1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7" freeradius | (342) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" freeradius | (342) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.2"
Packet 342.
But when I scroll down, I see that the result of the if-check is false: ... freeradius | (343) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1") { freeradius | (343) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1") -> FALSE
Packet 343. These are different packets, with different contents. The server saves the TLS certificate data in the session-state list. So do: if (&session-state.TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == ... That should work. See also raddb/policy.d/debug. You can use the policies there to print out the contents of the various lists. i.e. debug_session_state if (&session-state.TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == ... That tells you exactly what's in the list, and whether or not the "if" condition will pass. Alan DeKok.
The server saves the TLS certificate data in the session-state list. So do:
if (&session-state.TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == ...
That should work.
It seems that this doesn't work for me. In the session-state is only TLS-Session-Information, TLS-Session-Cipher-Suite, TLS-Session-Version. But it seems I can work directly with TLS-Client-Cert-Issuer and TLS-Client-Cert-Subject-Alt-Name-Dns, but not with TLS-Client-Cert-X509v3-Extended-Key-Usage-OID. Is there a way to get TLS-Client-Cert-X509v3-Extended-Key-Usage-OID - in the session-state (see below ' (11) policy debug_session_state {') Or - like TLS-Client-Cert-Issuer to use it directly (see below '(11) if (TLS-Client-Cert-Issuer == "/DC=org/DC=example/CN=XY Sub CA") -> TRUE')? LOG: freeradius | (10) Received Access-Request Id 135 from 10.1.100.55:55713 to 10.0.118.207:1812 length 873 freeradius | (10) User-Name = "host/host1.XY.example.org" freeradius | (10) NAS-IP-Address = 10.1.100.55 freeradius | (10) NAS-Identifier = "6ad79a35b543" freeradius | (10) Called-Station-Id = "6A-D7-9A-35-B5-43:XY" freeradius | (10) NAS-Port-Type = Wireless-802.11 freeradius | (10) Service-Type = Framed-User freeradius | (10) Calling-Station-Id = "14-5A-FC-11-0C-55" freeradius | (10) Connect-Info = "CONNECT 0Mbps 802.11a" freeradius | (10) Acct-Session-Id = "131C98E526D732C9" freeradius | (10) Acct-Multi-Session-Id = "21DF24B695731162" freeradius | (10) WLAN-Pairwise-Cipher = 1027076 freeradius | (10) WLAN-Group-Cipher = 1027076 freeradius | (10) WLAN-AKM-Suite = 1027073 freeradius | (10) Framed-MTU = 1400 freeradius | (10) EAP-Message = 0x02f802650d008913236f1da4d0f24ae5fd76c1363e401da385917ea16dcc91b4c99e1d5fcc0ba0eb9490989acb360187643386d3bac082a8771891a9f52811bf19fa628a0ee25568a822d36324c2f27890f954ff86b657b1fc5a10319d101ab15f68f7c9911e5f2252d382360caae495439a174933a31f8e65d475d4adb7835b573f6165226fe068ccb63ccd61eaf0a74b4f3095e7294ad742444ead3c73812138f5b41438e1b47b27efb3af9de677fd78053a0a6c499327f01839fbb9e7df5a669ed1e01a86594eeb72e8dba40b4d76f6c84f4a26872039872ef2dccbbf54aa42956776100000424104b95329b6826c47555335c7092e25dfaac53b91f4220ab8fe98539c708d11dfb2f693f58df950c3d233519e8a338ebcb1aab80363b766b2bbd8bfdf01e8e12b000f0001040804010019d12737c08a55927012807b024877904354ad2eeb688f37268da26fb12d0404751cb47faad165aa1973425fe386f7f963e8d30b224f568e0eb79dc2f37fdff301124cea5c freeradius | (10) State = 0x67e882426e108fb8e89303b497b5b384 freeradius | (10) Message-Authenticator = 0x5807b7f924014bf2437feee3473554e1 freeradius | (10) Restoring &session-state freeradius | (10) &session-state:Framed-MTU = 1014 freeradius | (10) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" freeradius | (10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" freeradius | (10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" freeradius | (10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" freeradius | (10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" freeradius | (10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" freeradius | (10) # Executing section authorize from file /etc/raddb/sites-enabled/site freeradius | (10) authorize { freeradius | (10) policy filter_username { freeradius | (10) if (&User-Name) { freeradius | (10) if (&User-Name) -> TRUE freeradius | (10) if (&User-Name) { freeradius | (10) if (&User-Name =~ / /) { freeradius | (10) if (&User-Name =~ / /) -> FALSE freeradius | (10) if (&User-Name =~ /@[^@]*@/ ) { freeradius | (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE freeradius | (10) if (&User-Name =~ /\.\./ ) { freeradius | (10) if (&User-Name =~ /\.\./ ) -> FALSE freeradius | (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { freeradius | (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE freeradius | (10) if (&User-Name =~ /\.$/) { freeradius | (10) if (&User-Name =~ /\.$/) -> FALSE freeradius | (10) if (&User-Name =~ /@\./) { freeradius | (10) if (&User-Name =~ /@\./) -> FALSE freeradius | (10) } # if (&User-Name) = notfound freeradius | (10) } # policy filter_username = notfound freeradius | (10) [preprocess] = ok freeradius | (10) eap: Peer sent EAP Response (code 2) ID 248 length 613 freeradius | (10) eap: No EAP Start, assuming it's an on-going EAP conversation freeradius | (10) [eap] = updated freeradius | (10) [expiration] = noop freeradius | (10) [logintime] = noop freeradius | (10) } # authorize = updated freeradius | (10) Found Auth-Type = eap freeradius | (10) # Executing group from file /etc/raddb/sites-enabled/site freeradius | (10) authenticate { freeradius | (10) eap: Expiring EAP session with state 0x67e882426e108fb8 freeradius | (10) eap: Finished EAP session with state 0x67e882426e108fb8 freeradius | (10) eap: Previous EAP request found for state 0x67e882426e108fb8, released from the list freeradius | (10) eap: Peer sent packet with method EAP TLS (13) freeradius | (10) eap: Calling submodule eap_tls to process data freeradius | (10) eap_tls: (TLS) EAP Got final fragment (607 bytes) freeradius | (10) eap_tls: (TLS) EAP Done initial handshake freeradius | (10) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done freeradius | (10) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate freeradius | (10) eap_tls: (TLS) Creating attributes from TLS-Client-Cert-Serial certificate freeradius | (10) eap_tls: (TLS) Creating attributes from server certificate freeradius | (10) eap_tls: TLS-Cert-Serial := "1400000002219c173715ec84d9000000000002" freeradius | (10) eap_tls: TLS-Cert-Expiration := "20511007092213Z" freeradius | (10) eap_tls: TLS-Cert-Valid-Since := "211007115340Z" freeradius | (10) eap_tls: TLS-Cert-Subject := "/DC=org/DC=example/CN=XY Sub CA" freeradius | (10) eap_tls: TLS-Cert-Issuer := "/C=xxx/ST=xxx/L=xxx/O=xxx/CN=XY Root CA" freeradius | (10) eap_tls: TLS-Cert-Common-Name := "XY Sub CA" freeradius | (10) eap_tls: (TLS) Creating attributes from client certificate freeradius | (10) eap_tls: TLS-Client-Cert-Serial := "16000028666eef874492e150cd000000002866" freeradius | (10) eap_tls: TLS-Client-Cert-Expiration := "240209105026Z" freeradius | (10) eap_tls: TLS-Client-Cert-Valid-Since := "230209105026Z" freeradius | (10) eap_tls: TLS-Client-Cert-Issuer := "/DC=org/DC=example/CN=XY Sub CA" freeradius | (10) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "host1.XY.example.org" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, 1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "29:AC:A7:3F:AD:4D:C1:29:E6:1D:0B:42:B5:69:2B:0C:B2:1E:EB:16" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:C0:24:69:05:3E:2C:E0:26:AD:85:D9:9E:9D:16:B2:E8:4C:62:81:EC\n" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7878633" freeradius | Certificate chain - 1 cert(s) untrusted freeradius | (TLS) untrusted certificate with depth [1] subject name /DC=org/DC=example/CN=XY Sub CA freeradius | (TLS) untrusted certificate with depth [0] subject name freeradius | (10) eap_tls: Verifying client certificate: /usr/bin/openssl verify -crl_check -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename} freeradius | (10) eap_tls: Executing: /usr/bin/openssl verify -crl_check -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}: freeradius | (10) eap_tls: EXPAND %{TLS-Client-Cert-Filename} freeradius | (10) eap_tls: --> /tmp/radiusd/radiusd.client.XXXCiG1h freeradius | (10) eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.XXXCiG1h: OK' freeradius | (10) eap_tls: Client certificate CN xy Sub CA passed external validation freeradius | (10) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client certificate freeradius | (10) eap_tls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange freeradius | (10) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange freeradius | (10) eap_tls: (TLS) recv TLS 1.2 Handshake, CertificateVerify freeradius | (10) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read certificate verify freeradius | (10) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec freeradius | (10) eap_tls: (TLS) recv TLS 1.2 Handshake, Finished freeradius | (10) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read finished freeradius | (10) eap_tls: (TLS) send TLS 1.2 ChangeCipherSpec freeradius | (10) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec freeradius | (10) eap_tls: (TLS) send TLS 1.2 Handshake, Finished freeradius | (10) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write finished freeradius | (10) eap_tls: (TLS) Handshake state - SSL negotiation finished successfully freeradius | (10) eap_tls: (TLS) Connection Established freeradius | (10) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" freeradius | (10) eap_tls: TLS-Session-Version = "TLS 1.2" freeradius | (10) eap: Sending EAP Request (code 1) ID 249 length 61 freeradius | (10) eap: EAP session adding &reply:State = 0x67e882426d118fb8 freeradius | (10) [eap] = handled freeradius | (10) } # authenticate = handled freeradius | (10) Using Post-Auth-Type Challenge freeradius | (10) # Executing group from file /etc/raddb/sites-enabled/site freeradius | (10) Challenge { ... } # empty sub-section is ignored freeradius | (10) session-state: Saving cached attributes freeradius | (10) Framed-MTU = 1014 freeradius | (10) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" freeradius | (10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" freeradius | (10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" freeradius | (10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" freeradius | (10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" freeradius | (10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" freeradius | (10) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate" freeradius | (10) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" freeradius | (10) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify" freeradius | (10) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" freeradius | (10) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" freeradius | (10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" freeradius | (10) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" freeradius | (10) TLS-Session-Version = "TLS 1.2" freeradius | (10) Sent Access-Challenge Id 135 from 10.0.118.207:1812 to 10.1.100.55:55713 length 119 freeradius | (10) EAP-Message = 0x01f9003d0d80000000331403030001011603030028964829c4b1eb2ba97048870d089503fa0d8020f067c7635c0ab47309d02855de782de2d54f0a70f2 freeradius | (10) Message-Authenticator = 0x00000000000000000000000000000000 freeradius | (10) State = 0x67e882426d118fb8e89303b497b5b384 freeradius | (10) Finished request freeradius | Waking up in 4.8 seconds. freeradius | (11) Received Access-Request Id 136 from 10.1.100.55:55713 to 10.0.118.207:1812 length 262 freeradius | (11) User-Name = "host/host1.XY.example.org" freeradius | (11) NAS-IP-Address = 10.1.100.55 freeradius | (11) NAS-Identifier = "6ad79a35b543" freeradius | (11) Called-Station-Id = "6A-D7-9A-35-B5-43:XY" freeradius | (11) NAS-Port-Type = Wireless-802.11 freeradius | (11) Service-Type = Framed-User freeradius | (11) Calling-Station-Id = "14-5A-FC-11-0C-55" freeradius | (11) Connect-Info = "CONNECT 0Mbps 802.11a" freeradius | (11) Acct-Session-Id = "131C98E526D732C9" freeradius | (11) Acct-Multi-Session-Id = "21DF24B695731162" freeradius | (11) WLAN-Pairwise-Cipher = 1027076 freeradius | (11) WLAN-Group-Cipher = 1027076 freeradius | (11) WLAN-AKM-Suite = 1027073 freeradius | (11) Framed-MTU = 1400 freeradius | (11) EAP-Message = 0x02f900060d00 freeradius | (11) State = 0x67e882426d118fb8e89303b497b5b384 freeradius | (11) Message-Authenticator = 0xa02414c00b4d2d854c32acaf0176ac3d freeradius | (11) Restoring &session-state freeradius | (11) &session-state:Framed-MTU = 1014 freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" freeradius | (11) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" freeradius | (11) &session-state:TLS-Session-Version = "TLS 1.2" freeradius | (11) # Executing section authorize from file /etc/raddb/sites-enabled/site freeradius | (11) authorize { freeradius | (11) policy filter_username { freeradius | (11) if (&User-Name) { freeradius | (11) if (&User-Name) -> TRUE freeradius | (11) if (&User-Name) { freeradius | (11) if (&User-Name =~ / /) { freeradius | (11) if (&User-Name =~ / /) -> FALSE freeradius | (11) if (&User-Name =~ /@[^@]*@/ ) { freeradius | (11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE freeradius | (11) if (&User-Name =~ /\.\./ ) { freeradius | (11) if (&User-Name =~ /\.\./ ) -> FALSE freeradius | (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { freeradius | (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE freeradius | (11) if (&User-Name =~ /\.$/) { freeradius | (11) if (&User-Name =~ /\.$/) -> FALSE freeradius | (11) if (&User-Name =~ /@\./) { freeradius | (11) if (&User-Name =~ /@\./) -> FALSE freeradius | (11) } # if (&User-Name) = notfound freeradius | (11) } # policy filter_username = notfound freeradius | (11) [preprocess] = ok freeradius | (11) eap: Peer sent EAP Response (code 2) ID 249 length 6 freeradius | (11) eap: No EAP Start, assuming it's an on-going EAP conversation freeradius | (11) [eap] = updated freeradius | (11) [expiration] = noop freeradius | (11) [logintime] = noop freeradius | (11) } # authorize = updated freeradius | (11) Found Auth-Type = eap freeradius | (11) # Executing group from file /etc/raddb/sites-enabled/site freeradius | (11) authenticate { freeradius | (11) eap: Expiring EAP session with state 0x67e882426d118fb8 freeradius | (11) eap: Finished EAP session with state 0x67e882426d118fb8 freeradius | (11) eap: Previous EAP request found for state 0x67e882426d118fb8, released from the list freeradius | (11) eap: Peer sent packet with method EAP TLS (13) freeradius | (11) eap: Calling submodule eap_tls to process data freeradius | (11) eap_tls: (TLS) Peer ACKed our handshake fragment. handshake is finished freeradius | (11) eap: Sending EAP Success (code 3) ID 249 length 4 freeradius | (11) eap: Freeing handler freeradius | (11) [eap] = ok freeradius | (11) } # authenticate = ok freeradius | (11) # Executing section post-auth from file /etc/raddb/sites-enabled/site freeradius | (11) post-auth { freeradius | (11) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { freeradius | (11) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE freeradius | (11) update { freeradius | (11) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 1014 freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake, ClientHello' freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHello' freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Certificate' freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerKeyExchange' freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, CertificateRequest' freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHelloDone' freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Certificate' freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, ClientKeyExchange' freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, CertificateVerify' freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Finished' freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 ChangeCipherSpec' freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Finished' freeradius | (11) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384' freeradius | (11) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' freeradius | (11) } # update = noop freeradius | (11) [exec] = noop freeradius | (11) update reply { freeradius | (11) EXPAND %{TLS-Cert-Serial} freeradius | (11) --> 1400000002219c173715ec84d9000000000002 freeradius | (11) Reply-Message += 1400000002219c173715ec84d9000000000002 freeradius | (11) EXPAND %{TLS-Cert-Expiration} freeradius | (11) --> 20511007092213Z freeradius | (11) Reply-Message += 20511007092213Z freeradius | (11) EXPAND %{TLS-Cert-Subject} freeradius | (11) --> /DC=org/DC=example/CN=XY Sub CA freeradius | (11) Reply-Message += /DC=org/DC=example/CN=XY Sub CA freeradius | (11) EXPAND %{TLS-Cert-Issuer} freeradius | (11) --> /C=xxx/ST=xxx/L=xxx/O=xxx/CN=xxx Root CA freeXYius | (11) Reply-Message += /C=xxx/ST=xXYL=xxx/O=xxx/CXYxx Root CA freeradius | (11) EXPAND %{TLS-Cert-CXYon-Name} freeradius | (11) --> xy Sub CA freeradius | (11) Reply-Message += xy Sub CA freeradius | (11) EXPAND %{TLS-Cert-Subject-Alt-Name-Dns} freeradius | (11) --> freeradius | (11) Reply-Message += freeradius | (11) EXPAND %{TLS-Client-Cert-Serial} freeradius | (11) --> 16000028666eef874492e150cd000000002866 freeradius | (11) Reply-Message += 16000028666eef874492e150cd000000002866 freeradius | (11) EXPAND %{TLS-Client-Cert-Expiration} freeradius | (11) --> 240209105026Z freeradius | (11) Reply-Message += 240209105026Z freeradius | (11) EXPAND %{TLS-Client-Cert-Subject} freeradius | (11) --> freeradius | (11) Reply-Message += freeradius | (11) EXPAND %{TLS-Client-Cert-Issuer} freeradius | (11) --> /DC=org/DC=example/CN=XY Sub CA freeradius | (11) Reply-Message += /DC=org/DC=example/CN=XY Sub CA freeradius | (11) EXPAND %{TLS-Client-Cert-Common-Name} freeradius | (11) --> freeradius | (11) Reply-Message += freeradius | (11) EXPAND %{TLS-Client-Cert-Subject-Alt-Name-Dns} freeradius | (11) --> host1.XY.example.org freeradius | (11) Reply-Message += host1.XY.example.org freeradius | (11) } # update reply = noop freeradius | (11) policy remove_reply_message_if_eap { freeradius | (11) if (&reply:EAP-Message && &reply:Reply-Message) { freeradius | (11) if (&reply:EAP-Message && &reply:Reply-Message) -> TRUE freeradius | (11) if (&reply:EAP-Message && &reply:Reply-Message) { freeradius | (11) update reply { freeradius | (11) &Reply-Message !* ANY freeradius | (11) } # update reply = noop freeradius | (11) } # if (&reply:EAP-Message && &reply:Reply-Message) = noop freeradius | (11) ... skipping else: Preceding "if" was taken freeradius | (11) } # policy remove_reply_message_if_eap = noop freeradius | (11) if (EAP-Key-Name && &reply:EAP-Session-Id) { freeradius | (11) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE freeradius | (11) policy debug_session_state { freeradius | (11) if ("%{debug_attr:session-state:}" == '') { freeradius | (11) Attributes matching "session-state:" freeradius | (11) &session-state:Framed-MTU = 1014 freeradius | (11) &session-state:TLS-Session-Information = (TLS) recv TLS 1.3 Handshake, ClientHello freeradius | (11) &session-state:TLS-Session-Information = (TLS) send TLS 1.2 Handshake, ServerHello freeradius | (11) &session-state:TLS-Session-Information = (TLS) send TLS 1.2 Handshake, Certificate freeradius | (11) &session-state:TLS-Session-Information = (TLS) send TLS 1.2 Handshake, ServerKeyExchange freeradius | (11) &session-state:TLS-Session-Information = (TLS) send TLS 1.2 Handshake, CertificateRequest freeradius | (11) &session-state:TLS-Session-Information = (TLS) send TLS 1.2 Handshake, ServerHelloDone freeradius | (11) &session-state:TLS-Session-Information = (TLS) recv TLS 1.2 Handshake, Certificate freeradius | (11) &session-state:TLS-Session-Information = (TLS) recv TLS 1.2 Handshake, ClientKeyExchange freeradius | (11) &session-state:TLS-Session-Information = (TLS) recv TLS 1.2 Handshake, CertificateVerify freeradius | (11) &session-state:TLS-Session-Information = (TLS) recv TLS 1.2 Handshake, Finished freeradius | (11) &session-state:TLS-Session-Information = (TLS) send TLS 1.2 ChangeCipherSpec freeradius | (11) &session-state:TLS-Session-Information = (TLS) send TLS 1.2 Handshake, Finished freeradius | (11) &session-state:TLS-Session-Cipher-Suite = ECDHE-RSA-AES256-GCM-SHA384 freeradius | (11) &session-state:TLS-Session-Version = TLS 1.2 freeradius | (11) EXPAND %{debug_attr:session-state:} freeradius | (11) --> freeradius | (11) if ("%{debug_attr:session-state:}" == '') -> TRUE freeradius | (11) if ("%{debug_attr:session-state:}" == '') { freeradius | (11) [noop] = noop freeradius | (11) } # if ("%{debug_attr:session-state:}" == '') = noop freeradius | (11) } # policy debug_session_state = noop freeradius | (11) if (TLS-Client-Cert-Issuer == "/DC=org/DC=example/CN=XY Sub CA"){ freeradius | (11) if (TLS-Client-Cert-Issuer == "/DC=org/DC=example/CN=XY Sub CA") -> TRUE freeradius | (11) if (TLS-Client-Cert-Issuer == "/DC=org/DC=example/CN=XY Sub CA") { freeradius | (11) if (TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.xy\.example\.org$/i){ freeradius | (11) if (TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.xy\.example\.org$/i) -> TRUE freeradius | (11) if (TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.xy\.example\.org$/i) { freeradius | (11) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1028721") { freeradius | (11) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1028721") -> FALSE freeradius | (11) elsif (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7878633") { freeradius | (11) elsif (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7878633") -> FALSE freeradius | (11) else { freeradius | (11) update reply { freeradius | (11) Reply-Message := "Certificate Extended-Key-Usage with wrong or missing Group." freeradius | (11) Auth-Type := Reject freeradius | (11) } # update reply = noop freeradius | (11) [reject] = reject freeradius | (11) } # else = reject freeradius | (11) } # if (TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.xy\.example\.org$/i) = reject freeradius | (11) } # if (TLS-Client-Cert-Issuer == "/DC=org/DC=example/CN=XY Sub CA") = reject freeradius | (11) } # post-auth = reject freeradius | (11) Using Post-Auth-Type Reject freeradius | (11) # Executing group from file /etc/raddb/sites-enabled/site freeradius | (11) Post-Auth-Type REJECT { freeradius | (11) attr_filter.access_reject: EXPAND %{User-Name} freeradius | (11) attr_filter.access_reject: --> host/host1.XY.example.org freeradius | (11) attr_filter.access_reject: Matched entry DEFAULT at line 11 freeradius | (11) [attr_filter.access_reject] = updated freeradius | (11) [eap] = noop freeradius | (11) policy remove_reply_message_if_eap { freeradius | (11) if (&reply:EAP-Message && &reply:Reply-Message) { freeradius | (11) if (&reply:EAP-Message && &reply:Reply-Message) -> TRUE freeradius | (11) if (&reply:EAP-Message && &reply:Reply-Message) { freeradius | (11) update reply { freeradius | (11) &Reply-Message !* ANY freeradius | (11) } # update reply = noop freeradius | (11) } # if (&reply:EAP-Message && &reply:Reply-Message) = noop freeradius | (11) ... skipping else: Preceding "if" was taken freeradius | (11) } # policy remove_reply_message_if_eap = noop freeradius | (11) } # Post-Auth-Type REJECT = updated freeradius | (11) Delaying response for 1.000000 seconds freeradius | Waking up in 0.3 seconds. freeradius | Waking up in 0.6 seconds. freeradius | (11) Sending delayed response freeradius | (11) Sent Access-Reject Id 136 from 10.0.118.207:1812 to 10.1.100.55:55713 length 44 freeradius | (11) EAP-Message = 0x03f90004 freeradius | (11) Message-Authenticator = 0x00000000000000000000000000000000
On Feb 27, 2023, at 4:18 AM, Dentzer, Daniel <Dentzer@cpa.de> wrote:
It seems that this doesn't work for me.
Read the debug log. If there's an extended key usage OID, it will show up as TLS-Client-Cert-X509v3-Extended-Key-Usage-OID. If there's no extended key usage OID, them it won't show up.
In the session-state is only TLS-Session-Information, TLS-Session-Cipher-Suite, TLS-Session-Version. But it seems I can work directly with TLS-Client-Cert-Issuer and TLS-Client-Cert-Subject-Alt-Name-Dns, but not with TLS-Client-Cert-X509v3-Extended-Key-Usage-OID.
Does it exist? Does it show up in the debug log? The debug log shows every TLS related attribute it creates.
Is there a way to get TLS-Client-Cert-X509v3-Extended-Key-Usage-OID - in the session-state
Does it exist?
(see below ' (11) policy debug_session_state {') Or - like TLS-Client-Cert-Issuer to use it directly
Does TLS-Client-Cert-Issuer exist?
... freeradius | (10) eap_tls: (TLS) Creating attributes from server certificate freeradius | (10) eap_tls: TLS-Cert-Serial := "1400000002219c173715ec84d9000000000002" freeradius | (10) eap_tls: TLS-Cert-Expiration := "20511007092213Z" freeradius | (10) eap_tls: TLS-Cert-Valid-Since := "211007115340Z" freeradius | (10) eap_tls: TLS-Cert-Subject := "/DC=org/DC=example/CN=XY Sub CA" freeradius | (10) eap_tls: TLS-Cert-Issuer := "/C=xxx/ST=xxx/L=xxx/O=xxx/CN=XY Root CA" freeradius | (10) eap_tls: TLS-Cert-Common-Name := "XY Sub CA" freeradius | (10) eap_tls: (TLS) Creating attributes from client certificate freeradius | (10) eap_tls: TLS-Client-Cert-Serial := "16000028666eef874492e150cd000000002866" freeradius | (10) eap_tls: TLS-Client-Cert-Expiration := "240209105026Z" freeradius | (10) eap_tls: TLS-Client-Cert-Valid-Since := "230209105026Z" freeradius | (10) eap_tls: TLS-Client-Cert-Issuer := "/DC=org/DC=example/CN=XY Sub CA" freeradius | (10) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "host1.XY.example.org" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, 1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "29:AC:A7:3F:AD:4D:C1:29:E6:1D:0B:42:B5:69:2B:0C:B2:1E:EB:16" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:C0:24:69:05:3E:2C:E0:26:AD:85:D9:9E:9D:16:B2:E8:4C:62:81:EC\n" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7878633"
OK, that's good. For the initial creation, those attributes are in the request. For subsequent packets, they should be in the session-state list.
... freeradius | (11) Restoring &session-state freeradius | (11) &session-state:Framed-MTU = 1014 freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" freeradius | (11) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" freeradius | (11) &session-state:TLS-Session-Version = "TLS 1.2"
Hmm... you can always copy the attributes to the session-state list, where they will automatically be stored and restored. I'll have to check what's going on behind the scenes. It's been a while since I used v3 like this. Alan DeKok.
OK, for all interested, I solved it this way: In post-auth-section: if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID) { foreach &TLS-Client-Cert-X509v3-Extended-Key-Usage-OID { update session-state { &TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "%{Foreach-Variable-0}" } } } And for the check something like: if(&session-state:TLS-Client-Cert-X509v3-Extended-Key-Usage-OID[*] == "1.3.6.1.4.1....."){ ... } This way I can use different types of certificates (automatically distributed by a windows CA depending on AD-groups) for different groups of computers. We're able to authenticate the computers (actually only wifi) and assign VLANs depending on AD-Groups. Mit freundlichen Grüßen Daniel Dentzer -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+dentzer=cpa.de@lists.freeradius.org> On Behalf Of Alan DeKok Sent: Montag, 27. Februar 2023 19:34 To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: How to check the Extended Key Usage in freeradius? On Feb 27, 2023, at 4:18 AM, Dentzer, Daniel <Dentzer@cpa.de> wrote:
It seems that this doesn't work for me.
Read the debug log. If there's an extended key usage OID, it will show up as TLS-Client-Cert-X509v3-Extended-Key-Usage-OID. If there's no extended key usage OID, them it won't show up.
In the session-state is only TLS-Session-Information, TLS-Session-Cipher-Suite, TLS-Session-Version. But it seems I can work directly with TLS-Client-Cert-Issuer and TLS-Client-Cert-Subject-Alt-Name-Dns, but not with TLS-Client-Cert-X509v3-Extended-Key-Usage-OID.
Does it exist? Does it show up in the debug log? The debug log shows every TLS related attribute it creates.
Is there a way to get TLS-Client-Cert-X509v3-Extended-Key-Usage-OID - in the session-state
Does it exist?
(see below ' (11) policy debug_session_state {') Or - like TLS-Client-Cert-Issuer to use it directly
Does TLS-Client-Cert-Issuer exist?
... freeradius | (10) eap_tls: (TLS) Creating attributes from server certificate freeradius | (10) eap_tls: TLS-Cert-Serial := "1400000002219c173715ec84d9000000000002" freeradius | (10) eap_tls: TLS-Cert-Expiration := "20511007092213Z" freeradius | (10) eap_tls: TLS-Cert-Valid-Since := "211007115340Z" freeradius | (10) eap_tls: TLS-Cert-Subject := "/DC=org/DC=example/CN=XY Sub CA" freeradius | (10) eap_tls: TLS-Cert-Issuer := "/C=xxx/ST=xxx/L=xxx/O=xxx/CN=XY Root CA" freeradius | (10) eap_tls: TLS-Cert-Common-Name := "XY Sub CA" freeradius | (10) eap_tls: (TLS) Creating attributes from client certificate freeradius | (10) eap_tls: TLS-Client-Cert-Serial := "16000028666eef874492e150cd000000002866" freeradius | (10) eap_tls: TLS-Client-Cert-Expiration := "240209105026Z" freeradius | (10) eap_tls: TLS-Client-Cert-Valid-Since := "230209105026Z" freeradius | (10) eap_tls: TLS-Client-Cert-Issuer := "/DC=org/DC=example/CN=XY Sub CA" freeradius | (10) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "host1.XY.example.org" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, 1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "29:AC:A7:3F:AD:4D:C1:29:E6:1D:0B:42:B5:69:2B:0C:B2:1E:EB:16" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:C0:24:69:05:3E:2C:E0:26:AD:85:D9:9E:9D:16:B2:E8:4C:62:81:EC\n" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7878633"
OK, that's good. For the initial creation, those attributes are in the request. For subsequent packets, they should be in the session-state list.
... freeradius | (11) Restoring &session-state freeradius | (11) &session-state:Framed-MTU = 1014 freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" freeradius | (11) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" freeradius | (11) &session-state:TLS-Session-Version = "TLS 1.2"
Hmm... you can always copy the attributes to the session-state list, where they will automatically be stored and restored. I'll have to check what's going on behind the scenes. It's been a while since I used v3 like this. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Dentzer, Daniel