Hi all, I need to be clearer on this obviously. We have a situation where one or two senior engineers are changing infrastructure and not being open about it, they do not want to do the "teamwork" thing and I politically cannot force them to do so since they operate at the same level as me, hence me trying to check the certificate presented to see if it fell into the "acceptable" template created at the project start. It's not ideal, but the technology route will be quicker route to resolution. Politics! End users cannot create certificates. I'll re-read the docs, but the sites-enabled/default seems to be the main place where the TLS-* attributes are mentioned. Not sure about the 3.1.0 thing - my version says: freeradius: FreeRADIUS Version 3.1.0 (git #1411859), for host x86_64-unknown-linux-gnu, built on Aug 5 2014 at 17:42:11 Copyright (C) 1999-2014 The FreeRADIUS server project and contributors ? Thanks as always Andy -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of Michael Ströder Sent: 30 March 2015 14:14 To: FreeRadius users mailing list Subject: Re: Certificate information Franks Andy (IT Technical Architecture Manager) wrote:
I was wondering if there is any way I could read a TLS client certificate field (probably MS specific) called "Certificate Template Information". We have an M$ CA (for now), and one of the strings within this field contains the name of the certificate template, which I want to check, to make sure that people aren't making up their own cert templates and randomly giving wireless access to people in the wrong way (I have good reason).
I think your idea is the completely wrong approach for the problem. Make sure you have your PKI under your control => ensure that "people" cannot make up their own cert templates. Ciao, Michael.
On Mar 30, 2015, at 11:28 AM, Franks Andy (IT Technical Architecture Manager) <Andy.Franks@sath.nhs.uk> wrote:
I need to be clearer on this obviously. We have a situation where one or two senior engineers are changing infrastructure and not being open about it, they do not want to do the "teamwork" thing and I politically cannot force them to do so since they operate at the same level as me, hence me trying to check the certificate presented to see if it fell into the "acceptable" template created at the project start. It's not ideal, but the technology route will be quicker route to resolution. Politics! End users cannot create certificates.
It's weird, but if you don't want to use a CA...
I'll re-read the docs, but the sites-enabled/default seems to be the main place where the TLS-* attributes are mentioned.
They're in the default configuration. Maybe someone deleted them.
Not sure about the 3.1.0 thing - my version says: freeradius: FreeRADIUS Version 3.1.0 (git #1411859), for host x86_64-unknown-linux-gnu, built on Aug 5 2014 at 17:42:11 Copyright (C) 1999-2014 The FreeRADIUS server project and contributors ?
You installed the "master" branch from git. Don't do that. Use a released version. Alan DeKok.
On 30 Mar 2015, at 11:28, Franks Andy (IT Technical Architecture Manager) <Andy.Franks@sath.nhs.uk> wrote:
Hi all, I need to be clearer on this obviously. We have a situation where one or two senior engineers are changing infrastructure and not being open about it, they do not want to do the "teamwork" thing and I politically cannot force them to do so since they operate at the same level as me, hence me trying to check the certificate presented to see if it fell into the "acceptable" template created at the project start. It's not ideal, but the technology route will be quicker route to resolution. Politics! End users cannot create certificates.
I'll re-read the docs, but the sites-enabled/default seems to be the main place where the TLS-* attributes are mentioned.
The relevant code is here: /* * Grab the X509 extensions, and create attributes out of them. * For laziness, we re-use the OpenSSL names */ if (sk_X509_EXTENSION_num(ext_list) > 0) { int i, len; char *p; BIO *out; out = BIO_new(BIO_s_mem()); strlcpy(attribute, "TLS-Client-Cert-", sizeof(attribute)); for (i = 0; i < sk_X509_EXTENSION_num(ext_list); i++) { ASN1_OBJECT *obj; X509_EXTENSION *ext; ext = sk_X509_EXTENSION_value(ext_list, i); obj = X509_EXTENSION_get_object(ext); i2a_ASN1_OBJECT(out, obj); len = BIO_read(out, attribute + 16 , sizeof(attribute) - 16 - 1); if (len <= 0) continue; attribute[16 + len] = '\0'; X509V3_EXT_print(out, ext, 0, 0); len = BIO_read(out, value , sizeof(value) - 1); if (len <= 0) continue; value[len] = '\0'; /* * Mash the OpenSSL name to our name, and * create the attribute. */ for (p = value + 16; *p != '\0'; p++) { if (*p == ' ') *p = '-'; } vp = pairmake(talloc_ctx, certs, attribute, value, T_OP_ADD); rdebug_pair_list(L_DBG_LVL_2, request, vp, NULL); } BIO_free_all(out); } So in theory if it appears as an X509 extension, and as Alan B said, you've created the appropriate RADIUS attribute, it'll automatically be decoded and placed in that attribute. I'll modify it so it prints about a bit more info, like attributes that would have been defined had the appropriate RADIUS attribute been present. That should help you a bit. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Hi,
So in theory if it appears as an X509 extension, and as Alan B said, you've created the appropriate RADIUS attribute, it'll automatically be decoded and placed in that attribute.
thought so :-)
I'll modify it so it prints about a bit more info, like attributes that would have been defined had the appropriate RADIUS attribute been present. That should help you a bit.
that would be useful....but maybe only with a particular setting/flag? PS regarding this issue - I'd have given them an intermediate....with the rules that if they break the rules you just revoke the intermediate. right now the only thing you can do is revoke the CA to protect/close shop. thats not good. alan
On 30 Mar 2015, at 12:10, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
So in theory if it appears as an X509 extension, and as Alan B said, you've created the appropriate RADIUS attribute, it'll automatically be decoded and placed in that attribute.
thought so :-)
I'll modify it so it prints about a bit more info, like attributes that would have been defined had the appropriate RADIUS attribute been present. That should help you a bit.
that would be useful....but maybe only with a particular setting/flag?
Maybe RDEBUG3 so it doesn't appear with -X Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 30 Mar 2015, at 12:25, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 30 Mar 2015, at 12:10, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
So in theory if it appears as an X509 extension, and as Alan B said, you've created the appropriate RADIUS attribute, it'll automatically be decoded and placed in that attribute.
thought so :-)
I'll modify it so it prints about a bit more info, like attributes that would have been defined had the appropriate RADIUS attribute been present. That should help you a bit.
that would be useful....but maybe only with a particular setting/flag?
Maybe RDEBUG3 so it doesn't appear with -X
OK, added that, run with -Xx and you should see attributes that were skipped vp = pairmake(talloc_ctx, certs, attribute, value, T_OP_ADD); if (!vp) { RDEBUG3("Skipping %s += '%s'. Define %s in the server dictionary " "if you require this attribute", attribute, value, attribute); } else { rdebug_pair_list(L_DBG_LVL_2, request, vp, NULL); } -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
Franks Andy (IT Technical Architecture Manager)