Option to disable client certificate validation in freeradius server
Hi, For quite some time, I am looking for an explicit option (configuration parameter) to disable client certificate validation in freeradius server. It's needed for my validation of my CPE WAN interface DHCP functionality post 802.1x authentication using EAP-TLS. Please suggest.
On Aug 19, 2019, at 2:01 AM, Kumaravel M <kumara2k@gmail.com> wrote:
For quite some time, I am looking for an explicit option (configuration parameter) to disable client certificate validation in freeradius server. It's needed for my validation of my CPE WAN interface DHCP functionality post 802.1x authentication using EAP-TLS. Please suggest.
There isn't such an option, sorry. Doing that would require source code changes. Alan DeKok.
Alan DeKok <aland@deployingradius.com> wrote:
On Aug 19, 2019, at 2:01 AM, Kumaravel M <kumara2k@gmail.com> wrote:
For quite some time, I am looking for an explicit option (configuration parameter) to disable client certificate validation in freeradius server. It's needed for my validation of my CPE WAN interface DHCP functionality post 802.1x authentication using EAP-TLS. Please suggest.
There isn't such an option, sorry. Doing that would require source code changes.
I did start to look at the prospect of adding such features, but only got as far as writing up a gist. https://gist.github.com/skids/04cd1b47792a862755a7b0fddb89f34c
On Aug 19, 2019, at 9:58 AM, Brian Julin <BJulin@clarku.edu> wrote:
I did start to look at the prospect of adding such features, but only got as far as writing up a gist.
https://gist.github.com/skids/04cd1b47792a862755a7b0fddb89f34c
That sounds reasonable. For v4, Arran has re-worked all of the TLS handling. The certificate checking, session caching, etc. is all handled in a specialized virtual server. So things which required code changes in v3 just require "unlang" policies in v4. Alan DeKok.
On 19 Aug 2019, at 10:37, Alan DeKok <aland@deployingradius.com> wrote:
On Aug 19, 2019, at 9:58 AM, Brian Julin <BJulin@clarku.edu> wrote:
I did start to look at the prospect of adding such features, but only got as far as writing up a gist.
https://gist.github.com/skids/04cd1b47792a862755a7b0fddb89f34c
That sounds reasonable.
For v4, Arran has re-worked all of the TLS handling. The certificate checking, session caching, etc. is all handled in a specialized virtual server.
So things which required code changes in v3 just require "unlang" policies in v4.
Need another config item "request_client_cert" and control attribute that changes whether the certificate is requested independently of whether it's required. I can see requesting a certificate in every scenario might cause issues if the Windows/Andoid/macOS/iOS ever support multi-factor PEAP. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
Brian Julin -
Kumaravel M