EAP-TLS CN Check Question
Greetings, I'm working with the EAP-TLS configuration and one thing I'd like to do is to be able to restrict a certificate to use on a specific device. In most cases, I can get this to work: check_cert_cn = %{User-Name}-%{Calling-Station-Id} However, by default WindowsXP is using the value of CN from the certificate as the username so I get a value which matches check_cert_cn = %{User-Name} making it hard to integrate the Calling-Station-Id into the comparison. Full regexp comparisons don't seem to be available, at least that used to be the case based on my reading of the mailing list archives. Is there some other way to accomplish this? I was thinking if perhaps the certificate attributes ended up in a place where I could perform more thorough unlang comparisons I could get the same effect. The authentication eventually passes through the users file, and the User-Name and Calling-Station-Id should be available there but I don't know if I can access the CN or other certificate attributes there. Does anybody know if this is possible? As a fallback, I can have the XP users jump through more configuration hoops, or put only the Calling-Station-Id into the CN but I do like having the username in there as well. Thanks in advance, -David Mitchell -- ----------------------------------------------------------------- | David Mitchell (mitchell@ucar.edu) Network Engineer IV | | Tel: (303) 497-1845 National Center for | | FAX: (303) 497-1818 Atmospheric Research | -----------------------------------------------------------------
David Mitchell wrote:
Is there some other way to accomplish this? I was thinking if perhaps the certificate attributes ended up in a place where I could perform more thorough unlang comparisons I could get the same effect. The authentication eventually passes through the users file, and the User-Name and Calling-Station-Id should be available there but I don't know if I can access the CN or other certificate attributes there. Does anybody know if this is possible?
I've encountered a similar issue I'm not sure how to deal with. Is there a place I can log any attributes of the certificate? I log my accounting records via linelog, and as long as the configuration I end up with forces something reasonable into the User-Name value I do log a username. But it occurs to me it might be nice to have some kind of record of the certificate which was used. Either the CN, or serial number, or something. Is there a way to do this? -David Mitchell -- ----------------------------------------------------------------- | David Mitchell (mitchell@ucar.edu) Network Engineer IV | | Tel: (303) 497-1845 National Center for | | FAX: (303) 497-1818 Atmospheric Research | -----------------------------------------------------------------
David Mitchell wrote:
I've encountered a similar issue I'm not sure how to deal with. Is there a place I can log any attributes of the certificate?
Not at this moment. Patches are welcome.
I log my accounting records via linelog, and as long as the configuration I end up with forces something reasonable into the User-Name value I do log a username. But it occurs to me it might be nice to have some kind of record of the certificate which was used. Either the CN, or serial number, or something. Is there a way to do this?
Source code changes. Alan DeKok.
Alan DeKok wrote:
David Mitchell wrote:
I've encountered a similar issue I'm not sure how to deal with. Is there a place I can log any attributes of the certificate?
Not at this moment. Patches are welcome.
I log my accounting records via linelog, and as long as the configuration I end up with forces something reasonable into the User-Name value I do log a username. But it occurs to me it might be nice to have some kind of record of the certificate which was used. Either the CN, or serial number, or something. Is there a way to do this?
Source code changes.
I believe I've found a better workaround for my original problem. By using the realm module, I can strip off the unwanted portion of the User-Name attribute. In sites-enabled/default enable the 'suffix' module as needed. In proxy.conf: # We don't actually care about the realm, we just need a match realm "~.+$" { authhost = LOCAL # not strictly necessary accthost = LOCAL # not strictly necessary } In eap.conf: # Check for either Stripped-User-Name or User-Name, as we don't know # which format the client will use. check_cert_cn = %{%{Stripped-User-Name}:-%{User-Name}}@%{Calling-Station-Id} Then issue certificates with a CN of the form username@1122.3344.5566. Most clients prompt the user for the value of User-Name, so they can just enter 'username'. XP sends the actual value of CN, but the realm strips the extra info back off so that we can do the comparison we want. -David
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ----------------------------------------------------------------- | David Mitchell (mitchell@ucar.edu) Network Engineer IV | | Tel: (303) 497-1845 National Center for | | FAX: (303) 497-1818 Atmospheric Research | -----------------------------------------------------------------
participants (2)
-
Alan DeKok -
David Mitchell