IP address allocation based on certificate attributes
My use case is using EAP-TLS, and clients authenticating using X509 certificates. I know that certificate authentication is bread and butter for Radius, but I have a more granular requirement. The user certificates are setup according to different countries, and cities etc where the users are based, e.g. within the Subject field is an attribute C=GB or C=US etc. I need to be able to allocate US users to one range of IP addresses, and UK users to another range of IP addresses - based solely on those attributes. Is this possible? Can it be done in configuration, or would it require coding? Many thanks Janet
janet long wrote:
I know that certificate authentication is bread and butter for Radius, but I have a more granular requirement.
That's why you use FreeRADIUS. :)
The user certificates are setup according to different countries, and cities etc where the users are based, e.g. within the Subject field is an attribute C=GB or C=US etc. I need to be able to allocate US users to one range of IP addresses, and UK users to another range of IP addresses - based solely on those attributes.
See raddb/sites-available/default in the recent releases of version 2. You can query many of the certificate fields. Look for "TLS-"
Is this possible? Can it be done in configuration, or would it require coding?
It can be done without any coding changes. Just check the TLS-Cert-Subject attribute. Look for "C=..", via a regex, and then use the country code as a key to choose an IP pool. It takes 3-4 steps, but it's all relatively straightforward. Alan DeKok.
participants (2)
-
Alan DeKok -
janet long