hello, In the EAP-tls access, the textbox "Identity" on smartphones have a correspondent attribute in freeradius? eap_tls: TLS-Cert-Common-Name := "COMPANY CA" Wed Apr 10 15:09:30 2019 : Debug: (2957) eap_tls: chain-depth : 1 Wed Apr 10 15:09:30 2019 : Debug: (2957) eap_tls: error : 0 Wed Apr 10 15:09:30 2019 : Debug: (2957) eap_tls: *identity : 99171* -- Elias Pereira
On Apr 11, 2019, at 9:39 PM, Matthew Newton <mcn@freeradius.org> wrote:
On Wed, 2019-04-10 at 15:23 -0300, Elias Pereira wrote:
In the EAP-tls access, the textbox "Identity" on smartphones have a correspondent attribute in freeradius?
Maybe in User-Name?
Look at the debug output to see if it's sent.
Indeed, it'll be in user-name as a function of the NAS copying the EAP-Identity-Response to the RADIUS packet in the User-Name attribute. If it's longer than 253 bytes, it should be available untruncated/unmolested in the TLS Verification virtual server. -Arran
hello, Yes, it's User-Name!! I have an infra with freeradius for authentication via EAP-TLS. Users download a .p12 according to their user in our domain. Installs this .p12 that contains the personal certificate, private key, and CA. In android devices the Identity field is required. Due to a failure in my configuration or not, if a user installs their .p12 and Identity puts another user from our domain, the connection is accepted in the same way. I was able to fix this with some ifs / else. I would like to try to find where the problem is and try to fix it. Thanks for the answers!!! On Thu, Apr 11, 2019 at 5:43 PM Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On Apr 11, 2019, at 9:39 PM, Matthew Newton <mcn@freeradius.org> wrote:
On Wed, 2019-04-10 at 15:23 -0300, Elias Pereira wrote:
In the EAP-tls access, the textbox "Identity" on smartphones have a correspondent attribute in freeradius?
Maybe in User-Name?
Look at the debug output to see if it's sent.
Indeed, it'll be in user-name as a function of the NAS copying the EAP-Identity-Response to the RADIUS packet in the User-Name attribute.
If it's longer than 253 bytes, it should be available untruncated/unmolested in the TLS Verification virtual server.
-Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Elias Pereira
On Apr 12, 2019, at 2:04 PM, Elias Pereira <empbilly@gmail.com> wrote:
In android devices the Identity field is required. Due to a failure in my configuration or not, if a user installs their .p12 and Identity puts another user from our domain, the connection is accepted in the same way. I was able to fix this with some ifs / else. I would like to try to find where the problem is and try to fix it.
Read the debug output. It will show you what attribute has the TLS certificate identity. Usually TLS-Client-Cert-Common-Name Then, write some unlang to compare that to the User-Name: if (TLS-Client-Cert-Common-Name && TLS-Client-Cert-Common-Name != User-Name) { reject } Alan DeKok.
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
Elias Pereira -
Matthew Newton