Using X.509 Cert. subject and issuer for authorization with EAP-TLS

Alan DeKok
Fri Apr 11 11:04:36 CEST 2008

Arnaud Ebalard wrote:
> From my understanding (don't hesitate to correct me), the authorization
> step being done before the authentication step (for the purpose of
> selecting the allowed authentication method), it does not seem possible
> to use attributes from the X.509 Certificate provided by the client for
> the purpose of authorization (it comes too late).

  No... there are multiple packet exchanges involved.  You can check the
certificate ONLY after you've received all of it.  This happens during
one of the authorization phases, and before authentication happens.

> I expected I would be able to extract the information from the client
> Cert during authentication and make it available for Post-Auth in
> order to decide what to do in a more precise manner (change attribute,
> reject, ...).

  That's a great feature.  As always, patches are welcome.

> - where to store the information grabbed in the SSL callback,

  Don't.  There's no reason to grab that information if no one is
looking for it.  Instead, save a pointer to the SSL session, and
register a callback that can dynamically expand the strings, if, and
when, someone asks for it.

  See xlat.c, and other examples of registering a callback.

> - how to make that information usable in a transparent fashion for
>   Post-Auth modules like rlm_files, ... 

  That's the purpose of the callbacks: to be transparent.

> - how to force a reject and not only change attributes, ...

  That's a policy.  It has nothing to do with certificates.

  Alan DeKok.
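The design sketched in the reply (keep the session, expand the certificate's subject and issuer only when a policy asks for them, and leave the reject decision to policy), as an added example written for this page rather than code from FreeRADIUS. The `TlsSession` stand-in, the expansion names `TLS-Client-Cert-Subject`/`TLS-Client-Cert-Issuer`, the trusted issuer, the reply attributes and the certificate dictionary (built in the shape Python's `ssl.SSLSocket.getpeercert()` returns) are all assumptions constructed here.

```python
# Short attribute names for the long names ssl.getpeercert() uses.
SHORT = {"commonName": "CN", "organizationName": "O", "organizationalUnitName": "OU",
         "countryName": "C"}
DN_SPECIAL = ',+"\\<>;'   # characters RFC 4514 requires to be escaped in a value

def escape_value(v):
    out = "".join("\\" + c if c in DN_SPECIAL else c for c in v)
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def dn_to_string(name):
    """Render a getpeercert()-style Name (tuple of RDNs, each a tuple of
    (type, value) pairs) as an escaped, comma-separated string in cert order."""
    return ",".join("+".join(f"{SHORT.get(t, t)}={escape_value(v)}" for t, v in rdn)
                    for rdn in name)

class TlsSession:
    """Stand-in for the saved SSL session pointer; holds the raw peer cert."""
    def __init__(self, peer_cert):
        self.peer_cert = peer_cert   # None when the client sent no certificate

def xlat_subject(s):
    return dn_to_string(s.peer_cert["subject"]) if s.peer_cert else ""

def xlat_issuer(s):
    return dn_to_string(s.peer_cert["issuer"]) if s.peer_cert else ""

# Expansion callbacks keyed by the name a policy references. Nothing is pulled
# out of the certificate until a policy actually asks for one of these.
XLAT = {"TLS-Client-Cert-Subject": xlat_subject, "TLS-Client-Cert-Issuer": xlat_issuer}

TRUSTED_ISSUER = "O=Example Corp,CN=Example Corp CA"            # constructed
ALLOWED_SUBJECTS = {"O=Example Corp,CN=alice", "O=Example Corp,CN=bob"}

def post_auth_policy(s):
    """The policy layer decides reject/accept and which reply attributes to add."""
    if XLAT["TLS-Client-Cert-Issuer"](s) != TRUSTED_ISSUER:
        return "Reject", {"Reply-Message": "certificate not from the trusted CA"}
    if XLAT["TLS-Client-Cert-Subject"](s) not in ALLOWED_SUBJECTS:
        return "Reject", {"Reply-Message": "certificate subject not authorised"}
    return "Accept", {"Tunnel-Private-Group-Id": "100"}

# Constructed sample in getpeercert() shape (not taken from a real certificate).
ALICE = {"issuer": ((("organizationName", "Example Corp"),), (("commonName", "Example Corp CA"),)),
         "subject": ((("organizationName", "Example Corp"),), (("commonName", "alice"),))}
```

The escaping is what keeps a subject such as `CN=mallory,CN=alice` from matching the allowed string for `alice` once both are rendered as text.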
