EAP-TLS & authorize & LDAP -> non-sane default

Stefan Winter stefan.winter at restena.lu
Thu Oct 20 12:47:52 CEST 2011


Some admins who deploy EAP-TLS brought an interesting note to my
attention (can't actually verify it, as I don't have their sophisticated

The story goes like this:

- EAP-TLS does not have inner EAP, so there is no inner virtual server
for it
- if you want to do authorization checks for the user, it has to happen on
the outer server (say, ask LDAP for some user attributes)
- the default ldap filter expression uses (Stripped) User-Name
- User-Name in EAP-TLS can be set arbitrarily by the end user as outer

-> FreeRADIUS by default performs authorisation checks with an unvetted,
user-supplied string

So, if John Doe has a valid certificate, but is not authorized for
network access, but he knows that Jane Donk *is* authorized, he could
set anon ID = Jane Donk, and use his own certificate. authorize passes
with Jane's User-Name, and authentication passes with John's proper

That's all no tragedy; after all, it's just the *default* behaviour of
the LDAP module, and can be changed. People may want to "channel bind"
the two values on their own by enforcing User-Name ==
TLS-Client-Cert-Common-Name or so.

I'm just wondering if we could by default ship a config which would
prefer cert content, such as Common Name, over unvetted information so
as to have a more sane default.

I'm guessing that changing the ldap module's "filter" config item should
do, from

filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"


filter =

(uh, I'm sure I got those curly braces wrong... bear with me...)

That expression would do the same as before in all cases except when EAP
types with Client TLS certificates are used, and would only then use the CN.

Is there any sense in what I write?


Stefan Winter

Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

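The scenario in the post, as an added example that is not part of the original mail or of FreeRADIUS: a small Python model of the outer `authorize` decision. It shows which string the LDAP lookup is keyed on under the shipped default filter, under a filter that prefers TLS-Client-Cert-Common-Name when a client certificate is present, and with an explicit User-Name == CN binding check. The attribute names are the FreeRADIUS ones; the directory contents and the four requests (Jane, an honest John, John presenting Jane's outer identity with his own certificate, and a certificate-less PEAP-style request) are constructed for the example, and the LDAP server is a toy that only understands `(uid=...)`.

```python
"""
Added example, not code from the mailing-list post or from FreeRADIUS:
a model of the EAP-TLS authorization problem described above.
"""
import re

# Constructed directory: uid -> whether the account is allowed network access.
DIRECTORY = {"jane": True, "john": False}

# Constructed requests. Attribute names follow FreeRADIUS; values are made up.
JANE = {"User-Name": "jane", "TLS-Client-Cert-Common-Name": "jane"}
JOHN_HONEST = {"User-Name": "john", "TLS-Client-Cert-Common-Name": "john"}
JOHN_SPOOFED = {"User-Name": "jane", "TLS-Client-Cert-Common-Name": "john"}
PEAP_NO_CERT = {"User-Name": "jane@example.org", "Stripped-User-Name": "jane"}


def ldap_escape(value):
    """RFC 4515 escaping for a value interpolated into a search filter.
    The outer User-Name is chosen by the supplicant, so it is never
    interpolated raw."""
    return re.sub(r'[*()\\\x00]', lambda m: '\\%02x' % ord(m.group()), value)


def identity_from_request(request):
    """The default expansion %{%{Stripped-User-Name}:-%{User-Name}}."""
    return request.get("Stripped-User-Name") or request.get("User-Name", "")


def default_filter(request):
    """Shipped default: key the lookup on the user-supplied outer identity."""
    return "(uid=%s)" % ldap_escape(identity_from_request(request))


def cert_preferring_filter(request):
    """Key on the certificate CN when a client certificate was presented,
    otherwise fall back to the default expansion (hypothetical variant)."""
    cn = request.get("TLS-Client-Cert-Common-Name")
    name = cn if cn is not None else identity_from_request(request)
    return "(uid=%s)" % ldap_escape(name)


def channel_bound(request):
    """The post's other option: require User-Name == TLS-Client-Cert-Common-Name
    whenever a certificate is present."""
    cn = request.get("TLS-Client-Cert-Common-Name")
    return cn is None or identity_from_request(request) == cn


def ldap_lookup(search_filter):
    """Toy LDAP: parse '(uid=...)' and return the directory entry, or None."""
    m = re.fullmatch(r'\(uid=([^()]*)\)', search_filter)
    uid = m.group(1) if m else None
    return DIRECTORY.get(uid)


def authorize(request, filter_fn=default_filter, enforce_binding=False):
    """True if the modelled authorize section would grant access."""
    if enforce_binding and not channel_bound(request):
        return False
    return bool(ldap_lookup(filter_fn(request)))


if __name__ == "__main__":
    cases = [("jane", JANE), ("john honest", JOHN_HONEST),
             ("john using jane's outer identity", JOHN_SPOOFED),
             ("peap, no client cert", PEAP_NO_CERT)]
    for label, req in cases:
        print("%-34s default=%-5s prefer-cert=%-5s bound=%s" % (
            label, authorize(req),
            authorize(req, cert_preferring_filter),
            authorize(req, enforce_binding=True)))
```

Running it shows the point of the post in one line: under the default filter the third request is authorized on Jane's entry although the certificate is John's, while both alternatives reject it and leave the other three cases unchanged.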