Check the subject and issuer in the EAP-TLS

Michal Prochazka michalp at ics.muni.cz
Fri May 12 14:06:06 CEST 2006


Hello,

As I have noticed, there is no possibility to check the subject
and issuer of the client certificate. My idea is to use EAP-TLS authN,
but allow only some of the certificates issued by a concrete CA. The two options
which are available in the EAP-TLS config are not suitable for me. I don't
want to revoke the certs, and the RE cannot be used either.

That's why I created a small patch to freeradius 1.1.0. I've added a new
option check_script in the config of EAP-TLS, where the path to a
script or application can be defined which is executed after successful TLS
authentication. The script/application will receive in environment variables the
request packet with two new value pairs: X509_SUBJECT and X509_ISSUER.
The EAP-TLS module decides on the returned value of the script/app whether the
request will be discarded or allowed.

I'm open for every remark and enhancement of this patch.

I'm running the patched freeradius in our organization and till now it works
well.

The patch is attached if anyone is interested.

Best regards,

Michal

-- 
Michal Prochazka // michalp at ics.muni.cz

Supercomputing Center Brno
Institute of Computer Science
Masaryk University
Botanicka 68a, 60200 Brno, CZ

CESNET z.s.p.o.
Zikova 4, 16200 Praha 6, CZ

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeradius-eap-tls-check-cert-1.1.0.patch
Type: text/x-patch
Size: 9046 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20060512/e3dc65f4/attachment.bin>
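As an added example (not part of the mail or of the attached patch), a check_script of the kind described above: it allows only an exact list of subject DNs issued by one CA and fails closed on anything else. It assumes the module exports X509_SUBJECT and X509_ISSUER as environment variables of the same name and treats exit status 0 as allow and any other status as reject; neither detail is stated in the mail.

```shell
#!/bin/sh
# Hypothetical check_script for the patched EAP-TLS module described in the
# mail. Assumptions not stated there: the module passes the X509_SUBJECT and
# X509_ISSUER value pairs as environment variables of the same name, and
# treats exit status 0 as "allow" and any other status as "reject".

# Constructed allowlist: the one CA that must have issued the certificate,
# and the exact subject DNs permitted to authenticate.
ALLOWED_ISSUER='/C=CZ/O=Example Org/CN=Example Org Client CA'
ALLOWED_SUBJECTS='/C=CZ/O=Example Org/CN=alice
/C=CZ/O=Example Org/CN=bob'

log() {
    logger -t eap-tls-check "$1" 2>/dev/null || echo "eap-tls-check: $1" >&2
}

# check_cert ISSUER SUBJECT -> exit status 0 if allowed, 1 otherwise.
check_cert() {
    # Issuer first: a matching subject under a foreign CA must never pass.
    [ "$1" = "$ALLOWED_ISSUER" ] || return 1
    # Whole-line, fixed-string match so CN=alice2 is not accepted as CN=alice.
    printf '%s\n' "$ALLOWED_SUBJECTS" | grep -Fxq -- "$2"
}

# Entry point used by the module: decide from the environment, fail closed.
main() {
    if [ -z "$X509_SUBJECT" ] || [ -z "$X509_ISSUER" ]; then
        log "missing X509_SUBJECT or X509_ISSUER, rejecting"
        return 1
    fi
    if check_cert "$X509_ISSUER" "$X509_SUBJECT"; then
        log "allow subject=$X509_SUBJECT"
        return 0
    fi
    log "reject subject=$X509_SUBJECT issuer=$X509_ISSUER"
    return 1
}

# Only run main when the module has actually set the variables, so the
# functions can also be sourced and tested on their own.
if [ -n "${X509_ISSUER+set}" ]; then
    main
    exit $?
fi
```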