Check the subject and issuer in the EAP-TLS
Michal Prochazka
michalp at ics.muni.cz
Tue May 16 12:00:13 CEST 2006
> Oh, I've missed your point, sorry.
> This patch is against using some (for example, e-mail signing)
> certificate (issued by proper CA!) as wireless client's one, am I right
> on second try? :)
No :-) As I have said, this script is enhancement of the EAP-TLS
authentication. Radius does usual TLS authenticatioin, user must have
certificate issued by CA which is defined in freeradius in eap-tls
configuration (you can use every certificate, you must have the CA
certificate in path where freeradius searchs for CA certificates). After
successful authentication this script gets the subject name and issuer
and compare it against the list of allowed certificates. That's it:-)
I have gathered some comments and there is another solution: In eap
authentication phase after successful authentication put whole client
certificate into the request packet and write the eap-tls authorize
section where the script (defined in some configuration file) will be
started and whole certificate will be passed to this script. Then the
script can process whole client certificate and can decide on
each field in the certificate.
--
Michal Prochazka // michalp at ics.muni.cz
Supercomputing Center Brno
Institute of Computer Science
Masaryk University
Botanicka 68a, 60200 Brno, CZ
CESNET z.s.p.o.
Zikova 4, 16200 Praha 6, CZ
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2920 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20060516/3e83a01a/attachment.bin>
More information about the Freeradius-Users
mailing list