Check the subject and issuer in the EAP-TLS

Michal Prochazka michalp at ics.muni.cz
Tue May 16 12:00:13 CEST 2006


>   Oh, I've missed your point, sorry.
>   This patch is against using some (for example, e-mail signing)
> certificate (issued by a proper CA!) as a wireless client's one, am I
> right on the second try? :)

No :-) As I have said, this script is an enhancement of the EAP-TLS 
authentication. Radius does the usual TLS authentication: the user must have 
a certificate issued by a CA which is defined in freeradius in the eap-tls 
configuration (you can use any certificate, you must have the CA 
certificate in the path where freeradius searches for CA certificates). After 
successful authentication this script gets the subject name and issuer 
and compares them against the list of allowed certificates. That's it:-)

I have gathered some comments and there is another solution: in the eap 
authentication phase, after successful authentication, put the whole client 
certificate into the request packet and write the eap-tls authorize 
section so that the script (defined in some configuration file) will be 
started and the whole certificate will be passed to this script. Then the 
script can process the whole client certificate and can decide on
each field in the certificate.

-- 
Michal Prochazka // michalp at ics.muni.cz

Supercomputing Center Brno
Institute of Computer Science
Masaryk University
Botanicka 68a, 60200 Brno, CZ

CESNET z.s.p.o.
Zikova 4, 16200 Praha 6, CZ
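The subject/issuer allowlist check described in the message above, written out as an added example. This is not Michal's script and not FreeRADIUS code. It assumes, as a hypothetical deployment detail, that FreeRADIUS's exec module hands the two DNs to the script in the environment variables TLS_CLIENT_CERT_SUBJECT and TLS_CLIENT_CERT_ISSUER in OpenSSL's one-line "/C=CZ/O=.../CN=..." form, and that a zero exit status means accept and a non-zero status means reject; the allowlist content is constructed sample data. The comparison is deliberately exact on the full (subject, issuer) pair: a subject match alone would let any CA in the trusted path mint an identical subject, and a prefix or substring match would accept "/CN=alice/OU=..." for an allowlisted "/CN=alice".

```python
"""
Added example (not the original poster's script, not FreeRADIUS code):
post-authentication allowlist check on the EAP-TLS client certificate's
(subject, issuer) pair, as run by an exec-style module after TLS succeeds.

Assumptions (hypothetical, not taken from the message):
  * the DNs arrive in TLS_CLIENT_CERT_SUBJECT / TLS_CLIENT_CERT_ISSUER
    in OpenSSL one-line form, e.g. /C=CZ/O=Masaryk University/CN=alice
  * exit status 0 = accept, 1 = reject
"""
import os
import sys


def parse_dn(dn):
    """Parse an OpenSSL one-line DN into an ordered tuple of (ATTR, value).

    Order is significant in an X.500 name, so the result is a tuple, not a
    set.  '\\/' inside a value is an escaped slash.  Anything that does not
    look like a DN raises ValueError so that the caller can fail closed.
    """
    dn = dn.strip()
    if not dn.startswith("/"):
        raise ValueError("expected a DN beginning with '/': %r" % dn)
    rdns, buf, i = [], [], 1
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == "/":                           # unescaped separator
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    parsed = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("malformed RDN %r in %r" % (rdn, dn))
        attr, value = rdn.split("=", 1)
        attr, value = attr.strip().upper(), value.strip()
        if not attr or not value:
            raise ValueError("empty attribute or value in %r" % dn)
        parsed.append((attr, value))
    return tuple(parsed)


def load_allowlist(text):
    """Allowlist format: one 'subject<TAB>issuer' pair per line, '#' comments.

    Both DNs are parsed up front so that the comparison in is_allowed() is
    structural (tuple equality), not a string prefix or substring test.
    """
    entries = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 2:
            raise ValueError("allowlist line %d: expected subject<TAB>issuer" % lineno)
        entries.add((parse_dn(fields[0]), parse_dn(fields[1])))
    return frozenset(entries)


def is_allowed(subject, issuer, allowlist):
    """True only if the exact (subject, issuer) pair is allowlisted.

    Unparseable input is rejected rather than ignored: this runs after the
    CA check, and a certificate the check cannot read must not be let in.
    """
    try:
        return (parse_dn(subject), parse_dn(issuer)) in allowlist
    except ValueError:
        return False


# Constructed sample allowlist; real deployments would read this from a file.
SAMPLE_ALLOWLIST_TEXT = (
    "# subject\tissuer  (constructed sample data)\n"
    "/C=CZ/O=Masaryk University/CN=alice\t/C=CZ/O=CESNET/CN=CESNET CA\n"
    "/C=CZ/O=Masaryk University/CN=bob\t/C=CZ/O=CESNET/CN=CESNET CA\n"
)
SAMPLE_ALLOWLIST = load_allowlist(SAMPLE_ALLOWLIST_TEXT)


def main():
    # Hypothetical variable names; adjust to how the exec module is configured.
    subject = os.environ.get("TLS_CLIENT_CERT_SUBJECT", "")
    issuer = os.environ.get("TLS_CLIENT_CERT_ISSUER", "")
    sys.exit(0 if is_allowed(subject, issuer, SAMPLE_ALLOWLIST) else 1)


if __name__ == "__main__":
    main()
```

This only narrows what the TLS handshake already accepted: the CA certificate checked by freeradius is still what proves the certificate is genuine, and the allowlist decides which of those genuine certificates may use the wireless network. Keying on the issuer as well as the subject matters when more than one CA sits in the trusted path, since two CAs can issue certificates with the same subject.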