Certificate Properties.

Andrew Olson anolson at gmail.com
Tue May 6 20:34:00 CEST 2008


Appears that I have something working now.

Here is what I have so far.  Enjoy.

*** src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c.OEM
2008-04-30 14:46:28.000000000 -0400
--- src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c 2008-05-06
14:03:58.000000000 -0400
***************
*** 794,799 ****
--- 794,820 ----
        /*
         *      Success: Return MPPE keys.
         */
+       X509 * client_cert;
+       client_cert = SSL_get_peer_certificate(tls_session->ssl);
+
+       long serialNumber =
ASN1_INTEGER_get(X509_get_serialNumber(client_cert));
+       char serial_str[64];
+       serial_str[0]='\0';
+       sprintf(serial_str, "%ld", serialNumber);
+
+       VALUE_PAIR *vp;
+       vp=pairmake("FreeRADIUS-Cert-Serial", serial_str, T_OP_SET);
+       if (!vp) {
+               DEBUG("  rlm_eap_tls: Failed to create attribute %s: %s\n",
+                       "FreeRADIUS-Cert-Serial", librad_errstr);
+       }
+       else {
+               DEBUG2("Adding Cert SN to request -> %s", serial_str);
+               pairadd(&handler->request->packet->vps, vp);
+               DEBUG2("Added Cert SN to request");
+       }
+
+
        eaptls_success(handler->eap_ds, 0);
        eaptls_gen_mppe_keys(&handler->request->reply->vps,
                             tls_session->ssl,
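Review bot: the `SSL_get_peer_certificate(tls_session->ssl)` result is used without a NULL check and is never released, so `X509_get_serialNumber(client_cert)` dereferences NULL whenever no client certificate is available, and every pass through this success path leaks one X509 (OpenSSL bumps the reference count and expects the caller to `X509_free` it); wrap the block in `if (client_cert) { ... X509_free(client_cert); }`. The serial conversion is also lossy: `ASN1_INTEGER_get` returns -1 for any serial that does not fit in a `long`, and CA-issued serials are routinely many octets wide, so most real certificates would be recorded as `-1`. Convert with `i2s_ASN1_INTEGER(NULL, X509_get_serialNumber(client_cert))` (decimal string, released with `OPENSSL_free`) or via `ASN1_INTEGER_to_BN` and `BN_bn2hex`, and pass that string to `pairmake`. Minor: `serial_str[0]='\0';` before `sprintf` is redundant, and `snprintf(serial_str, sizeof(serial_str), "%ld", serialNumber)` is the safer form.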


and a small change to the dictionary...

*** share/dictionary.freeradius.OEM     2008-05-06 14:17:43.000000000 -0400
--- share/dictionary.freeradius 2008-05-06 14:20:41.000000000 -0400
***************
*** 14,18 ****
--- 14,19 ----
  BEGIN-VENDOR  FreeRADIUS

  ATTRIBUTE     FreeRADIUS-Proxied-To                   1       ipaddr
+ ATTRIBUTE       FreeRADIUS-Cert-Serial                  2       integer

  END-VENDOR FreeRADIUS
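Review bot: `FreeRADIUS-Cert-Serial` is declared as `integer`, which in RADIUS is a 32-bit unsigned value, while the C hunk hands `pairmake` a decimal `long` that can be negative or exceed 32 bits; any serial above 4294967295 cannot be represented in this type, so declare the attribute as `string` (or `octets` if a hex encoding is used). Also match the column layout of the existing `ATTRIBUTE     FreeRADIUS-Proxied-To                   1       ipaddr` line; the added entry uses different spacing.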





On Mon, May 5, 2008 at 2:54 PM, Alan DeKok <aland at deployingradius.com> wrote:
> Andrew Olson wrote:
>  > You still haven't indicated why the perl module isn't running after
>  > eap.  If I put it before eap in the config, the module runs.  After
>  > eap, you can see from the trace that it doesn't run.
>
>   Yes.  The eap module returns "handled", which means "not authenticated
>  yet, send Access-Challenge".
>
>   If you want your module to run only when the user is authenticated, you
>  need to run it when the eap module returns "ok".
>
>
>
>   Alan DeKok.
>  -
>  List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>