EAP-TLS CN Check Question

David Mitchell mitchell at ucar.edu
Thu May 27 21:21:12 CEST 2010

Alan DeKok wrote:
> David Mitchell wrote:
>> I've encountered a similar issue I'm not sure how to deal with. Is there
>> a place I can log any attributes of the certificate? 
>   Not at this moment.  Patches are welcome.
>> I log my accounting
>> records via linelog, and as long as the configuration I end up with
>> forces something reasonable into the User-Name value I do log a
>> username. But it occurs to me it might be nice to have some kind of
>> record of the certificate which was used. Either the CN, or serial
>> number, or something. Is there a way to do this?
>   Source code changes.

I believe I've found a better workaround for my original problem. By
using the realm module, I can strip off the unwanted portion of the
User-Name attribute.

In sites-enabled/default enable the 'suffix' module as needed.

In proxy.conf:
# We don't actually care about the realm, we just need a match
realm "~.+$" {
      authhost = LOCAL       # not strictly necessary
      accthost = LOCAL       # not strictly necessary
}

In eap.conf:
# Check for either Stripped-User-Name or User-Name, as we don't know
# which format the client will use.
check_cert_cn = %{%{Stripped-User-Name}:-%{User-Name}}@%{Calling-Station-Id}

Then issue certificates with a CN of the form username@1122.3344.5566.
Most clients prompt the user for the value of User-Name, so they can
just enter 'username'. XP sends the actual value of CN, but the realm
strips the extra info back off so that we can do the comparison we want.


>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

| David Mitchell (mitchell at ucar.edu)       Network Engineer IV  |
| Tel: (303) 497-1845                      National Center for  |
| FAX: (303) 497-1818                      Atmospheric Research |
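To see how the two client behaviours described above (a client that prompts for just 'username' and XP sending the whole CN) end up with the same comparison string, here is a small Python model of the 'suffix' realm strip and the check_cert_cn expansion. It is an added example, not FreeRADIUS code; the request attributes and certificate CN in it are constructed.

```python
import re

# Constructed model of the string handling in the configuration above.
# This is not FreeRADIUS itself; it only mimics what the 'suffix' realm
# module and the check_cert_cn xlat do to the request attributes.

# The realm "~.+$" from proxy.conf: a regex realm that matches any
# non-empty suffix after the '@'.
REALM_REGEX = re.compile(r".+$")


def suffix_realm(request: dict) -> dict:
    """Model of the 'suffix' realm module.

    Split User-Name at the last '@'. If the part after it matches a
    configured realm, set Stripped-User-Name (and Realm). Otherwise
    leave the request unchanged, as the module would return noop.
    """
    name = request.get("User-Name", "")
    user, sep, realm = name.rpartition("@")
    if not sep or not REALM_REGEX.fullmatch(realm):
        return dict(request)
    out = dict(request)
    out["Stripped-User-Name"] = user
    out["Realm"] = realm
    return out


def xlat_check_cert_cn(request: dict) -> str:
    """Expand %{%{Stripped-User-Name}:-%{User-Name}}@%{Calling-Station-Id}.

    The ':-' form uses Stripped-User-Name when it is set and falls back
    to User-Name otherwise, so both client behaviours yield 'user@mac'.
    """
    left = request.get("Stripped-User-Name") or request.get("User-Name", "")
    return f"{left}@{request.get('Calling-Station-Id', '')}"


def cert_cn_matches(request: dict, cert_cn: str) -> bool:
    """True when the expanded check string equals the certificate CN."""
    return xlat_check_cert_cn(suffix_realm(request)) == cert_cn


# Constructed sample requests: a client that prompted for the username,
# and XP sending the full CN as User-Name. Same device, same certificate.
CN = "alice@1122.3344.5566"
PROMPTED = {"User-Name": "alice", "Calling-Station-Id": "1122.3344.5566"}
XP_STYLE = {"User-Name": CN, "Calling-Station-Id": "1122.3344.5566"}
# Same certificate presented from a different station: must not match.
OTHER_STATION = {"User-Name": "alice", "Calling-Station-Id": "aaaa.bbbb.cccc"}
```

The third request shows the point of putting the MAC into the CN: the same certificate presented from another Calling-Station-Id fails the comparison.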
