EAP-TLS CN Check Question
David Mitchell
mitchell at ucar.edu
Thu May 27 21:21:12 CEST 2010
Alan DeKok wrote:
> David Mitchell wrote:
>> I've encountered a similar issue I'm not sure how to deal with. Is there
>> a place I can log any attributes of the certificate?
>
> Not at this moment. Patches are welcome.
>
>> I log my accounting
>> records via linelog, and as long as the configuration I end up with
>> forces something reasonable into the User-Name value I do log a
>> username. But it occurs to me it might be nice to have some kind of
>> record of the certificate which was used. Either the CN, or serial
>> number, or something. Is there a way to do this?
>
> Source code changes.
I believe I've found a better workaround for my original problem. By
using the realm module, I can strip off the unwanted portion of the
User-Name attribute.
In sites-enabled/default enable the 'suffix' module as needed.
In proxy.conf:
# We don't actually care about the realm, we just need a match
realm "~.+$" {
authhost = LOCAL # not strictly necessary
accthost = LOCAL # not strictly necessary
}
In eap.conf:
# Check for either Stripped-User-Name or User-Name, as we don't know
# which format the client will use.
check_cert_cn = %{%{Stripped-User-Name}:-%{User-Name}}@%{Calling-Station-Id}
Then issue certificates with a CN of the form username@1122.3344.5566.
Most clients prompt the user for the value of User-Name, so they can
just enter 'username'. XP sends the actual value of CN, but the realm
strips the extra info back off so that we can do the comparison we want.
-David
>
> Alan DeKok.
--
-----------------------------------------------------------------
| David Mitchell (mitchell at ucar.edu) Network Engineer IV |
| Tel: (303) 497-1845 National Center for |
| FAX: (303) 497-1818 Atmospheric Research |
-----------------------------------------------------------------
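The following is an added illustration of the check the post describes; it is not code from the post or from FreeRADIUS. It emulates in Python what the configuration above does: the 'suffix' realm with the catch-all regex realm "~.+$" splits "user@anything" into Stripped-User-Name and Realm, and check_cert_cn is expanded to %{%{Stripped-User-Name}:-%{User-Name}}@%{Calling-Station-Id} and compared with the certificate CN. It goes one step beyond the post by canonicalising Calling-Station-Id, since different NAS devices send the MAC as 11-22-33-44-55-66, 11:22:33:44:55:66 or 1122.3344.5566 and the issued CNs use the dotted form; that normalisation, the sample user names and MACs, and all function names are assumptions made here.

```python
import re

# Added example, not from the post or FreeRADIUS itself. It models the
# realm "~.+$" in proxy.conf and the check_cert_cn expansion in eap.conf.

REALM_RE = re.compile(r".+$")          # mirrors the regex realm "~.+$"
HEX12 = re.compile(r"^[0-9a-f]{12}$")  # a bare MAC address: 12 hex digits


def suffix_realm(user_name):
    """Emulate the 'suffix' realm module: split User-Name at the last '@' and,
    when the realm part matches the regex realm, set Stripped-User-Name."""
    attrs = {"User-Name": user_name}
    if "@" not in user_name:
        return attrs
    stripped, realm = user_name.rsplit("@", 1)
    if REALM_RE.match(realm):
        attrs["Stripped-User-Name"] = stripped
        attrs["Realm"] = realm
    return attrs


def normalize_mac(calling_station_id):
    """Assumption beyond the post: canonicalise the NAS-specific MAC format of
    Calling-Station-Id to the dotted 1122.3344.5566 form used in the CNs.
    Returns None when the value is not a 12-hex-digit MAC address."""
    raw = re.sub(r"[-:.]", "", calling_station_id).lower()
    if not HEX12.match(raw):
        return None
    return f"{raw[0:4]}.{raw[4:8]}.{raw[8:12]}"


def expected_cn(attrs):
    """Expand %{%{Stripped-User-Name}:-%{User-Name}}@%{Calling-Station-Id}.
    The ':-' operator falls back to User-Name when Stripped-User-Name is unset."""
    name = attrs.get("Stripped-User-Name") or attrs["User-Name"]
    mac = normalize_mac(attrs["Calling-Station-Id"])
    if mac is None:
        return None
    return f"{name}@{mac}"


def cert_cn_matches(user_name, calling_station_id, cert_cn):
    """True only when the certificate CN equals the expanded check_cert_cn value,
    i.e. the user presented a certificate bound to both their name and their MAC."""
    attrs = suffix_realm(user_name)
    attrs["Calling-Station-Id"] = calling_station_id
    expected = expected_cn(attrs)
    return expected is not None and expected == cert_cn


if __name__ == "__main__":
    # Constructed sample inputs: a client that prompts for just the username,
    # an XP client that sends the whole CN as User-Name, and a mismatch.
    for user, mac, cn in [
        ("jdoe", "11-22-33-44-55-66", "jdoe@1122.3344.5566"),
        ("jdoe@1122.3344.5566", "1122.3344.5566", "jdoe@1122.3344.5566"),
        ("jdoe", "1122.3344.5566", "jdoe@aaaa.bbbb.cccc"),
    ]:
        verdict = "match" if cert_cn_matches(user, mac, cn) else "reject"
        print(f"{user!r} from {mac} with CN {cn!r} -> {verdict}")
```

Because the realm "~.+$" treats anything after the last '@' as a realm, a User-Name such as "jdoe@1122.3344.5566" and a bare "jdoe" both expand to the same expected CN; the comparison then fails whenever the MAC the NAS reports differs from the one in the certificate, which is exactly the binding the post is after.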