eap/tls questions with freeradius
Phil Mayers
p.mayers at imperial.ac.uk
Wed Dec 28 15:16:51 CET 2011
On 12/26/2011 02:44 PM, vazoumana fofana wrote:
> sorry, I've got persistent problems:
>
> - I filter the client certificate under the authenticate section (under eap)
> with:
>
>     Auth-Type eap {
>         if ( "%{TLS-Client-Cert-Subject}" =~ /OU=xxxxx/ ) {
>             reject
>         }
>     }
> Firstly, it's written in the "default" file:
>
>     # Please do not put "unlang" configurations into the "authenticate"
>     # section. Put them in the "post-auth" section instead. That's what
>     # the post-auth section is for.
>
> But, according to me, it's not right because I don't want to enter
> post-auth. It must be rejected before.
This is not easy at the moment, I'm afraid.
Basically, the problem is that the "authorize" part of the "eap" module
doesn't do much. All the work is done inside the "authenticate" section.
This means that TLS-* attributes may not be present in "authorize".
You are correct that performing a "reject" in "post-auth" is not the
right thing to do.
It might be an idea in future to add an "inner-tunnel" feature for
EAP-TLS which sends a plain PAP packet with the TLS-* attributes, which
allows this kind of checking.
You need to use the "verify { }" option under the "tls { }" config to
run an external script. Like so:
    eap {
        tls {
            verify {
                client = "/path/to/my/script ..."
            }
        }
    }

This is documented with examples in eap.conf.
But really, you're doing it wrong.
If you don't want a particular cert to authenticate, revoke it and use
CRLs or OCSP.
Why do you think you want to check the cert subject?
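As an added illustration that is not part of the thread, here is a hypothetical external verify script of the kind the `verify { client = "..." }` option above would run. It assumes FreeRADIUS passes the PEM client certificate's temporary file path as the first argument (the `%{TLS-Client-Cert-Filename}` expansion shown in eap.conf) and fails the EAP-TLS handshake on a non-zero exit; the CA bundle path and the denied OU value are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): an external verify script that the
# eap { tls { verify { client = "..." } } } option can run, e.g.
#   client = "/usr/local/sbin/check-client-cert.sh %{TLS-Client-Cert-Filename}"
# Assumptions: FreeRADIUS passes the PEM client certificate path as $1, and a
# non-zero exit status makes the EAP-TLS handshake fail for that client.
# Paths and the denied OU below are placeholders, not values from the thread.

CA_FILE="${CA_FILE:-/etc/raddb/certs/ca.pem}"   # assumed CA bundle location
DENIED_OU="${DENIED_OU:-Contractors}"            # constructed policy value

# verify_chain CERT_FILE: succeed only if openssl reports the chain as OK.
# Checking the ": OK" text rather than the exit code also works on old openssl
# builds whose "verify" subcommand exited 0 even on failure.
verify_chain() {
    openssl verify -CAfile "$CA_FILE" "$1" 2>/dev/null | grep -q ': OK$'
}

# cert_subject CERT_FILE: print the subject in RFC 2253 form
# ("CN=alice,OU=Staff,O=Example,C=FR"), the same layout on every openssl version.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# check_subject_ou SUBJECT: return 1 (reject) if any OU RDN equals DENIED_OU.
# Tolerates "OU=x" and "OU = x" spellings and ", " separators; it does not
# handle RFC 2253 escaped commas inside attribute values.
check_subject_ou() {
    printf '%s\n' "$1" \
        | sed 's/^subject= *//' \
        | tr ',' '\n' \
        | sed 's/^ *//; s/ *= */=/' \
        | grep -qxF "OU=${DENIED_OU}" && return 1
    return 0
}

# main CERT_FILE: chain check first, then the local OU policy.
# Messages go to stderr so nothing on stdout is mistaken for attributes.
main() {
    cert="$1"
    verify_chain "$cert" || { echo "chain verification failed: $cert" >&2; return 1; }
    subject=$(cert_subject "$cert")
    check_subject_ou "$subject" || { echo "denied OU in subject: $subject" >&2; return 1; }
    return 0
}

# Only run when invoked with a certificate path (FreeRADIUS always passes one).
[ "$#" -gt 0 ] && main "$@"
```

Because the script's exit status is what FreeRADIUS acts on, the rejection happens during the TLS handshake itself, before any post-auth processing.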