Rejecting EAP-TLS based on cert Subject field
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jan 27 21:03:53 CET 2011
On 01/27/2011 06:04 PM, Matt Garretson wrote:
> For years, we've been doing simple EAP-TLS with various versions of
> FreeRADIUS. Now, a new requirement has come down to me such that radius
> will have to reject certain valid client certs based on a string in the
> Subject field of the client cert.
>
> I've met this need (using 2.1.11 from git) with a simple bit of unlang
> in post-auth{}:
>
> if ( "%{TLS-Client-Cert-Subject}" =~ /OU=Evil/ ) {
> reject
> }
Just put this in the "authorize" section? If it's early in the EAP
conversation, TLS-Client-* won't be set so won't match, meaning this
will succeed as soon as you get that far.
>
> It works, but there are two non-ideal things about the way it works:
>
> 1) Windows XP doesn't seem to notice the rejection and keeps retrying
> for a minute or two, ultimately failing to show any failure/error
> message to the user.
>
> 2) The rejection is not logged in radiusd.log; rather, three "Auth:
> Login OK" lines are logged (the repetition is due to XP's retries)
>
> Is there any way I can address these two issues? I did try putting the
> above unlang into eap.conf's tls{} section (where check_cert_issuer and
> check_cert_cn would be), in hopes that the rejection would occur during
> the auth rather than after it, but the code doesn't seem to have any
> effect there.
Correct. Unlang is only processed in authorize-like steps, not arbitrary
bits of the config.
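As an added illustration, not part of the thread and not FreeRADIUS code, the following Python models the posted unlang check: the Subject string as the server presents it, the regex exactly as posted, and the case Phil describes where TLS-Client-Cert-Subject is not yet set, so `%{TLS-Client-Cert-Subject}` expands to an empty string and nothing matches. It also shows why `/OU=Evil/` deserves a second look: it is an unanchored substring match, so an OU of "Evilcorp" is rejected too. The slash-separated "oneline" Subject format and the sample DNs are assumptions made for the example.

```python
import re

# Constructed sample Subject strings. The slash-separated "oneline" layout is an
# assumption about how the server renders the DN; adjust the anchors if yours
# uses "CN=..., OU=..." instead.
SUBJECTS = {
    "evil":        "/C=GB/O=Example/OU=Evil/CN=mallory",
    "evilcorp":    "/C=GB/O=Example/OU=Evilcorp/CN=bob",      # innocent OU, same prefix
    "good":        "/C=GB/O=Example/OU=Engineering/CN=alice",
    "not_yet_set": "",   # what %{TLS-Client-Cert-Subject} expands to before the cert arrives
}

# The pattern exactly as posted: an unanchored substring search.
POSTED = re.compile(r"OU=Evil")

# A tighter pattern: the OU value must be exactly "Evil", i.e. it must start an RDN
# and be followed by the next separator or the end of the string.
ANCHORED = re.compile(r"(^|/)OU=Evil(/|$)")


def unlang_decision(subject, pattern):
    """Model of:  if ("%{TLS-Client-Cert-Subject}" =~ /.../) { reject }
    Returns 'reject' on a match; otherwise 'continue' (the section falls through,
    which is why an early, unset attribute lets the request carry on)."""
    return "reject" if pattern.search(subject) else "continue"


def decisions(pattern):
    """Evaluate every constructed Subject against one pattern."""
    return {name: unlang_decision(subj, pattern) for name, subj in SUBJECTS.items()}


if __name__ == "__main__":
    for label, pat in (("posted", POSTED), ("anchored", ANCHORED)):
        print(label, decisions(pat))
```

The "not_yet_set" entry is the point Phil makes about placement: wherever the check lives, a round in which the attribute is absent cannot reject, so the check only bites once the client certificate has actually been verified.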