Rejecting EAP-TLS based on cert Subject field
Matt Garretson
mattg at assembly.state.ny.us
Thu Jan 27 21:41:13 CET 2011
On 1/27/2011 1:24 PM, Matt Garretson wrote:
> Thanks. That's actually my goal. But unlang isn't allowed in
> authenticate{}, and my attempts to sneak it into the authentication
> phase via the tls{} section in eap.conf didn't seem to work.
> Any other ways to do it?
Replying to myself here.... I got a bit closer to my goal by putting
this in the verify{} subsection of tls{} :
tmpdir = /tmp/radiusd
client = "/usr/local/bin/checkcert %{TLS-Client-Cert-Filename}"
Where /usr/local/bin/checkcert contains:
#!/bin/sh
# Invoked by FreeRADIUS from verify{} with the temporary client-cert file as $1.
# A non-zero exit status makes the TLS verify step fail (certificate rejected).
if /usr/bin/openssl x509 -in "$1" -noout -text | \
    /bin/grep -q " Subject:.* OU=Evil," ; then
    RC=1    # subject line contains "OU=Evil,": reject
else
    RC=0    # accept (note: also reached if openssl cannot read the file,
            # since grep then finds nothing and the check fails open)
fi
exit $RC
The XP client still tries three times (duh), but at least radius.log reflects
a failure:
Error: TLS_accept: error in SSLv3 read client certificate B
Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
Auth: Login incorrect (TLS Alert write:fatal:certificate unknown): [snip]
Still, it would be nice if I could use unlang (or something) to match against
%{TLS-Client-Cert-Subject} during the authenticate stage somehow. Is there
a way that I'm missing?
Thanks,
-Matt
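As an added example (not from the original post and not FreeRADIUS's own code), a fail-closed variant of the checkcert script: it reads the subject in RFC 2253 form and compares the OU attribute exactly, so a value that merely contains the text "OU=Evil," cannot match, and any openssl error rejects the certificate instead of letting it through. The OU value "Evil" and the test file path are placeholders; FreeRADIUS treating a non-zero exit status as a failed verify is as described in the post.

```shell
#!/bin/sh
# Added example: fail-closed replacement for the checkcert script above.
# Placeholder: the OU value that must cause rejection.
DENY_OU="Evil"

# subject_allowed SUBJECT
#   SUBJECT is an RFC 2253 distinguished name, e.g. "CN=alice,OU=Staff,O=Example".
#   Returns 0 (accept) unless one RDN is exactly "OU=$DENY_OU", then 1 (reject).
#   RFC 2253 escapes a literal comma inside a value as "\,", so those are
#   replaced before splitting on "," to avoid treating them as RDN separators.
#   (Multi-valued RDNs joined with "+" are not handled; they are rare in client certs.)
subject_allowed() {
    printf '%s\n' "$1" \
      | sed 's/\\,/__COMMA__/g' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//' \
      | grep -qxF "OU=$DENY_OU" && return 1
    return 0
}

# checkcert CERTFILE
#   Returns 0 to accept the client certificate, 1 to reject it.
#   Fails closed: a missing, unreadable or unparseable file is rejected.
checkcert() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null) \
        || return 1
    # openssl prints "subject=CN=...,OU=...,O=..."; strip the label
    # (older releases print "subject= " with a trailing space, so strip that too).
    subj=${subj#subject=}
    subj=${subj# }
    subject_allowed "$subj"
}

# Entry point when FreeRADIUS runs "checkcert %{TLS-Client-Cert-Filename}".
if [ $# -eq 1 ]; then
    checkcert "$1"
    exit $?
fi
```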