Rejecting EAP-TLS based on cert Subject field
Matt Garretson
mattg at assembly.state.ny.us
Thu Jan 27 22:30:05 CET 2011
On 1/27/2011 3:03 PM, Phil Mayers wrote:
>> I've met this need (using 2.1.11 from git) with a simple bit of unlang
>> in post-auth{}:
>> if ( "%{TLS-Client-Cert-Subject}" =~ /OU=Evil/ ) {
>> reject
>> }
>
> Just put this in the "authorize" section? If it's early in the EAP
> conversation, TLS-Client-* won't be set so won't match, meaning this
> will succeed as soon as you get that far.
I'm not sure I follow you here. Are you saying that there is a place in
the authorize section where TLS-Client-* _would_ be accessible to
unlang? I've tried it in a few places (before eap, after eap, at the
top of the section, at the bottom of the section) and it seemed to have
no effect. But it's entirely possible that I missed something during
these tests.
> Correct. Unlang is only processed in authorize-like steps, not arbitrary
> bits of the config.
I can understand that. But given that the eap module has access to some
client cert fields during authentication (e.g. check_cert_issuer and
check_cert_cn), it would be nice to be able to access these and other
client cert fields with unlang (or something similar) at that stage.
But, admittedly, I'm way over my head here :-) so I'll make do with
one of the methods described earlier in this thread.
Thanks,
-Matt