Rejecting EAP-TLS based on cert Subject field
Alan DeKok
aland at deployingradius.com
Fri Jan 28 09:48:20 CET 2011
Matt Garretson wrote:
> It works, but there are two non-ideal things about the way it works:
>
> 1) Windows XP doesn't seem to notice the rejection and keeps retrying
> for a minute or two, ultimately failing to show any failure/error
> message to the user.
You're sending a *radius* reject. It doesn't include an EAP-Message
with an *EAP* reject. So you need to create a fake one:
update reply {
        # EAP-Failure packet: code 4, identifier 1, length 4
        EAP-Message := 0x04010004
}
That can work sometimes...
> 2) The rejection is not logged in radiusd.log; rather, three "Auth:
> Login OK" lines are logged (the repetition is due to XP's retries)
Put the "unlang" in the "authenticate" section, after "eap":
Auth-Type eap {
        eap
        if (...) {
                ...
        }
}
> Is there any way I can address these two issues? I did try putting the
> above unlang into eap.conf's tls{} section (where check_cert_issuer and
> check_cert_cn would be), in hopes that the rejection would occur during
> the auth rather than after it, but the code doesn't seem to have any
> effect there.
Unlang doesn't go in module configuration sections.
Alan DeKok.
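Putting the two suggestions together, as an added example (not from the original post): the check lives in the "authenticate" section after "eap", so a reject shows up in radiusd.log, and the reply carries an EAP-Failure so the supplicant stops retrying. TLS-Client-Cert-Subject is the attribute FreeRADIUS populates from the client certificate during EAP-TLS; the "OU=Staff" requirement is a made-up policy, and the existence check guards the earlier EAP round trips where no certificate has been seen yet.

```unlang
authenticate {
        Auth-Type eap {
                eap

                # Only evaluate once a client certificate has been received;
                # on earlier EAP-TLS round trips the attribute is absent.
                # "OU=Staff" is a constructed policy value, not a real site rule.
                if (TLS-Client-Cert-Subject && !(TLS-Client-Cert-Subject =~ /OU=Staff/)) {
                        update reply {
                                # EAP-Failure: code 4, identifier 1, length 4.
                                # The identifier may not match the supplicant's
                                # last request id, which is why this only works
                                # "sometimes".
                                EAP-Message := 0x04010004
                        }
                        # Returning reject here (not in post-auth) makes
                        # radiusd.log record "Login incorrect" instead of
                        # "Login OK".
                        reject
                }
        }
}
```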