Rejecting EAP-TLS based on cert Subject field
Phil Mayers
p.mayers at imperial.ac.uk
Fri Jan 28 12:36:39 CET 2011
On 27/01/11 21:30, Matt Garretson wrote:
> On 1/27/2011 3:03 PM, Phil Mayers wrote:
>>> I've met this need (using 2.1.11 from git) with a simple bit of unlang
>>> in post-auth{}:
>>> if ( "%{TLS-Client-Cert-Subject}" =~ /OU=Evil/ ) {
>>> reject
>>> }
>>
>> Just put this in the "authorize" section? If it's early in the EAP
>> conversation, TLS-Client-* won't be set so won't match, meaning this
>> will succeed as soon as yo uget that far.
>
>
> I'm not sure I follow you here. Are you saying that there is a place in
> the authorize section where TLS-Client-* _would_ be accessible to
> unlang? I've tried it in a few places (before eap, after eap, at the
> top of the section, at the bottom of the section) and it seemed to have
> no effect. But it's entirely possible that I missed something during
> these tests.
You're right, I'm wrong.
EAP of course runs all its guts in the "authenticate" section, so
nothing is available during the "authorize" section.
Sorry for the noise.
More information about the Freeradius-Users
mailing list