Rejecting EAP-TLS based on cert Subject field [RESOLVED]
Matt Garretson
mattg at assembly.state.ny.us
Fri Jan 28 19:30:00 CET 2011
On 1/28/2011 3:48 AM, Alan DeKok wrote:
> Put the "unlang" in the "authenticate" section, after "eap":
>   Auth-Type eap {
>     eap
>     if (...) {
>       ...
>     }
>   }
Thank you!! That did the trick. The entirety of my authenticate
section is now:
    authenticate {
        Auth-Type Kerberos {
            krb5
        }
        Auth-Type eap {
            eap
            if ( "%{TLS-Client-Cert-Subject}" =~ /\/OU=Evil\// ) {
                reject
            }
        }
    }
And it works perfectly. Thank you!
As for Windows XP dealing with the rejection....
> You're sending a *radius* reject. It doesn't include an EAP-Message
> with an *EAP* reject. So you need to create a fake one:
>   update reply {
>     EAP-Message := 0x
>   }
> That can work sometimes...
Ah, thanks for the tip. I added this in the "Post-Auth-Type REJECT"
section:
    if ( "%{control:Auth-Type}" == "EAP" ) {
        update reply {
            EAP-Message := 0x04010004
        }
    }
The code seems to work as expected, but Windows XP still doesn't seem to
handle it sensibly. But I can live with that.
Thank you, Alan!
-Matt
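As an added illustration (not part of the thread and not FreeRADIUS code), the Python below shows what the two pieces of the configuration above actually do: the subject check applies the same `/OU=Evil/` regex to the slash-separated one-line subject that FreeRADIUS exposes as `TLS-Client-Cert-Subject`, and `build_eap_failure` constructs the 4-byte EAP Failure packet (RFC 3748: Code=4, Identifier, Length=4) that the `EAP-Message := 0x04010004` literal encodes. The sample subjects and the function names are constructed for this example. One detail worth noting when reading the post's hard-coded identifier byte (`01`): RFC 3748 requires the Identifier of a Failure to match the Identifier of the EAP Response it answers, so the helper takes the identifier as a parameter rather than fixing it at 1.

```python
import re
import struct

# EAP packet codes from RFC 3748 section 4.
EAP_CODE_FAILURE = 4

# Same pattern as the unlang rule in the post. FreeRADIUS presents
# TLS-Client-Cert-Subject in OpenSSL's one-line form, e.g.
# "/C=US/O=Example/OU=Evil/CN=mallory", so the surrounding slashes
# anchor the match to a whole OU component.
SUBJECT_DENY_PATTERN = re.compile(r"/OU=Evil/")


def subject_is_rejected(subject: str) -> bool:
    """True when the certificate subject matches the deny rule."""
    return SUBJECT_DENY_PATTERN.search(subject) is not None


def build_eap_failure(identifier: int) -> bytes:
    """Build an EAP Failure packet: Code=4, Identifier, Length=4 (RFC 3748)."""
    if not 0 <= identifier <= 255:
        raise ValueError("EAP identifier must fit in one byte")
    return struct.pack("!BBH", EAP_CODE_FAILURE, identifier, 4)


def parse_eap_header(packet: bytes) -> dict:
    """Decode the RFC 3748 header and verify the Length field against the
    real packet size, which is the check a receiver performs first."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP Length {length} != packet size {len(packet)}")
    return {"code": code, "identifier": ident, "length": length}


def eap_message_attr_hex(packet: bytes) -> str:
    """Render a packet as the unlang hex literal form, e.g. 0x04010004."""
    return "0x" + packet.hex()


def decide(subject: str, last_request_id: int):
    """Apply the policy: (accepted, EAP-Message hex to send on reject or None).
    last_request_id is the Identifier of the EAP Response being answered."""
    if subject_is_rejected(subject):
        failure = build_eap_failure(last_request_id)
        return False, eap_message_attr_hex(failure)
    return True, None


if __name__ == "__main__":
    # Constructed sample subjects in OpenSSL one-line format.
    samples = [
        "/C=US/O=Example/OU=Evil/CN=mallory",      # rejected
        "/C=US/O=Example/OU=Staff/CN=alice",       # accepted
        "/C=US/O=Example/OU=Evil Twin/CN=bob",     # accepted: OU is not exactly "Evil"
    ]
    for subj in samples:
        print(subj, "->", decide(subj, last_request_id=1))
    print(parse_eap_header(bytes.fromhex("04010004")))
```

The third sample shows why the slashes in the original regex matter: `OU=Evil Twin` is not rejected, whereas a pattern without the trailing slash would match it too.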