Checking TLS-Cert-* and accept/reject based on them

Phil Mayers p.mayers at imperial.ac.uk
Thu Aug 29 15:48:59 CEST 2013


On 29/08/13 14:25, Axel Thimm wrote:
> On Thu, Aug 29, 2013 at 02:12:35PM +0100, Phil Mayers wrote:
>> Otherwise, you could look at the "verify { }" stanza of the "tls {
>> }" block in eap.conf; this allows you to run an external script once
>> you've got the client cert, and there you can write any code you
>> want to access the various issuer/subject fields.
>
> Thanks, I'm already using it for other purposes. But do I have the
> request data at hand to check for the requested SSID?

It's run using the standard exec helper, so it has access to all the 
stuff that a normal exec module has; specifically there should be 
environment variables matching each request attribute, mangled into 
upper-case + underscores.

e.g.

Calling-Station-Id

...should appear as:

CALLING_STATION_ID

Suggest you try it and see.

>
> Or is there a way to set variables in this script to check later in
> the authorize section's modules (with an exec script)?

No. The output of the verify script is thrown away, so in that respect 
it's not like a normal exec. It's a binary yes/no.

Obviously you could work around this; you could set a request variable 
to a unique value e.g. timestamp+random, have your verify{} script use 
that as the basis of a filename to dump the info to, then read it with 
*another* exec module lower down.

Or you could abandon the prejudice against upgrading because "it's 
supported" (support you're not taking advantage of, I might add, since 
you're asking here) and upgrade to 2.2.0 which, IIRC, has those patches in.


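As an added example, not part of the thread and not FreeRADIUS's own code, here is a verify{} script built on the two points above: it reads request attributes from the mangled environment variables the exec helper exports, makes the binary accept/reject decision from the issuer, subject and requested SSID, and, for the file-dump workaround, writes the fields to a file named by a per-request token for a later exec module to read. The attribute names TLS-Client-Cert-Issuer and TLS-Client-Cert-Subject, the "AA-BB-CC-DD-EE-FF:SSID" form of Called-Station-Id, the Tmp-String-0 token attribute, the CA DN and the site policy are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the post or from FreeRADIUS: a script for the
#   tls { verify { client = "/usr/local/sbin/verify-cert.sh --decide" } }
# hook in eap.conf.  Exit 0 accepts the client certificate, non-zero rejects it;
# anything printed is discarded, as the post says.
#
# Assumptions (not stated in the post): the request carries TLS-Client-Cert-Issuer,
# TLS-Client-Cert-Subject and Called-Station-Id, the latter in the common
# "AA-BB-CC-DD-EE-FF:SSID" form; the hypothetical Tmp-String-0 holds a random hex
# token set earlier by unlang; the CA DN and the site policy below are made up.

TRUSTED_ISSUER="/C=GB/O=Example University/CN=Example Device CA"
DUMP_DIR="${DUMP_DIR:-/var/run/radiusd/certinfo}"

# RADIUS attribute name -> variable name exported by the exec helper:
# upper-case, '-' replaced by '_'.  Calling-Station-Id -> CALLING_STATION_ID
attr_to_env() {
    printf '%s\n' "$1" | sed 'y/abcdefghijklmnopqrstuvwxyz-/ABCDEFGHIJKLMNOPQRSTUVWXYZ_/'
}

# Value of a request attribute, looked up by its RADIUS name; empty if unset.
attr() {
    name=$(attr_to_env "$1")
    case "$name" in
        ''|*[!A-Z0-9_]*) return 1 ;;    # never eval anything but a plain identifier
    esac
    eval "printf '%s\n' \"\${$name:-}\""
}

# SSID part of Called-Station-Id ("MAC:SSID"); empty when there is no ':'.
ssid_from_called_station_id() {
    case "$1" in
        *:*) printf '%s\n' "${1#*:}" ;;
        *)   printf '\n' ;;
    esac
}

# Site policy (constructed): the cert must come from our CA; "corp" additionally
# needs OU=Staff as a whole DN component (a loose *Staff* would also match
# OU=Staffing); "guest" takes any cert from our CA; other SSIDs are refused.
# Returns 0 to accept, 1 to reject.
verify_policy() {
    issuer=$1; subject=$2; ssid=$3
    [ "$issuer" = "$TRUSTED_ISSUER" ] || return 1
    case "$ssid" in
        corp)
            case "$subject" in
                */OU=Staff/*|*/OU=Staff) return 0 ;;
                *) return 1 ;;
            esac ;;
        guest) return 0 ;;
        *)     return 1 ;;
    esac
}

# The workaround from the post: the hook's output is thrown away, so persist the
# fields in a file named by the per-request token for a later exec module to read.
# The token becomes part of a path, so it is validated to plain hex first.
dump_cert_info() {
    dir=$1; token=$2; issuer=$3; subject=$4
    case "$token" in
        ''|*[!0-9a-fA-F]*) return 1 ;;  # hex only: no '/', '..' or empty names
    esac
    # subshell keeps the restrictive umask local to this write
    ( umask 077; printf 'issuer=%s\nsubject=%s\n' "$issuer" "$subject" > "$dir/$token.cert" )
}

# Entry point when FreeRADIUS runs the hook: everything comes from the environment.
# Fails closed: if the token is set but the dump cannot be written, reject.
verify_request() {
    issuer=$(attr TLS-Client-Cert-Issuer)
    subject=$(attr TLS-Client-Cert-Subject)
    ssid=$(ssid_from_called_station_id "$(attr Called-Station-Id)")
    verify_policy "$issuer" "$subject" "$ssid" || return 1
    token=$(attr Tmp-String-0)
    [ -z "$token" ] || dump_cert_info "$DUMP_DIR" "$token" "$issuer" "$subject"
}

# Only decide and exit when invoked as the hook; sourcing the file just defines the functions.
case "${1:-}" in
    --decide) verify_request; exit $? ;;
esac
```

Two caveats a practitioner should keep in mind: Called-Station-Id is supplied by the NAS, so the SSID part of the decision trusts the access point, not the client; and because the token is used as a file name, the hex-only check matters, since an empty or `../`-bearing value would otherwise pick the path.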