Checking TLS-Cert-* and accept/reject based on them

Axel Thimm Axel.Thimm at ATrpms.net
Thu Aug 29 17:35:33 CEST 2013


On Thu, Aug 29, 2013 at 02:48:59PM +0100, Phil Mayers wrote:
> On 29/08/13 14:25, Axel Thimm wrote:
> >On Thu, Aug 29, 2013 at 02:12:35PM +0100, Phil Mayers wrote:
> >>Otherwise, you could look at the "verify { }" stanza of the "tls {
> >>}" block in eap.conf; this allows you to run an external script once
> >>you've got the client cert, and there you can write any code you
> >>want to access the various issuer/subject fields.
> >
> >Thanks, I'm already using it for other purposes. But do I have the
> >request data at hand to check for the requested SSID?
> 
> It's run using the standard exec helper, so it has access to all the
> stuff that a normal exec module has; specifically there should be
> environment variables matching each request attribute, mangled into
> upper-case + underscores.
> 
> e.g.
> 
> Calling-Station-Id
> 
> ...should appear as:
> 
> CALLING_STATION_ID
> 
> Suggest you try it and see.

Thank you, that looks very promising!

> >
> >Or is there a way to set variables in this script to check later in
> >the authorize section's modules (with an exec script)?
> 
> No. The output of the verify script is thrown away, so in that
> respect it's not like a normal exec. It's a binary yes/no.
> 
> Obviously you could work around this; you could set a request
> variable to a unique value e.g. timestamp+random, have your verify{}
> script use that as the basis of a filename to dump the info to, then
> read it with *another* exec module lower down.

That is very nasty! I love it! :)

I'll try to go with the verify for now.

> Or you could abandon the prejudice against upgrading because "it's
> supported" (support you're not taking advantage of, I might add,
> since you're asking here) and upgrade to 2.2.0 which, IIRC, has
> those patches in.

For systems I know I will be the long term support I can talk to the
customer and he will agree to have me patch up specific binaries, but
in this case I'm just setting this up.
-- 
Axel.Thimm at ATrpms.net
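The verify{} script approach discussed in this thread, as an added example (constructed here, not code from the thread or from the FreeRADIUS project): a POSIX sh script that reads the request attributes from the environment, using the upper-case-plus-underscore mangling rule quoted above, and accepts or rejects the client certificate purely by its exit status. The attribute names TLS-Client-Cert-Subject, TLS-Client-Cert-Issuer and Called-Station-Id, the "<AP-MAC>:<SSID>" wireless convention, the OpenSSL one-line subject format and the OU-to-SSID policy are assumptions for the sake of the example.

```shell
#!/bin/sh
# Hypothetical verify{} "client" script (constructed example, not from the
# thread). radiusd hands each request attribute to it as an environment
# variable named after the attribute, upper-cased with '-' -> '_'; only
# the exit status counts: 0 accepts the client certificate, non-zero rejects.

# Constructed policy: the only issuer we trust, in OpenSSL one-line form.
EXPECTED_ISSUER="/C=DE/O=Example/CN=Example Client CA"

# Constructed policy: which SSIDs a certificate OU may join.
allowed_ssids_for_ou() {
    case "$1" in
        staff)      echo "corp-wifi,corp-guest" ;;
        contractor) echo "corp-guest" ;;
        *)          echo "" ;;
    esac
}

# Wireless NASes usually send Called-Station-Id as "<AP-MAC>:<SSID>"
# (assumed convention, not something the thread states).
ssid_from_called_station_id() {
    case "$1" in
        *:*) printf '%s\n' "${1#*:}" ;;
        *)   printf '\n' ;;
    esac
}

# Pull OU=... out of a subject like "/C=DE/O=Example/OU=staff/CN=alice".
ou_from_subject() {
    printf '%s\n' "$1" | sed -n 's#.*/OU=\([^/]*\).*#\1#p'
}

# Accept (0) only if the issuer matches and the OU may use the requested SSID;
# a missing OU or a Called-Station-Id without an SSID is rejected.
check_cert_policy() {
    issuer=$1; subject=$2; called_station_id=$3
    [ "$issuer" = "$EXPECTED_ISSUER" ] || return 1
    ou=$(ou_from_subject "$subject")
    ssid=$(ssid_from_called_station_id "$called_station_id")
    [ -n "$ou" ] && [ -n "$ssid" ] || return 1
    case ",$(allowed_ssids_for_ou "$ou")," in
        *",$ssid,"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# When radiusd invokes the script the attributes arrive in the environment
# (variable names assumed from the mangling rule applied to the attributes).
if [ -n "${TLS_CLIENT_CERT_SUBJECT:-}" ]; then
    check_cert_policy "${TLS_CLIENT_CERT_ISSUER:-}" "$TLS_CLIENT_CERT_SUBJECT" \
                      "${CALLED_STATION_ID:-}"
    exit $?
fi
```

Point the `client = ...` line of the verify{} stanza at this script; because the script's output is discarded, any diagnostics you want to keep must go to syslog or a file rather than stdout.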