Certificate information

Alan DeKok aland at deployingradius.com
Mon Mar 30 14:43:30 CEST 2015


On Mar 30, 2015, at 5:31 AM, Franks Andy (IT Technical Architecture Manager) <Andy.Franks at sath.nhs.uk> wrote:
>  Using FR v3.1.0.

  There is no version 3.1.0.  I suggest using a released version.

>  I was wondering if there is any way I could read a TLS client
> certificate field (probably MS specific) called "Certificate Template
> Information".

  No.  The examples in sites-enabled/default describe which TLS fields are available.  If the field isn’t listed, it’s not available.

> We have an M$ CA (for now), and one of the strings within
> this field contains the name of the certificate template, which I want
> to check, to make sure that people aren't making up their own cert
> templates and randomly giving wireless access to people in the wrong way
> (I have good reason). 

  Except all of that information is publicly available.  You’re not really adding any security here.

> I presume I can't do what I'm trying to achieve? The obvious thing would
> be to stop other people issuing certs, but I may as well learn to code C
> properly and rewrite the module, it would be easier :-)

  No.  You should use a good CA design.

  It’s not really clear what you’re doing or why.  Perhaps talking about the *problem* could help.  Right now, you’re asking why a particular solution doesn’t work.  Well, if you’re not clear on the problem or on FreeRADIUS, the solution is likely to be wrong.

  Alan DeKok.



