Certificate information

Franks Andy (IT Technical Architecture Manager) Andy.Franks at sath.nhs.uk
Tue Mar 31 11:45:55 CEST 2015


Hi Arran,
  So, I've partly got this, but only partly!
  If I create a radius attribute in the dictionary of string type, how does that link to the EKU extension part of the cert? Obviously there are predefined attributes in the internal dictionary and the one I'd expect to start reporting this is (presumably multi value attribute?)

  ATTRIBUTE  TLS-Client-Cert-X509v3-Extended-Key-Usage 	1927

  .. but that returns an empty string during the debugging 

(7) EXPAND %{TLS-Client-Cert-X509v3-Extended-Key-Usage}
(7)    -->
(7)     Reply-Message += ""

If wonder if it's either due to the openssl library version or the fact that the certs are likely DER format to start with..?

I know that certain attributes are required for windows to even look at a certificate for wireless use, so we can assume "client authentication" as one of the required EKUs - I'd be looking for ones over and above that as it looks like the certificates being created randomly by the domain administrator (!) contain other things like encrypting file system use and so on.

Anyway, I guess the best way forward is to download the latest git and try what you added? Am I best to try and upgrade the openssl libraries too?

Thanks guys, really helpful.



More information about the Freeradius-Users mailing list