Certificate information

Alan DeKok aland at deployingradius.com
Tue Mar 31 16:02:34 CEST 2015

On Mar 31, 2015, at 5:45 AM, Franks Andy (IT Technical Architecture Manager) <Andy.Franks at sath.nhs.uk> wrote:
>  If I create a radius attribute in the dictionary of string type, how does that link to the EKU extension part of the cert? Obviously there are predefined attributes in the internal dictionary and the one I'd expect to start reporting this is (presumably multi value attribute?)
>  ATTRIBUTE  TLS-Client-Cert-X509v3-Extended-Key-Usage 	1927

  That attribute contains the EKE extension.

>  .. but that returns an empty string during the debugging 
> (7) EXPAND %{TLS-Client-Cert-X509v3-Extended-Key-Usage}
> (7)    -->
> (7)     Reply-Message += ""
> If wonder if it's either due to the openssl library version or the fact that the certs are likely DER format to start with..?

  The cert format doesn't matter.

  Look at the REST of the debug output to see what's going on.  There may be another stage of processing where the certs are available.

> I know that certain attributes are required for windows to even look at a certificate for wireless use, so we can assume "client authentication" as one of the required EKUs - I'd be looking for ones over and above that as it looks like the certificates being created randomly by the domain administrator (!) contain other things like encrypting file system use and so on.

  Why, exactly, are random people creating certs against your domain?  That's just weird.

> Anyway, I guess the best way forward is to download the latest git and try what you added? Am I best to try and upgrade the openssl libraries too?

  You don't need to upgrade.

  Alan DeKok.

More information about the Freeradius-Users mailing list