Is it possible to execute check-eap-tls before checking ocsp?
Alan DeKok
aland at deployingradius.com
Fri Apr 22 15:14:12 CEST 2016
On Apr 22, 2016, at 4:38 AM, Mitsuhiro Nakamura <mitsuhiro.nakamura at nabiq.co.jp> wrote:
>
> Thank you for the reply.
> I changed check-eap-tls before ocsp as below
Order in the configuration files doesn't matter.
Order *does* matter for "unlang", e.g. in authorize, authenticate, etc.
> raddb/sites-enabled/check-eap-tls
>     if ("%{TLS-Client-Cert-Common-Name}" =~ /^.*@domain\.com$/) {
>         update config {
>             &Auth-Type := Accept
You cannot do that.
For one, it's "update control", not "update config".
And you *cannot* just return "Accept" for EAP-TLS. The protocol is designed to make that impossible.
i.e. the configuration file lets you do that, but the client will detect that the protocol is wrong, and stop doing EAP-TLS... and not get on the network.
> but in this case ocsp never executes if check-eap-tls succeeds.
> Any ideas?
If you bypass all of EAP-TLS by forcing Access-Accept, then yes... the EAP-TLS checks will not be run.
Alan DeKok.
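As an added example (not part of Alan's reply and not the configuration shipped with FreeRADIUS), this is the shape a certificate policy takes when it stays inside EAP-TLS instead of short-circuiting it with Auth-Type := Accept: the check-eap-tls virtual server answers "ok" or "reject" for the client certificate, and revocation checking is left to the eap module's TLS configuration, so OCSP still runs as part of the TLS handshake. It assumes FreeRADIUS 3.x, where check-eap-tls is a virtual server with an authorize section that is invoked with the client certificate attributes and where any return other than "ok" or "updated" fails the EAP-TLS exchange; the location of the ocsp block inside mods-available/eap and the Reply-Message text are assumptions, and the domain.com pattern is the one from the quoted post.

```unlang
#  raddb/sites-available/check-eap-tls (linked into sites-enabled)
#
#  Added example, not the list post's own configuration.  Assumes
#  FreeRADIUS 3.x: this virtual server is named by "virtual_server"
#  in the eap module's tls-config and is run once the client
#  certificate has been presented.  A return of "ok" lets EAP-TLS
#  continue; "reject" fails it.  Forcing Auth-Type := Accept here
#  would bypass EAP-TLS entirely, which the client will detect.
server check-eap-tls {
	authorize {
		#  Accept only certificates whose CN is an address in domain.com
		#  (pattern taken from the quoted post).
		if (&TLS-Client-Cert-Common-Name =~ /^.*@domain\.com$/) {
			ok
		}
		else {
			update reply {
				#  (assumption) message text is illustrative
				&Reply-Message := "Client certificate CN not permitted"
			}
			reject
		}
	}
}

#  raddb/mods-available/eap, inside the tls-config block used by the
#  eap-tls type (assumed location).  Revocation checking is configured
#  here, separately from the CN policy above, and is performed during
#  certificate verification regardless of what check-eap-tls returns.
#
#	tls-config tls-common {
#		virtual_server = check-eap-tls
#		ocsp {
#			enable = yes
#			#  Use the OCSP responder URL carried in the certificate
#			#  rather than a fixed one.
#			override_cert_url = no
#			#  Fail closed if the responder cannot be reached.
#			softfail = no
#		}
#	}
```

Note that "update control", not "update config", is the section to use if a control attribute has to be set from inside this server; the example above does not need one, since the return code alone decides whether the handshake proceeds. Running `radiusd -XC` after the change parses the configuration and exits, which catches a misspelled section name before any client is affected.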