Is it possible to execute check-eap-tls before checking ocsp?
Mitsuhiro Nakamura
mitsuhiro.nakamura at nabiq.co.jp
Sat Apr 23 12:24:25 CEST 2016
Thank you for reply.
I have to protect the OCSP server against cert DDoS attacks.
I'll find another way.
Thanks anyway!
On 2016/04/22 22:14, Alan DeKok wrote:
> On Apr 22, 2016, at 4:38 AM, Mitsuhiro Nakamura <mitsuhiro.nakamura at nabiq.co.jp> wrote:
>>
>> Thank you for reply.
>> I changed check-eap-tls before ocsp as below
>
> Order in the configuration files doesn't matter.
>
> Order *does* matter for "unlang", e.g. in authorize, authenticate, etc.
>
>> raddb/sites-enabled/check-eap-tls
>> if ("%{TLS-Client-Cert-Common-Name}" =~ /^.*@domain\.com$/) {
>>     update config {
>>         &Auth-Type := Accept
>
> You cannot do that.
>
> For one, it's "update control", not "update config".
>
> And you *cannot* just return "Accept" for EAP-TLS. The protocol is designed to make that impossible.
>
> i.e. the configuration file lets you do that, but the client will detect that the protocol is wrong, and stop doing EAP-TLS... and not get on the network.
>
>> but in this case ocsp never execute if check-eap-tls success.
>> any ideas?
>
> If you bypass all of EAP-TLS by forcing Access-Accept, then yes... the EAP-TLS checks will not be run.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>