Is it possible to execute check-eap-tls before checking ocsp?

Mitsuhiro Nakamura mitsuhiro.nakamura at nabiq.co.jp
Sat Apr 23 12:24:25 CEST 2016


Thank you for the reply.

I have to protect the OCSP server against cert DDoS attacks.
I'll find another way.

Thanks anyway!

On 2016/04/22 22:14, Alan DeKok wrote:
> On Apr 22, 2016, at 4:38 AM, Mitsuhiro Nakamura <mitsuhiro.nakamura at nabiq.co.jp> wrote:
>>
>> Thank you for the reply.
>> I changed check-eap-tls to come before ocsp as below
>
>    Order in the configuration files doesn't matter.
>
>    Order *does* matter for "unlang", e.g. in authorize, authenticate, etc.
>
>> raddb/sites-enabled/check-eap-tls
>>         if ("%{TLS-Client-Cert-Common-Name}" =~ /^.*@domain\.com$/) {
>>                 update config {
>>                         &Auth-Type := Accept
>
>    You cannot do that.
>
>    For one, it's "update control", not "update config".
>
>    And you *cannot* just return "Accept" for EAP-TLS.  The protocol is designed to make that impossible.
>
>    i.e. the configuration file lets you do that, but the client will detect that the protocol is wrong, and stop doing EAP-TLS... and not get on the network.
>
>> but in this case ocsp never executes if check-eap-tls succeeds.
>> Any ideas?
>
>    If you bypass all of EAP-TLS by forcing Access-Accept, then yes... the EAP-TLS checks will not be run.
>
>    Alan DeKok.
>
