Troubleshooting EAP-TLS with External Certificates
Matthew Newton
mcn4 at leicester.ac.uk
Thu Sep 15 11:50:53 CEST 2016
On Wed, Sep 14, 2016 at 04:01:46PM -0700, Matthew West wrote:
> /etc/raddb/sites-available/check-eap-tls appears to be the correct
> virtual server to do the check.
Yes.
> The information I am looking to check against is in the value-pair:
> TLS-Client-Cert-Subject. When checking the debug, I found the
> information I'm looking for at chain-depth=0 in the chain (the first
> two certs are the primary CA and intermediate CA). Will check-eap-tls
> use the information at chain-depth=0?
It's been a long time since I wrote that, but from memory I can't
think of any reason why it wouldn't. The whole point of it is to
check the client's cert, not the root/intermediates.
Use

  debug_request

to see what attributes you can check.
> I would like to check the subject only for the inclusion of our
> domain, acmetech.com, but am new to string manipulation using unlang.
> I would like the function to work as following, but don't have the
> syntax correct.
It's all in the unlang man page. Use a regex.
> if ("%{TLS-Client-Cert-Subject}" == (* + "acme.com") {
something more like
if (&TLS-Client-Cert-Subject =~ /[@\.]acme.com$/) {
> update config {
use "update control". "config" is obsolete.
> Auth-Type := Accept
> }
> }
> else {
> update config {
> Auth-Type := Reject
> }
> update reply {
> Reply-Message := "Your certificate is not valid."
> }
This won't ever get seen by the client, so probably isn't worth
doing.
> }
I would do it the other way around.
  update control {
    Auth-Type := Reject
  }

  if (&TLS-Client-Cert-Subject =~ /[@\.]acme.com$/) {
    update control {
      Auth-Type := Accept
    }
  }
Matthew
--
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
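As an added illustration, not part of this thread and not FreeRADIUS code, the following Python models the default-reject policy given in the reply above and runs it over constructed subject DNs in the OpenSSL one-line form that FreeRADIUS places in TLS-Client-Cert-Subject. It shows what the [@\.] prefix and the $ anchor each exclude, that the check only passes when the matching component is the last one in the DN, and that escaping the dot in acme\.com (an addition here, not in the original regex) stops a single-character wildcard match. The domain and all subject strings are constructed samples.

```python
import re

# Regex as written in the reply: the "." inside "acme.com" is unescaped,
# so it matches any single character.
PAGE_PATTERN = re.compile(r"[@\.]acme.com$")

# Same check with the dot escaped (added here for comparison).
STRICT_PATTERN = re.compile(r"[@\.]acme\.com$")


def eap_tls_decision(subject: str, pattern: re.Pattern = STRICT_PATTERN) -> str:
    """Model of the unlang policy from the reply.

    update control { Auth-Type := Reject }          -> default is Reject
    if (&TLS-Client-Cert-Subject =~ /.../) { ... }  -> Accept only on match
    """
    auth_type = "Reject"
    if pattern.search(subject):
        auth_type = "Accept"
    return auth_type


# Constructed subject DNs (assumption: OpenSSL one-line format, as FreeRADIUS
# uses for TLS-Client-Cert-Subject) and the decision expected from the strict
# pattern.
SAMPLES = {
    # ends with "@acme.com": accepted
    "/C=US/O=Acme/CN=alice@acme.com": "Accept",
    # ends with ".acme.com": accepted (host-style CN)
    "/C=US/O=Acme/CN=laptop42.acme.com": "Accept",
    # "acme.com" preceded by "t", not "@" or ".": the [@\.] prefix rejects it
    "/C=US/O=Other/CN=bob@notacme.com": "Reject",
    # "acme.com" is not at the end of the DN: the $ anchor rejects it
    "/C=US/O=Evil/CN=acme.com.evil.example": "Reject",
    # caveat: a matching CN that is not the last DN component is also rejected
    "/C=US/CN=alice@acme.com/O=Acme Corp": "Reject",
    # the unescaped "." in the page's regex would accept this; strict rejects
    "/C=US/O=Evil/CN=alice@acmeXcom": "Reject",
}


def run_samples(pattern: re.Pattern = STRICT_PATTERN) -> dict:
    """Apply the policy to every constructed subject and return the decisions."""
    return {subject: eap_tls_decision(subject, pattern) for subject in SAMPLES}


if __name__ == "__main__":
    for subject, decision in run_samples().items():
        print(f"{decision:7s} {subject}")
    # The original (unescaped) regex accepts the wildcard case:
    print(eap_tls_decision("/C=US/O=Evil/CN=alice@acmeXcom", PAGE_PATTERN))
```

The point of the ordering in the reply is visible in eap_tls_decision: Reject is set unconditionally first, so any subject that the regex does not match, including one where the domain appears in the wrong DN component, falls through to a rejection rather than to an unset Auth-Type.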