Troubleshooting EAP-TLS with External Certificates
Matthew West
matthew.t.west at gmail.com
Thu Sep 15 18:38:25 CEST 2016
Hi Stefan, Matthew, and All,
> # As part of checking a client certificate, the EAP-TLS
> # sets some attributes such as TLS-Client-Cert-CN. This
> # virtual server has access to these attributes, and can
> # be used to accept or reject the request.
> #
> # virtual_server = check-eap-tls
>
> That pretty much gives it away :-)
:D Yes, that's what led me to check-eap-tls, but that file also says
it can be handled in raddb/mods-available/eap. FR seems very flexible
and programmer-friendly. I'm just a lowly network guy, though I had
enough programming in my CS undergrad to get dirty and mess stuff up.
;)
> It's been a long time since I wrote that, but from memory I can't
> think of any reason why it wouldn't. The whole point of it is to
> check the client's cert, not the root/intermediates.
Yes, that would make sense, and it is what the server seems to be doing.
> It's all in the unlang man page. Use a regex.
OK, I was looking at the freeradius/networkradius wikis; I didn't know
there was a man page for that. Thank you!
> something more like
> if (&TLS-Client-Cert-Subject =~ /[@\.]acme.com$/) {
> update config {
> use "update control". "config" is obsolete.
Great, I have some resources locally that can help me troubleshoot the
specifics of the regex.
> I would do it the other way around.
>
> update control {
>     Auth-Type := Reject
> }
>
> if (&TLS-Client-Cert-Subject =~ /[@\.]acme.com$/) {
>     update control {
>         Auth-Type := Accept
Will the process run through the whole virtual server file before
returning the Auth-Type? Is that why one can set an accept after a
reject?
Thank you all again for helping me learn more about FreeRADIUS. I
promise I spend at least a couple hours going through documentation
before posting here; I respect your time and knowledge.
Thank You,
Matthew West
On Thu, Sep 15, 2016 at 2:50 AM, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> On Wed, Sep 14, 2016 at 04:01:46PM -0700, Matthew West wrote:
>> /etc/raddb/sites-available/check-eap-tls appears to be the correct
>> virtual server to do the check.
>
> Yes.
>
>> The information I am looking to check against is in the value-pair:
>> TLS-Client-Cert-Subject. When checking the debug, I found the
>> information I'm looking for at chain-depth=0 in the chain (the first
>> two certs are the primary CA and intermediate CA). Will check-eap-tls
>> use the information at chain-depth=0?
>
> It's been a long time since I wrote that, but from memory I can't
> think of any reason why it wouldn't. The whole point of it is to
> check the client's cert, not the root/intermediates.
>
> Use
>
> debug_request
>
> to see what attributes you can check.
>
>
>> I would like to check the subject only for the inclusion of our
>> domain, acmetech.com, but am new to string manipulation using unlang.
>> I would like the function to work as follows, but don't have the
>> syntax correct.
>
> It's all in the unlang man page. Use a regex.
>
>> if ("%{TLS-Client-Cert-Subject}" == (* + "acme.com") {
>
> something more like
>
> if (&TLS-Client-Cert-Subject =~ /[@\.]acme.com$/) {
>
>>     update config {
>
> use "update control". "config" is obsolete.
>
>>         Auth-Type := Accept
>>     }
>> }
>> else {
>>     update config {
>>         Auth-Type := Reject
>>     }
>>     update reply {
>>         Reply-Message := "Your certificate is not valid."
>>     }
>
> This won't ever get seen by the client, so probably isn't worth
> doing.
>
>> }
>
>
> I would do it the other way around.
>
> update control {
>     Auth-Type := Reject
> }
>
> if (&TLS-Client-Cert-Subject =~ /[@\.]acme.com$/) {
>     update control {
>         Auth-Type := Accept
>     }
> }
>
> Matthew
>
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
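The regex policy discussed above, as an added example for trying it offline before it goes into check-eap-tls. This is not code from the thread or from FreeRADIUS: it is a small Python harness that runs the regex exactly as posted (`[@\.]acme.com$`), an escaped form of it, and the reject-by-default decision against constructed TLS-Client-Cert-Subject strings. The sample subjects, the domain acme.com, the assumption that the attribute holds OpenSSL's one-line "/C=.../O=.../CN=..." form, and all function names are assumptions made for this example. The patterns use only character classes, an escaped dot and a `$` anchor, which mean the same thing in Python's `re` as in the regex engine unlang uses.

```python
import re

# Constructed sample values for TLS-Client-Cert-Subject (made up for this
# example).  They assume the attribute carries the leaf (depth 0)
# certificate's subject in the one-line "/C=.../O=.../CN=..." form.
SAMPLE_SUBJECTS = {
    "employee":   "/C=US/O=Acme/CN=alice@acme.com",
    "device":     "/C=US/O=Acme/CN=switch01.acme.com",
    "lookalike":  "/C=US/O=Mallory/CN=mallory@acmeXcom",
    "other_org":  "/C=US/O=Mallory/CN=mallory@notacme.com",
    "prefix":     "/C=US/O=Mallory/CN=acme.com.evil.example",
    "email_last": "/C=US/O=Acme/CN=bob@acme.com/emailAddress=bob@evil.example",
}

# The regex exactly as posted in the thread.  The '.' inside "acme.com" is
# not escaped, so it matches any single character, not only a dot.
POSTED_RE = re.compile(r"[@\.]acme.com$")


def build_domain_regex(domain):
    """Hardened form: the domain is escaped so its dots are literal; it must
    be preceded by '@' (a mailbox) or '.' (a host label) and end the string."""
    return re.compile(r"[@.]" + re.escape(domain) + r"$")


def matches_posted(subject):
    """True if the regex as posted matches the whole Subject string."""
    return POSTED_RE.search(subject) is not None


def matches_hardened(subject, domain="acme.com"):
    """True if the escaped regex matches the whole Subject string."""
    return build_domain_regex(domain).search(subject) is not None


def common_name(subject):
    """Return the CN value from a one-line DN, or None if there is none.
    Assumes no '/' inside attribute values; inside FreeRADIUS you would
    read TLS-Client-Cert-Common-Name rather than parse the Subject."""
    for rdn in subject.split("/"):
        if rdn.startswith("CN="):
            return rdn[len("CN="):]
    return None


def decide(subject, domain="acme.com"):
    """Mirror the reject-by-default policy from the thread: Auth-Type starts
    as Reject and is flipped to Accept only when the CN ends in the domain."""
    auth_type = "Reject"
    cn = common_name(subject)
    if cn is not None and build_domain_regex(domain).search(cn):
        auth_type = "Accept"
    return auth_type


def report(subjects=SAMPLE_SUBJECTS):
    """Evaluate every sample under the posted regex, the hardened regex
    (both against the whole Subject) and the CN-based decision."""
    return {
        name: {
            "posted": matches_posted(s),
            "hardened": matches_hardened(s),
            "decision": decide(s),
        }
        for name, s in subjects.items()
    }


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:10s} posted={row['posted']!s:5} "
              f"hardened={row['hardened']!s:5} -> {row['decision']}")
```

Two things the harness makes visible. First, the unescaped dot lets the "lookalike" subject `mallory@acmeXcom` through the posted regex while the escaped form rejects it. Second, anchoring with `$` against the whole Subject ties the check to the CA's RDN order: the "email_last" certificate has a perfectly good CN but fails both whole-string regexes because emailAddress comes after CN, which is why the decision function matches the CN value alone.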