Troubleshooting EAP-TLS with External Certificates
Matthew West
matthew.t.west at gmail.com
Thu Sep 15 23:11:22 CEST 2016
Hi Alan (sorry, called you Alex!),
Looks like that did the trick. Much thanks to Matthew for the RegEx,
passed it along to a dev here and confirmed that's what we want. See
success below.
Off to learning CRLs and removing all non-EAP-TLS authentication
mechanisms. After that, I should have the server functioning the way
that was requested of me.
Thank you all for helping me along.
Take Care,
Matthew
---
(9) # Executing section authorize from file
/etc/raddb/sites-enabled/check-eap-tls
(9) authorize {
(9) update control {
(9) Auth-Type := Reject
(9) } # update control = noop
(9) if (&TLS-Client-Cert-Subject =~ /[@\.]acme.com$/)
(9) if (&TLS-Client-Cert-Subject =~ /[@\.]acme.com$/) -> TRUE
(9) if (&TLS-Client-Cert-Subject =~ /[@\.]acme.com$/) {
(9) update control {
(9) Auth-Type := Accept
(9) } # update control = noop
(9) } # if (&TLS-Client-Cert-Subject =~ /[@\.]acme.com$/) = noop
(9) auth_log : EXPAND
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(9) auth_log : -->
/var/log/radius/radacct/10.XX.XX.123/auth-detail-20160915
(9) auth_log :
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/radius/radacct/10.XX.XX.123/auth-detail-20160915
(9) auth_log : EXPAND %t
(9) auth_log : --> Thu Sep 15 14:31:48 2016
(9) [auth_log] = ok
(9) } # authorize = ok
(9) Found Auth-Type = Accept
(9) Auth-Type = Accept, accepting the user
(9) Reply:
(9) } # server check-eap-tls
(9) eap_tls : Saving session
6ab28a6057925904eb95751778913a2f16f0ebe38f6e4d4d2699a5731696f1b6 vps
0x7fad652e3110 in the cache
(9) eap : Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
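As an added example (not part of the thread or of FreeRADIUS itself), the Python below replays the authorize logic of the check-eap-tls server shown above over constructed subject strings: default Reject, Accept only when the thread's exact regex matches. It also runs a stricter variant with the dot escaped (my assumption of the intended pattern) to show what the unescaped `.` in `acme.com` lets through, and that the `$` anchor binds to the end of the whole Subject string rather than to the CN component.

```python
import re

# Regex exactly as used in the thread's check-eap-tls virtual server.
# Note the unescaped '.' between "acme" and "com": it matches any character.
PAGE_PATTERN = re.compile(r"[@\.]acme.com$")

# Stricter variant (an assumption, not from the thread): escaping the dot
# so that only a literal "acme.com" domain passes.
STRICT_PATTERN = re.compile(r"[@\.]acme\.com$")


def auth_type(subject: str, pattern: re.Pattern = PAGE_PATTERN) -> str:
    """Mirror the authorize section: Auth-Type starts as Reject and is
    switched to Accept only if TLS-Client-Cert-Subject matches. unlang's
    =~ is an unanchored search, so re.search() is the right analogue."""
    return "Accept" if pattern.search(subject) else "Reject"


# Constructed sample subjects (not real certificates), in OpenSSL one-line form.
SAMPLE_SUBJECTS = [
    "/C=US/O=ACME Corp/CN=alice@acme.com",           # intended user
    "/CN=laptop42.acme.com",                          # intended host
    "/CN=alice@acmeXcom",                             # only the unescaped dot lets this in
    "/CN=alice@acme.com.example.org",                 # rejected by the $ anchor
    "/CN=alice@acme.com/emailAddress=bob@other.org",  # CN is fine, but $ sees the last RDN
]


def compare(subjects=SAMPLE_SUBJECTS):
    """Return {subject: (page_regex_result, strict_regex_result)}."""
    return {s: (auth_type(s), auth_type(s, STRICT_PATTERN)) for s in subjects}


if __name__ == "__main__":
    for subject, (page, strict) in compare().items():
        print(f"{subject:50} page={page:6} strict={strict}")
```

The last sample is the practical caveat: because the match is against the full Subject string, the decision depends on whichever RDN the CA happens to put last, so matching a single component attribute is more predictable than matching the whole Subject.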
On Thu, Sep 15, 2016 at 1:50 PM, Matthew West <matthew.t.west at gmail.com> wrote:
> Hi Alex,
>
>> if you read mods-enabled/eap you'll go to the tls {} section and see the bit that says
>>
>> #
>> # As part of checking a client certificate, the EAP-TLS
>> # sets some attributes such as TLS-Client-Cert-CN. This
>> # virtual server has access to these attributes, and can
>> # be used to accept or reject the request.
>> #
>> # virtual_server = check-eap-tls
>
> *blushes* I don't know how I missed that!
>
> Thank you! Back to testing.
>
> Matthew
>
> On Thu, Sep 15, 2016 at 1:31 PM, <A.L.M.Buxey at lboro.ac.uk> wrote:
>> Hi,
>>
>>> I've placed a symlink in /etc/raddb/sites-enabled to
>>> /etc/raddb/sites-available for the check-eap-tls virtual server.
>>
>> aye...but the server needs to know to send the packet to it....so you need to configure
>> the eap module appropriately.
>>
>> if you read mods-enabled/eap you'll go to the tls {} section and see the bit that says
>>
>> #
>> # As part of checking a client certificate, the EAP-TLS
>> # sets some attributes such as TLS-Client-Cert-CN. This
>> # virtual server has access to these attributes, and can
>> # be used to accept or reject the request.
>> #
>> # virtual_server = check-eap-tls
>>
>>> eap {
>> <snip>
>>
>>> # Linked to sub-module rlm_eap_tls
>>> tls {
>>> tls = "tls-common"
>>> }
>>
>> <snip>
>>
>> uncomment.
>>
>> enjoy
>>
>> alan