A few questions about radsec
work vlpl
thework.vlpl at gmail.com
Mon Feb 18 18:31:54 CET 2019
On Sat, 16 Feb 2019 at 03:33, Alan DeKok <aland at deployingradius.com> wrote:
> > I'm interested in radius clients identification. Is it possible to get
> > radius client id in radius config section that support unlang? For
> > example CN or fingerprint from radius client certificate, like its by
> > done for EAP-TLS request.
>
> Yes. See the GitHub issue Brian pointed you to. I'll go update the documentation in the virtual server.
Thank you for the answers.
I have one problem left: I can't figure out how to access the
%{listen:...} strings.
In the virtual site configuration that is referenced in the `tls` file I added
these strings:
```
authorize {
%{listen:TLS-Client-Cert-Common-Name}
%{listen:TLS-Client-Cert-CN}
%{listen:TLS-Client-Cert-Subject}
%{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}
...
}
```
In the debug output I see this:
```
Waking up in 29.4 seconds.
(0) Application data status 7
(0) tls_recv: Access-Request packet from host 172.20.0.1 port 42601, id=1, length=118
Threads: total/active/spare threads = 5/0/5
Waking up in 0.3 seconds.
Thread 4 got semaphore
Thread 4 handling request 0, (1 handled so far)
(0) Received Access-Request Id 1 from 172.20.0.1:42601 to 0.0.0.0:2083 length 118
(0) User-Name = "testing"
(0) NAS-Identifier = "foo"
(0) Called-Station-Id = "testid"
(0) MS-CHAP-Challenge = 0x716a0175a2d80c7d
(0) MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000005a24ab85f026fae15e930276c4129556fc5e9c355ec01735
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/testing-stie
(0) authorize {
(0) Listener does not contain config item "TLS-Client-Cert-Common-Name"
(0) EXPAND %{listen:TLS-Client-Cert-Common-Name}
(0) -->
(0) Listener does not contain config item "TLS-Client-Cert-CN"
(0) EXPAND %{listen:TLS-Client-Cert-CN}
(0) -->
(0) Listener does not contain config item "TLS-Client-Cert-Subject"
(0) EXPAND %{listen:TLS-Client-Cert-Subject}
(0) -->
(0) Listener does not contain config item "TLS-Client-Cert-Subject-Alt-Name-Dns"
(0) EXPAND %{listen:TLS-Client-Cert-Subject-Alt-Name-Dns}
(0) -->
```
The certificate used by radsecproxy has these values for the CN:
`Subject: C = GB, ST = England, O = First CA, CN = radsecclient.local`
What am I doing wrong?