Checking certificate client policies for RadSec connection
Alan DeKok
aland at deployingradius.com
Tue Aug 17 15:13:53 CEST 2021
On Aug 17, 2021, at 9:01 AM, Arnaud LAURIOU <arnaud.lauriou at renater.fr> wrote:
> We are currently checking certificate policy (X509v3 Certificate Policies) of our RadSec clients
> with an external command: 'openssl verify -policy_check ...'
>
> Can we check these policies directly in FR, without an external command?
Yes.
> In debug mode (FR 3.0.23), I can't find these policies in the attributes list created from the
> client certificate.
You will need to add a dictionary item for them. Only a few X509 attributes are currently defined:
$ git grep -i x509 share/
share/dictionary.freeradius.internal:ATTRIBUTE TLS-Client-Cert-X509v3-Extended-Key-Usage 1927 string
share/dictionary.freeradius.internal:ATTRIBUTE TLS-Client-Cert-X509v3-Subject-Key-Identifier 1928 string
share/dictionary.freeradius.internal:ATTRIBUTE TLS-Client-Cert-X509v3-Authority-Key-Identifier 1929 string
share/dictionary.freeradius.internal:ATTRIBUTE TLS-Client-Cert-X509v3-Basic-Constraints 1930 string
share/dictionary.freeradius.internal:ATTRIBUTE TLS-Client-Cert-X509v3-Extended-Key-Usage-OID 1936 string
Run the server in debug mode (-Xx) to see messages like:
Skipping TLS-Client-Cert-X509-Bar += 'foo'. Please check that both the attribute and value are defined in the dictionaries
That gives you the name to use. Then, just add the new attribute to raddb/dictionary.
Alan DeKok.
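As an added illustration of the two steps in the reply above (this is not configuration from the original message or from the FreeRADIUS project), here is what a local dictionary entry plus a policy check could look like. It assumes that the attribute name FreeRADIUS generates for the extension follows the same pattern as the existing TLS-Client-Cert-X509v3-* attributes (confirm the real name in the -Xx "Skipping ..." debug line first), that 3000 is a free number for a local attribute in raddb/dictionary, that the listener's tls section names a virtual server (check-eap-tls here) that is run with the client certificate attributes, and that 1.3.6.1.4.1.99999.1 is a placeholder policy OID.

```text
# raddb/dictionary  (assumed local attribute number 3000; the name must match
# the one shown in the server's -Xx debug output, not this guess)
ATTRIBUTE   TLS-Client-Cert-X509v3-Certificate-Policies   3000   string

# raddb/sites-available/check-eap-tls  (assumed: the virtual server referenced by
# virtual_server = ... in the RadSec listener's tls { } section; a "reject" here
# closes the TLS connection)
server check-eap-tls {
    authorize {
        # Accept only client certificates whose Certificate Policies extension
        # carries our policy OID (1.3.6.1.4.1.99999.1 is a placeholder).
        # The attribute value is the text form printed by OpenSSL, so a regex
        # match on the OID is used rather than an exact string compare.
        if (!(&TLS-Client-Cert-X509v3-Certificate-Policies =~ /1\.3\.6\.1\.4\.1\.99999\.1/)) {
            reject
        }
        ok
    }
}
```

Run the server with -Xx after adding the dictionary entry: the "Skipping ..." message should disappear and the new attribute should show up in the request list with its value, which is what the regex above is written against.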
More information about the Freeradius-Users mailing list