Checking certificate client policies for RadSec connection

Arnaud LAURIOU arnaud.lauriou at renater.fr
Tue Aug 17 16:23:46 CEST 2021



On 8/17/21 3:13 PM, Alan DeKok wrote:
> On Aug 17, 2021, at 9:01 AM, Arnaud LAURIOU <arnaud.lauriou at renater.fr> wrote:
>
>> In debug mode (FR 3.0.23), I can't find these policies in the attributes list created from the
>> client certificate.
>    You will need to add a dictionary item for them.  Only a few X509 attributes are currently defined:
>
> $ git grep -i x509 share/
> share/dictionary.freeradius.internal:ATTRIBUTE  TLS-Client-Cert-X509v3-Extended-Key-Usage 1927  string
> share/dictionary.freeradius.internal:ATTRIBUTE  TLS-Client-Cert-X509v3-Subject-Key-Identifier 1928      string
> share/dictionary.freeradius.internal:ATTRIBUTE  TLS-Client-Cert-X509v3-Authority-Key-Identifier 1929    string
> share/dictionary.freeradius.internal:ATTRIBUTE  TLS-Client-Cert-X509v3-Basic-Constraints 1930   string
> share/dictionary.freeradius.internal:ATTRIBUTE  TLS-Client-Cert-X509v3-Extended-Key-Usage-OID 1936      string
>
>    Run the server in debug mode (-Xx) to see messages like:
>
> 	Skipping TLS-Client-Cert-X509-Bar += 'foo'.  Please check that both the attribute and value are defined in the dictionaries
>
>    That gives you the name to use.  Then, just add the new attribute to raddb/dictionary
Right, got it.
Now, where can I check its value?
In 'Autz-Type New-TLS-Connection' with check_client_connections?

Regards
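Added illustration of the two steps described in the thread above (it is not from the original messages or the FreeRADIUS project): a dictionary entry for the Certificate Policies extension, followed by a check on it in the 'Autz-Type New-TLS-Connection' section that the question proposes. The attribute name TLS-Client-Cert-X509v3-Certificate-Policies is an assumption; take the exact name from the "Skipping TLS-Client-Cert-... += '...'" line in -Xx output. The number 3000 is only an example in the local range, the policy OID 2.999.1 is a placeholder in the OID arc reserved for documentation, and the assumption that check_client_connections = yes runs Autz-Type New-TLS-Connection once per accepted RadSec connection is taken from the question, not confirmed by the thread.

```text
# raddb/dictionary  (added example, not part of the thread)
# Name: copy it verbatim from the "Skipping TLS-Client-Cert-... += '...'"
# debug line; the one below is assumed for the Certificate Policies extension.
# Number: a free number in the local range used by the commented samples
# in this file; 3000 is only an example.
ATTRIBUTE	TLS-Client-Cert-X509v3-Certificate-Policies	3000	string

# raddb/sites-available/tls  (assumed layout; adapt to your virtual server)
listen {
	# (other listen options unchanged)
	tls {
		# (certificate, key, CA options unchanged)
		# Assumption: this makes the server run Autz-Type New-TLS-Connection
		# once per accepted RadSec connection, before any RADIUS packet.
		check_client_connections = yes
	}
}

authorize {
	# (other authorize entries unchanged)
	Autz-Type New-TLS-Connection {
		# The value is the text rendering of the extension, e.g.
		#   Policy: 2.999.1
		#     CPS: https://...
		# 2.999.1 is a placeholder OID; substitute the policy your CA asserts.
		# A certificate without the extension at all is refused as well.
		if (!&TLS-Client-Cert-X509v3-Certificate-Policies) {
			reject
		}
		if (&TLS-Client-Cert-X509v3-Certificate-Policies !~ /Policy: 2\.999\.1/) {
			reject
		}
		ok
	}
}
```

Anything other than ok/updated from that section closes the TLS connection, so the two reject branches are the point of the check; the literal "Policy: " prefix in the regex avoids matching the OID where it might appear elsewhere in the rendered text (for example inside a CPS URL).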


