v4: Can't see TLS certificate fields from `send Access-Accept` section anymore
Nick Bogdanov
nickrbogdanov at gmail.com
Wed Feb 17 03:22:30 CET 2021
I am using EAP-TLS authentication and trying to read the
%{session-state.TLS-Client-Cert-Subject} attribute in order to set the
reply.Tunnel-Private-Group-Id field. In v3 I could just add this to
my post-auth section:
if (TLS-Client-Cert-Subject =~ /\/OU=VLAN 1\//) {
    update reply {
        &Tunnel-Private-Group-Id = "1"
    }
}
In v4 I can see the cert fields in the `recv Access-Request` section
(after setting `virtual_server = default` in mods-available/eap) but
they are all empty when I try to read them from the `send
Access-Accept` section. In fact, if I uncomment these sections from
the default config, the fields are all empty too:
# update reply {
#     &Reply-Message += "%{session-state.TLS-Cert-Serial}"
#     &Reply-Message += "%{session-state.TLS-Cert-Expiration}"
#     &Reply-Message += "%{session-state.TLS-Cert-Subject}"
#     &Reply-Message += "%{session-state.TLS-Cert-Issuer}"
#     &Reply-Message += "%{session-state.TLS-Cert-Common-Name}"
#     &Reply-Message += "%{session-state.TLS-Cert-Subject-Alt-Name-Email}"
#
#     &Reply-Message += "%{session-state.TLS-Client-Cert-Serial}"
#     &Reply-Message += "%{session-state.TLS-Client-Cert-Expiration}"
#     &Reply-Message += "%{session-state.TLS-Client-Cert-Subject}"
#     &Reply-Message += "%{session-state.TLS-Client-Cert-Issuer}"
#     &Reply-Message += "%{session-state.TLS-Client-Cert-Common-Name}"
#     &Reply-Message += "%{session-state.TLS-Client-Cert-Subject-Alt-Name-Email}"
# }
The log says:
(15,8) update reply {
(15,8) EXPAND %{session-state.TLS-Cert-Serial}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Cert-Expiration}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Cert-Subject}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Cert-Issuer}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Cert-Common-Name}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Cert-Subject-Alt-Name-Email}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Serial}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Expiration}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Subject}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Issuer}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Common-Name}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Subject-Alt-Name-Email}
(15,8) --> (null)
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) &Reply-Message += ""
(15,8) } # update reply (noop)
I am running git rev 89b77dc09571cb4ac3cd4d639aee6c17bea23182, built
from source. I saw something in upgrade.adoc about using the `filter`
directive but it wasn't clear to me what that meant. Am I missing
something simple or is this a bug?
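Added example, not part of the post or of FreeRADIUS: a small Python checker that pairs each `EXPAND` line of a `radiusd -X` log with its `-->` result, so an operator can list which `session-state.TLS-*` references came back `(null)` in the `send Access-Accept` section, plus the VLAN test from the poster's v3 policy generalised to any `OU=VLAN <n>` value (the sample log excerpt and the certificate subjects are constructed).

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt modelled on the debug output quoted in the post.
SAMPLE_LOG = """\
(15,8) update reply {
(15,8) EXPAND %{session-state.TLS-Client-Cert-Subject}
(15,8) --> (null)
(15,8) EXPAND %{session-state.TLS-Client-Cert-Serial}
(15,8) --> 0a1b2c
(15,8) &Reply-Message += ""
(15,8) } # update reply (noop)
"""

EXPAND_RE = re.compile(r"EXPAND %\{(?P<ref>[^}]+)\}")
RESULT_RE = re.compile(r"--> (?P<value>.*)$")
VLAN_OU_RE = re.compile(r"/OU=VLAN (?P<vlan>\d+)(?:/|$)")


def parse_expansions(log: str) -> Dict[str, Optional[str]]:
    """Map each expanded reference to its result; '(null)' becomes None so an
    unset attribute is distinguishable from an empty-string value."""
    results: Dict[str, Optional[str]] = {}
    pending: Optional[str] = None
    for line in log.splitlines():
        m = EXPAND_RE.search(line)
        if m:
            pending = m.group("ref")
            continue
        m = RESULT_RE.search(line)
        if m and pending is not None:
            value = m.group("value").strip()
            results[pending] = None if value == "(null)" else value
            pending = None
    return results


def null_session_state_refs(log: str) -> List[str]:
    """session-state references that expanded to (null) in the log."""
    return sorted(ref for ref, val in parse_expansions(log).items()
                  if ref.startswith("session-state.") and val is None)


def vlan_from_subject(subject: Optional[str]) -> Optional[str]:
    """Generalised form of the post's `/OU=VLAN 1/` match: return the VLAN id
    for Tunnel-Private-Group-Id, or None when the subject is unset or has no
    VLAN OU, so an empty attribute never assigns a VLAN."""
    if not subject:
        return None
    m = VLAN_OU_RE.search(subject)
    return m.group("vlan") if m else None
```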