v4: Can't see TLS certificate fields from `send Access-Accept` section anymore
Alan DeKok
aland at deployingradius.com
Wed Feb 17 03:51:29 CET 2021
On Feb 16, 2021, at 9:22 PM, Nick Bogdanov <nickrbogdanov at gmail.com> wrote:
>
> I am using EAP-TLS authentication and trying to read the
> %{session-state.TLS-Client-Cert-Subject} attribute in order to set the
> reply.Tunnel-Private-Group-Id field. In v3 I could just add this to
> my post-auth section:
To be honest... v4 is under major development. We do have tests for all kinds of things. But not everything works the same as in v3, and not everything is finished. So it's "buyer beware".
> if (TLS-Client-Cert-Subject =~ /\/OU=VLAN 1\//) {
>     update reply {
>         &Tunnel-Private-Group-Id = "1"
>     }
> }
>
> In v4 I can see the cert fields in the `recv Access-Request` section
> (after setting `virtual_server = default` in mods-available/eap) but
> they are all empty when I try to read them from the `send
> Access-Accept` section. In fact, if I uncomment these sections from
> the default config, the fields are all empty too:
Look at the debug output. You should be able to see when these attributes are added (or not).
For example, I see:
(6.0) eap.tls - Continuing EAP-TLS
(6.0) eap.tls - Got final TLS record fragment (1383 bytes)
(6.0) eap.tls - [eap-tls verify] = complete
(6.0) eap.tls - Handshake state - Server SSLv3/TLS write server done (26)
(6.0) eap.tls - <<< recv TLS 1.2, handshake[length 2381], unknown_handshake_type_0x000b
(6.0) eap.tls - Adding certificate attributes to session-state
(6.0) eap.tls - &session-state.TLS-Client-Cert-Serial = "03"
(6.0) eap.tls - &session-state.TLS-Client-Cert-Expiration = "Feb 6 1970 11:23:13 UTC"
> I am running git rev 89b77dc09571cb4ac3cd4d639aee6c17bea23182, built
> from source. I saw something in upgrade.adoc about using the `filter`
> directive but it wasn't clear to me what that meant.
See:
doc/antora/modules/reference/pages/unlang/filter.adoc
doc/antora/modules/reference/pages/unlang/update.adoc
In v4, this is *extensively* documented.
> Am I missing
> something simple or is this a bug?
It's not clear. The full debug output should help.
Alan DeKok.
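A quick way to do the check Alan suggests on a full `radiusd -X` capture, as an added example (not from the thread or the FreeRADIUS project): it pulls the `&session-state.TLS-Client-Cert-*` assignments the `eap.tls` module logs, grouped by request id, and lists the requests where the Subject never arrived. The sample debug text, its request ids and the Subject value are constructed, and the OU check generalises the thread's `/OU=VLAN 1/` regex to any VLAN number.

```python
import re

# Constructed sample of radiusd -X output, modelled on the eap.tls lines quoted
# in the thread; request ids, the Subject and the second request are made up.
SAMPLE_DEBUG = """\
(6.0) eap.tls - Continuing EAP-TLS
(6.0) eap.tls - Adding certificate attributes to session-state
(6.0) eap.tls - &session-state.TLS-Client-Cert-Serial = "03"
(6.0) eap.tls - &session-state.TLS-Client-Cert-Expiration = "Feb 6 1970 11:23:13 UTC"
(6.0) eap.tls - &session-state.TLS-Client-Cert-Subject = "/C=US/O=Example/OU=VLAN 1/CN=client1"
(7.0) eap.tls - Continuing EAP-TLS
(7.0) eap.tls - Handshake state - Server SSLv3/TLS write server done (26)
"""

# Any eap.tls debug line: "(<request id>) eap.tls - <message>"
LINE_RE = re.compile(r'^\((?P<req>[\d.]+)\) eap\.tls - (?P<msg>.*)$')
# A certificate attribute being added to session-state, as the module logs it.
ASSIGN_RE = re.compile(
    r'^&session-state\.(?P<attr>TLS-Client-Cert-[\w-]+) = "(?P<val>[^"]*)"$')


def parse_cert_attrs(debug_text):
    """Map each request id that produced eap.tls output to the
    TLS-Client-Cert-* attributes it added to session-state (possibly none)."""
    found = {}
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        req, msg = m.group("req"), m.group("msg")
        found.setdefault(req, {})  # list the request even if it adds nothing
        a = ASSIGN_RE.match(msg)
        if a:
            found[req][a.group("attr")] = a.group("val")
    return found


def requests_missing_subject(debug_text):
    """Request ids whose session-state never received TLS-Client-Cert-Subject,
    i.e. where a policy keyed on the Subject would see an empty value."""
    attrs = parse_cert_attrs(debug_text)
    return sorted(r for r, a in attrs.items() if "TLS-Client-Cert-Subject" not in a)


def vlan_from_subject(subject):
    """The VLAN the thread's policy encodes in the OU, generalised from
    /OU=VLAN 1/ to any number; None when the OU is absent (e.g. empty attribute)."""
    m = re.search(r'/OU=VLAN (\d+)/', subject or "")
    return m.group(1) if m else None
```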