Authentication issues
Alan DeKok
aland at deployingradius.com
Tue Jun 28 12:01:17 UTC 2022
On Jun 27, 2022, at 9:51 AM, David le Roux <david.leroux at miller.co.uk> wrote:
> That's because when I put the unlang script above I get the following error in journalctl -xe
All of the documentation says to test with "radiusd -X" (or freeradius-X). Because that gives much more information than some random log file.
> /etc/freeradius/3.0/sites-enabled/mh-site[27]: Unknown attribute 'Cert-CN'
Yes, you can't just invent things and have them work. The server uses pre-defined dictionaries of named attributes.
Happily, you can also define new attributes. Edit /etc/freeradius/3.0/dictionary, and add:
ATTRIBUTE Cert-CN 3000 string
and it will be defined, and it will work.
> I was under the impression that the previous error:
>
>>> tls: Certificate CN (mh300416.millerextra.com) does not match specified value (host/mh300416.millerextra.com)!
>>> (8) eap_tls: >>> send TLS 1.2 [length 0002]
>>> (8) eap_tls: ERROR: TLS Alert write:fatal:internal error
>>> tls: TLS_accept: Error in error
>
> Required modifying the username to match the certificate?
No. The error came because you modified the User-Name, and the modified version didn't match the certificate.
>> Instead, add a Cert-CN, and then modify the "eap" module to check for Cert-CN, and then User-Name:
>>
>> check_cert_cn = %{%{Cert-CN}:-%{User-Name}}
>
> I've added that, but the error message before adding that and after are the same.
Define the Cert-CN attribute as described above. And add a Cert-CN in the "update" section, instead of over-writing User-Name. It will work.
Alan DeKok.
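The three pieces of configuration Alan describes, put together as an added example (this is not from the thread or from the FreeRADIUS project; the regex that derives the CN from a "host/..." User-Name and the choice of the authorize section are assumptions made for this example):

```text
# 1. /etc/freeradius/3.0/dictionary
#    Define the custom attribute before anything references it.
#    3000 is the number used on the page; it falls in the range reserved for
#    local definitions in this file.
ATTRIBUTE   Cert-CN   3000   string

# 2. /etc/freeradius/3.0/sites-enabled/mh-site (authorize section)
#    Derive the expected certificate CN from the User-Name instead of
#    rewriting User-Name itself. The "host/" prefix and the capture are an
#    assumption matching the log lines shown above; adjust to your naming.
authorize {
    ...
    if (&User-Name =~ /^host\/(.+)$/) {
        update request {
            &Cert-CN := "%{1}"
        }
    }
    eap
    ...
}

# 3. /etc/freeradius/3.0/mods-available/eap (inside the tls-config block)
#    Check the client certificate CN against Cert-CN when it is set, and
#    fall back to User-Name when it is not. User-Name is never modified, so
#    the rest of the request sees the original identity.
tls-config tls-common {
    ...
    check_cert_cn = %{%{Cert-CN}:-%{User-Name}}
    ...
}
```

Run "radiusd -X" after the change: the debug output shows the expanded check_cert_cn value and the certificate CN side by side, so a mismatch is visible before the TLS alert.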