How to check the Extended Key Usage in freeradius?
Dentzer, Daniel
Dentzer at cpa.de
Mon Feb 13 10:08:28 UTC 2023
I'm configuring a freeradius server for authenticating Wifi clients with EAP-TLS.
The solution should check certificates with EAP-TLS and everything is working fine, but checking the "extended key usage" to reply with a specific VLAN is not working as expected.
So in my site config I have:
    if (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XY\.xxxxx\.de$/) {
        if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1") {
            update reply {
                &Tunnel-Type = 13,
                &Tunnel-Medium-Type = 6,
                &Tunnel-Private-Group-Id = "1"
            }
        }
        if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.2") {
            update reply {
                &Tunnel-Type = 13,
                &Tunnel-Medium-Type = 6,
                &Tunnel-Private-Group-Id = "2"
            }
        }
    } elsif (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XYZ\.xxxxx\.de$/) {
        if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.16530950.3") {
            update reply {
                &Tunnel-Type = 13,
                &Tunnel-Medium-Type = 6,
                &Tunnel-Private-Group-Id = "3"
            }
        }
    } else {
        update reply {
            Reply-Message := "Certificate Extended-Key-Usage with wrong or missing Group."
            Auth-Type := Reject
        }
        reject
    }
In the log I see that the Attribute is in the tls-cert:
    freeradius | (342) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "user.XY.xxxxx.de"
    freeradius | (342) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, 1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7"
    freeradius | (342) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
    freeradius | (342) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.2"
But when I scroll down, I see that the result of the if-check is false:
    freeradius | (343) if (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XY\.xxxxx\.de$/){
    freeradius | (343) if (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XY\.xxxxx\.de$/) -> TRUE
    freeradius | (343) if (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XY\.xxxxx\.de$/) {
    freeradius | (343) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1") {
    freeradius | (343) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1") -> FALSE
    freeradius | (343) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.2") {
    freeradius | (343) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.2") -> FALSE ### This should be TRUE ###
    freeradius | (343) } # if (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XY\.xxxxx\.de$/) = noop
TLS-Client-Cert-X509v3-Extended-Key-Usage-OID is a list; do I have to check it in a different way?
Thanks in advance.
Daniel