How to check the Extended Key Usage in freeradius?

Alan DeKok aland at deployingradius.com
Mon Feb 13 12:14:31 UTC 2023


On Feb 13, 2023, at 5:08 AM, Dentzer, Daniel <Dentzer at cpa.de> wrote:
> 
> I'm configuring a freeradius server for authenticating Wifi clients with EAP-TLS.
> The solution should check certificates with EAP-TLS and everything is working fine, but checking the "extended key usage" to reply with a specific VLAN is not working as expected.

  The debug output prints out everything it's doing.  Read it carefully.

> So in my site config I have:

  Configuration doesn't matter.

> In the log I see that the Attribute is in the tls-cert:
> freeradius | (342) eap_tls:   TLS-Client-Cert-Subject-Alt-Name-Dns := "user.XY.xxxxx.de"
> freeradius | (342) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, 1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7"
> freeradius | (342) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
> freeradius | (342) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.2"

  Packet 342.

> But when I scroll down, I see that the result of the if-check is false:
> ...
> freeradius | (343)       if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1") {
> freeradius | (343)       if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1")  -> FALSE

  Packet 343.

  These are different packets, with different contents.

  The server saves the TLS certificate data in the session-state list.  So do:

	if (&session-state.TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == ...

  That should work.

  See also raddb/policy.d/debug.  You can use the policies there to print out the contents of the various lists.  i.e.

	debug_session_state
	if (&session-state.TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == ...

  That tells you exactly what's in the list, and whether or not the "if" condition will pass.

  Alan DeKok.
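As an added illustration (not part of the original thread, and not the poster's or the FreeRADIUS project's configuration), the following FreeRADIUS 3.x unlang fragment shows the check done the way the reply describes: against the session-state list, preceded by `debug_session_state` so the compared value is visible in the debug output. The OID suffix `EXAMPLE-OID` and the VLAN ids `42` and `10` are placeholders to be replaced with the reader's own values; the section name `post-auth` and the Tunnel-* reply attributes are standard FreeRADIUS/RADIUS names.

```unlang
# Added example, not from the original mail. FreeRADIUS 3.x unlang for
# the post-auth section of the virtual server that terminates EAP-TLS
# (e.g. raddb/sites-enabled/default).
#
# The TLS client-certificate attributes are stored in the session-state
# list, which is carried across all packets of one EAP conversation.
# The request list of the final Access-Request does not contain them,
# so the condition must reference &session-state explicitly.
post-auth {
	# Policy from raddb/policy.d/debug: prints the whole session-state
	# list, so the exact value compared below is visible in "radiusd -X".
	debug_session_state

	# Placeholder OID: substitute the application-policy OID that your
	# client certificates actually carry (see the
	# TLS-Client-Cert-X509v3-Extended-Key-Usage-OID lines in the debug output).
	if (&session-state.TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.EXAMPLE-OID") {
		update reply {
			&Tunnel-Type := VLAN
			&Tunnel-Medium-Type := IEEE-802
			&Tunnel-Private-Group-Id := "42"   # placeholder VLAN for matching certs
		}
	}
	else {
		# No matching EKU OID: assign an explicit restricted VLAN instead of
		# sending a reply with no VLAN attributes at all.
		update reply {
			&Tunnel-Type := VLAN
			&Tunnel-Medium-Type := IEEE-802
			&Tunnel-Private-Group-Id := "10"   # placeholder default VLAN
		}
	}
}
```

Run the server with `radiusd -X` and watch for the `debug_session_state` output immediately before the `if` line; the value printed there is the one the condition evaluates, which removes the guesswork of reading the attribute from an earlier packet's output.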
