How to check the Extended Key Usage in freeradius?
Dentzer, Daniel
Dentzer at cpa.de
Mon Feb 27 09:18:08 UTC 2023
> The server saves the TLS certificate data in the session-state list. So do:
>
> if (&session-state.TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == ...
>
> That should work.
It seems that this doesn't work for me.
In the session-state there are only TLS-Session-Information, TLS-Session-Cipher-Suite and TLS-Session-Version.
But it seems I can work directly with TLS-Client-Cert-Issuer and TLS-Client-Cert-Subject-Alt-Name-Dns, but not with TLS-Client-Cert-X509v3-Extended-Key-Usage-OID.
Is there a way to get TLS-Client-Cert-X509v3-Extended-Key-Usage-OID
- in the session-state
  (see below '(11) policy debug_session_state {')
or
- like TLS-Client-Cert-Issuer, to use it directly
  (see below '(11) if (TLS-Client-Cert-Issuer == "/DC=org/DC=example/CN=XY Sub CA") -> TRUE')?
LOG:
freeradius | (10) Received Access-Request Id 135 from 10.1.100.55:55713 to 10.0.118.207:1812 length 873
freeradius | (10) User-Name = "host/host1.XY.example.org"
freeradius | (10) NAS-IP-Address = 10.1.100.55
freeradius | (10) NAS-Identifier = "6ad79a35b543"
freeradius | (10) Called-Station-Id = "6A-D7-9A-35-B5-43:XY"
freeradius | (10) NAS-Port-Type = Wireless-802.11
freeradius | (10) Service-Type = Framed-User
freeradius | (10) Calling-Station-Id = "14-5A-FC-11-0C-55"
freeradius | (10) Connect-Info = "CONNECT 0Mbps 802.11a"
freeradius | (10) Acct-Session-Id = "131C98E526D732C9"
freeradius | (10) Acct-Multi-Session-Id = "21DF24B695731162"
freeradius | (10) WLAN-Pairwise-Cipher = 1027076
freeradius | (10) WLAN-Group-Cipher = 1027076
freeradius | (10) WLAN-AKM-Suite = 1027073
freeradius | (10) Framed-MTU = 1400
freeradius | (10) EAP-Message = <value elided>
freeradius | (10) State = 0x67e882426e108fb8e89303b497b5b384
freeradius | (10) Message-Authenticator = 0x5807b7f924014bf2437feee3473554e1
freeradius | (10) Restoring &session-state
freeradius | (10) &session-state:Framed-MTU = 1014
freeradius | (10) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
freeradius | (10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
freeradius | (10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
freeradius | (10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
freeradius | (10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
freeradius | (10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
freeradius | (10) # Executing section authorize from file /etc/raddb/sites-enabled/site
freeradius | (10) authorize {
freeradius | (10) policy filter_username {
freeradius | (10) if (&User-Name) {
freeradius | (10) if (&User-Name) -> TRUE
freeradius | (10) if (&User-Name) {
freeradius | (10) if (&User-Name =~ / /) {
freeradius | (10) if (&User-Name =~ / /) -> FALSE
freeradius | (10) if (&User-Name =~ /@[^@]*@/ ) {
freeradius | (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
freeradius | (10) if (&User-Name =~ /\.\./ ) {
freeradius | (10) if (&User-Name =~ /\.\./ ) -> FALSE
freeradius | (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
freeradius | (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
freeradius | (10) if (&User-Name =~ /\.$/) {
freeradius | (10) if (&User-Name =~ /\.$/) -> FALSE
freeradius | (10) if (&User-Name =~ /@\./) {
freeradius | (10) if (&User-Name =~ /@\./) -> FALSE
freeradius | (10) } # if (&User-Name) = notfound
freeradius | (10) } # policy filter_username = notfound
freeradius | (10) [preprocess] = ok
freeradius | (10) eap: Peer sent EAP Response (code 2) ID 248 length 613
freeradius | (10) eap: No EAP Start, assuming it's an on-going EAP conversation
freeradius | (10) [eap] = updated
freeradius | (10) [expiration] = noop
freeradius | (10) [logintime] = noop
freeradius | (10) } # authorize = updated
freeradius | (10) Found Auth-Type = eap
freeradius | (10) # Executing group from file /etc/raddb/sites-enabled/site
freeradius | (10) authenticate {
freeradius | (10) eap: Expiring EAP session with state 0x67e882426e108fb8
freeradius | (10) eap: Finished EAP session with state 0x67e882426e108fb8
freeradius | (10) eap: Previous EAP request found for state 0x67e882426e108fb8, released from the list
freeradius | (10) eap: Peer sent packet with method EAP TLS (13)
freeradius | (10) eap: Calling submodule eap_tls to process data
freeradius | (10) eap_tls: (TLS) EAP Got final fragment (607 bytes)
freeradius | (10) eap_tls: (TLS) EAP Done initial handshake
freeradius | (10) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done
freeradius | (10) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate
freeradius | (10) eap_tls: (TLS) Creating attributes from TLS-Client-Cert-Serial certificate
freeradius | (10) eap_tls: (TLS) Creating attributes from server certificate
freeradius | (10) eap_tls: TLS-Cert-Serial := "1400000002219c173715ec84d9000000000002"
freeradius | (10) eap_tls: TLS-Cert-Expiration := "20511007092213Z"
freeradius | (10) eap_tls: TLS-Cert-Valid-Since := "211007115340Z"
freeradius | (10) eap_tls: TLS-Cert-Subject := "/DC=org/DC=example/CN=XY Sub CA"
freeradius | (10) eap_tls: TLS-Cert-Issuer := "/C=xxx/ST=xxx/L=xxx/O=xxx/CN=XY Root CA"
freeradius | (10) eap_tls: TLS-Cert-Common-Name := "XY Sub CA"
freeradius | (10) eap_tls: (TLS) Creating attributes from client certificate
freeradius | (10) eap_tls: TLS-Client-Cert-Serial := "16000028666eef874492e150cd000000002866"
freeradius | (10) eap_tls: TLS-Client-Cert-Expiration := "240209105026Z"
freeradius | (10) eap_tls: TLS-Client-Cert-Valid-Since := "230209105026Z"
freeradius | (10) eap_tls: TLS-Client-Cert-Issuer := "/DC=org/DC=example/CN=XY Sub CA"
freeradius | (10) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "host1.XY.example.org"
freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, 1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7"
freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "29:AC:A7:3F:AD:4D:C1:29:E6:1D:0B:42:B5:69:2B:0C:B2:1E:EB:16"
freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:C0:24:69:05:3E:2C:E0:26:AD:85:D9:9E:9D:16:B2:E8:4C:62:81:EC\n"
freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7878633"
freeradius | Certificate chain - 1 cert(s) untrusted
freeradius | (TLS) untrusted certificate with depth [1] subject name /DC=org/DC=example/CN=XY Sub CA
freeradius | (TLS) untrusted certificate with depth [0] subject name
freeradius | (10) eap_tls: Verifying client certificate: /usr/bin/openssl verify -crl_check -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}
freeradius | (10) eap_tls: Executing: /usr/bin/openssl verify -crl_check -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}:
freeradius | (10) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
freeradius | (10) eap_tls: --> /tmp/radiusd/radiusd.client.XXXCiG1h
freeradius | (10) eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.XXXCiG1h: OK'
freeradius | (10) eap_tls: Client certificate CN xy Sub CA passed external validation
freeradius | (10) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client certificate
freeradius | (10) eap_tls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
freeradius | (10) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange
freeradius | (10) eap_tls: (TLS) recv TLS 1.2 Handshake, CertificateVerify
freeradius | (10) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read certificate verify
freeradius | (10) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec
freeradius | (10) eap_tls: (TLS) recv TLS 1.2 Handshake, Finished
freeradius | (10) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read finished
freeradius | (10) eap_tls: (TLS) send TLS 1.2 ChangeCipherSpec
freeradius | (10) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec
freeradius | (10) eap_tls: (TLS) send TLS 1.2 Handshake, Finished
freeradius | (10) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write finished
freeradius | (10) eap_tls: (TLS) Handshake state - SSL negotiation finished successfully
freeradius | (10) eap_tls: (TLS) Connection Established
freeradius | (10) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
freeradius | (10) eap_tls: TLS-Session-Version = "TLS 1.2"
freeradius | (10) eap: Sending EAP Request (code 1) ID 249 length 61
freeradius | (10) eap: EAP session adding &reply:State = 0x67e882426d118fb8
freeradius | (10) [eap] = handled
freeradius | (10) } # authenticate = handled
freeradius | (10) Using Post-Auth-Type Challenge
freeradius | (10) # Executing group from file /etc/raddb/sites-enabled/site
freeradius | (10) Challenge { ... } # empty sub-section is ignored
freeradius | (10) session-state: Saving cached attributes
freeradius | (10) Framed-MTU = 1014
freeradius | (10) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
freeradius | (10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
freeradius | (10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
freeradius | (10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
freeradius | (10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
freeradius | (10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
freeradius | (10) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate"
freeradius | (10) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
freeradius | (10) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify"
freeradius | (10) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
freeradius | (10) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
freeradius | (10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
freeradius | (10) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
freeradius | (10) TLS-Session-Version = "TLS 1.2"
freeradius | (10) Sent Access-Challenge Id 135 from 10.0.118.207:1812 to 10.1.100.55:55713 length 119
freeradius | (10) EAP-Message = 0x01f9003d0d80000000331403030001011603030028964829c4b1eb2ba97048870d089503fa0d8020f067c7635c0ab47309d02855de782de2d54f0a70f2
freeradius | (10) Message-Authenticator = 0x00000000000000000000000000000000
freeradius | (10) State = 0x67e882426d118fb8e89303b497b5b384
freeradius | (10) Finished request
freeradius | Waking up in 4.8 seconds.
freeradius | (11) Received Access-Request Id 136 from 10.1.100.55:55713 to 10.0.118.207:1812 length 262
freeradius | (11) User-Name = "host/host1.XY.example.org"
freeradius | (11) NAS-IP-Address = 10.1.100.55
freeradius | (11) NAS-Identifier = "6ad79a35b543"
freeradius | (11) Called-Station-Id = "6A-D7-9A-35-B5-43:XY"
freeradius | (11) NAS-Port-Type = Wireless-802.11
freeradius | (11) Service-Type = Framed-User
freeradius | (11) Calling-Station-Id = "14-5A-FC-11-0C-55"
freeradius | (11) Connect-Info = "CONNECT 0Mbps 802.11a"
freeradius | (11) Acct-Session-Id = "131C98E526D732C9"
freeradius | (11) Acct-Multi-Session-Id = "21DF24B695731162"
freeradius | (11) WLAN-Pairwise-Cipher = 1027076
freeradius | (11) WLAN-Group-Cipher = 1027076
freeradius | (11) WLAN-AKM-Suite = 1027073
freeradius | (11) Framed-MTU = 1400
freeradius | (11) EAP-Message = 0x02f900060d00
freeradius | (11) State = 0x67e882426d118fb8e89303b497b5b384
freeradius | (11) Message-Authenticator = 0xa02414c00b4d2d854c32acaf0176ac3d
freeradius | (11) Restoring &session-state
freeradius | (11) &session-state:Framed-MTU = 1014
freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate"
freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify"
freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
freeradius | (11) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
freeradius | (11) &session-state:TLS-Session-Version = "TLS 1.2"
freeradius | (11) # Executing section authorize from file /etc/raddb/sites-enabled/site
freeradius | (11) authorize {
freeradius | (11) policy filter_username {
freeradius | (11) if (&User-Name) {
freeradius | (11) if (&User-Name) -> TRUE
freeradius | (11) if (&User-Name) {
freeradius | (11) if (&User-Name =~ / /) {
freeradius | (11) if (&User-Name =~ / /) -> FALSE
freeradius | (11) if (&User-Name =~ /@[^@]*@/ ) {
freeradius | (11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
freeradius | (11) if (&User-Name =~ /\.\./ ) {
freeradius | (11) if (&User-Name =~ /\.\./ ) -> FALSE
freeradius | (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
freeradius | (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
freeradius | (11) if (&User-Name =~ /\.$/) {
freeradius | (11) if (&User-Name =~ /\.$/) -> FALSE
freeradius | (11) if (&User-Name =~ /@\./) {
freeradius | (11) if (&User-Name =~ /@\./) -> FALSE
freeradius | (11) } # if (&User-Name) = notfound
freeradius | (11) } # policy filter_username = notfound
freeradius | (11) [preprocess] = ok
freeradius | (11) eap: Peer sent EAP Response (code 2) ID 249 length 6
freeradius | (11) eap: No EAP Start, assuming it's an on-going EAP conversation
freeradius | (11) [eap] = updated
freeradius | (11) [expiration] = noop
freeradius | (11) [logintime] = noop
freeradius | (11) } # authorize = updated
freeradius | (11) Found Auth-Type = eap
freeradius | (11) # Executing group from file /etc/raddb/sites-enabled/site
freeradius | (11) authenticate {
freeradius | (11) eap: Expiring EAP session with state 0x67e882426d118fb8
freeradius | (11) eap: Finished EAP session with state 0x67e882426d118fb8
freeradius | (11) eap: Previous EAP request found for state 0x67e882426d118fb8, released from the list
freeradius | (11) eap: Peer sent packet with method EAP TLS (13)
freeradius | (11) eap: Calling submodule eap_tls to process data
freeradius | (11) eap_tls: (TLS) Peer ACKed our handshake fragment. handshake is finished
freeradius | (11) eap: Sending EAP Success (code 3) ID 249 length 4
freeradius | (11) eap: Freeing handler
freeradius | (11) [eap] = ok
freeradius | (11) } # authenticate = ok
freeradius | (11) # Executing section post-auth from file /etc/raddb/sites-enabled/site
freeradius | (11) post-auth {
freeradius | (11) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
freeradius | (11) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
freeradius | (11) update {
freeradius | (11) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 1014
freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake, ClientHello'
freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHello'
freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Certificate'
freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerKeyExchange'
freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, CertificateRequest'
freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHelloDone'
freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Certificate'
freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, ClientKeyExchange'
freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, CertificateVerify'
freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Finished'
freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 ChangeCipherSpec'
freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Finished'
freeradius | (11) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
freeradius | (11) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
freeradius | (11) } # update = noop
freeradius | (11) [exec] = noop
freeradius | (11) update reply {
freeradius | (11) EXPAND %{TLS-Cert-Serial}
freeradius | (11) --> 1400000002219c173715ec84d9000000000002
freeradius | (11) Reply-Message += 1400000002219c173715ec84d9000000000002
freeradius | (11) EXPAND %{TLS-Cert-Expiration}
freeradius | (11) --> 20511007092213Z
freeradius | (11) Reply-Message += 20511007092213Z
freeradius | (11) EXPAND %{TLS-Cert-Subject}
freeradius | (11) --> /DC=org/DC=example/CN=XY Sub CA
freeradius | (11) Reply-Message += /DC=org/DC=example/CN=XY Sub CA
freeradius | (11) EXPAND %{TLS-Cert-Issuer}
freeradius | (11) --> /C=xxx/ST=xxx/L=xxx/O=xxx/CN=xxx Root CA
freeradius | (11) Reply-Message += /C=xxx/ST=xxx/L=xxx/O=xxx/CN=xxx Root CA
freeradius | (11) EXPAND %{TLS-Cert-Common-Name}
freeradius | (11) --> xy Sub CA
freeradius | (11) Reply-Message += xy Sub CA
freeradius | (11) EXPAND %{TLS-Cert-Subject-Alt-Name-Dns}
freeradius | (11) -->
freeradius | (11) Reply-Message +=
freeradius | (11) EXPAND %{TLS-Client-Cert-Serial}
freeradius | (11) --> 16000028666eef874492e150cd000000002866
freeradius | (11) Reply-Message += 16000028666eef874492e150cd000000002866
freeradius | (11) EXPAND %{TLS-Client-Cert-Expiration}
freeradius | (11) --> 240209105026Z
freeradius | (11) Reply-Message += 240209105026Z
freeradius | (11) EXPAND %{TLS-Client-Cert-Subject}
freeradius | (11) -->
freeradius | (11) Reply-Message +=
freeradius | (11) EXPAND %{TLS-Client-Cert-Issuer}
freeradius | (11) --> /DC=org/DC=example/CN=XY Sub CA
freeradius | (11) Reply-Message += /DC=org/DC=example/CN=XY Sub CA
freeradius | (11) EXPAND %{TLS-Client-Cert-Common-Name}
freeradius | (11) -->
freeradius | (11) Reply-Message +=
freeradius | (11) EXPAND %{TLS-Client-Cert-Subject-Alt-Name-Dns}
freeradius | (11) --> host1.XY.example.org
freeradius | (11) Reply-Message += host1.XY.example.org
freeradius | (11) } # update reply = noop
freeradius | (11) policy remove_reply_message_if_eap {
freeradius | (11) if (&reply:EAP-Message && &reply:Reply-Message) {
freeradius | (11) if (&reply:EAP-Message && &reply:Reply-Message) -> TRUE
freeradius | (11) if (&reply:EAP-Message && &reply:Reply-Message) {
freeradius | (11) update reply {
freeradius | (11) &Reply-Message !* ANY
freeradius | (11) } # update reply = noop
freeradius | (11) } # if (&reply:EAP-Message && &reply:Reply-Message) = noop
freeradius | (11) ... skipping else: Preceding "if" was taken
freeradius | (11) } # policy remove_reply_message_if_eap = noop
freeradius | (11) if (EAP-Key-Name && &reply:EAP-Session-Id) {
freeradius | (11) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE
freeradius | (11) policy debug_session_state {
freeradius | (11) if ("%{debug_attr:session-state:}" == '') {
freeradius | (11) Attributes matching "session-state:"
freeradius | (11) &session-state:Framed-MTU = 1014
freeradius | (11) &session-state:TLS-Session-Information = (TLS) recv TLS 1.3 Handshake, ClientHello
freeradius | (11) &session-state:TLS-Session-Information = (TLS) send TLS 1.2 Handshake, ServerHello
freeradius | (11) &session-state:TLS-Session-Information = (TLS) send TLS 1.2 Handshake, Certificate
freeradius | (11) &session-state:TLS-Session-Information = (TLS) send TLS 1.2 Handshake, ServerKeyExchange
freeradius | (11) &session-state:TLS-Session-Information = (TLS) send TLS 1.2 Handshake, CertificateRequest
freeradius | (11) &session-state:TLS-Session-Information = (TLS) send TLS 1.2 Handshake, ServerHelloDone
freeradius | (11) &session-state:TLS-Session-Information = (TLS) recv TLS 1.2 Handshake, Certificate
freeradius | (11) &session-state:TLS-Session-Information = (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
freeradius | (11) &session-state:TLS-Session-Information = (TLS) recv TLS 1.2 Handshake, CertificateVerify
freeradius | (11) &session-state:TLS-Session-Information = (TLS) recv TLS 1.2 Handshake, Finished
freeradius | (11) &session-state:TLS-Session-Information = (TLS) send TLS 1.2 ChangeCipherSpec
freeradius | (11) &session-state:TLS-Session-Information = (TLS) send TLS 1.2 Handshake, Finished
freeradius | (11) &session-state:TLS-Session-Cipher-Suite = ECDHE-RSA-AES256-GCM-SHA384
freeradius | (11) &session-state:TLS-Session-Version = TLS 1.2
freeradius | (11) EXPAND %{debug_attr:session-state:}
freeradius | (11) -->
freeradius | (11) if ("%{debug_attr:session-state:}" == '') -> TRUE
freeradius | (11) if ("%{debug_attr:session-state:}" == '') {
freeradius | (11) [noop] = noop
freeradius | (11) } # if ("%{debug_attr:session-state:}" == '') = noop
freeradius | (11) } # policy debug_session_state = noop
freeradius | (11) if (TLS-Client-Cert-Issuer == "/DC=org/DC=example/CN=XY Sub CA"){
freeradius | (11) if (TLS-Client-Cert-Issuer == "/DC=org/DC=example/CN=XY Sub CA") -> TRUE
freeradius | (11) if (TLS-Client-Cert-Issuer == "/DC=org/DC=example/CN=XY Sub CA") {
freeradius | (11) if (TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.xy\.example\.org$/i){
freeradius | (11) if (TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.xy\.example\.org$/i) -> TRUE
freeradius | (11) if (TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.xy\.example\.org$/i) {
freeradius | (11) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1028721") {
freeradius | (11) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1028721") -> FALSE
freeradius | (11) elsif (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7878633") {
freeradius | (11) elsif (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7878633") -> FALSE
freeradius | (11) else {
freeradius | (11) update reply {
freeradius | (11) Reply-Message := "Certificate Extended-Key-Usage with wrong or missing Group."
freeradius | (11) Auth-Type := Reject
freeradius | (11) } # update reply = noop
freeradius | (11) [reject] = reject
freeradius | (11) } # else = reject
freeradius | (11) } # if (TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.xy\.example\.org$/i) = reject
freeradius | (11) } # if (TLS-Client-Cert-Issuer == "/DC=org/DC=example/CN=XY Sub CA") = reject
freeradius | (11) } # post-auth = reject
freeradius | (11) Using Post-Auth-Type Reject
freeradius | (11) # Executing group from file /etc/raddb/sites-enabled/site
freeradius | (11) Post-Auth-Type REJECT {
freeradius | (11) attr_filter.access_reject: EXPAND %{User-Name}
freeradius | (11) attr_filter.access_reject: --> host/host1.XY.example.org
freeradius | (11) attr_filter.access_reject: Matched entry DEFAULT at line 11
freeradius | (11) [attr_filter.access_reject] = updated
freeradius | (11) [eap] = noop
freeradius | (11) policy remove_reply_message_if_eap {
freeradius | (11) if (&reply:EAP-Message && &reply:Reply-Message) {
freeradius | (11) if (&reply:EAP-Message && &reply:Reply-Message) -> TRUE
freeradius | (11) if (&reply:EAP-Message && &reply:Reply-Message) {
freeradius | (11) update reply {
freeradius | (11) &Reply-Message !* ANY
freeradius | (11) } # update reply = noop
freeradius | (11) } # if (&reply:EAP-Message && &reply:Reply-Message) = noop
freeradius | (11) ... skipping else: Preceding "if" was taken
freeradius | (11) } # policy remove_reply_message_if_eap = noop
freeradius | (11) } # Post-Auth-Type REJECT = updated
freeradius | (11) Delaying response for 1.000000 seconds
freeradius | Waking up in 0.3 seconds.
freeradius | Waking up in 0.6 seconds.
freeradius | (11) Sending delayed response
freeradius | (11) Sent Access-Reject Id 136 from 10.0.118.207:1812 to 10.1.100.55:55713 length 44
freeradius | (11) EAP-Message = 0x03f90004
freeradius | (11) Message-Authenticator = 0x00000000000000000000000000000000
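The debug output above shows that TLS-Client-Cert-X509v3-Extended-Key-Usage-OID is a multi-valued attribute: the standard clientAuth OID 1.3.6.1.5.5.7.3.2 is added first and the Microsoft application-policy OID second. The following Python model, added here as an illustration and not part of the post or of FreeRADIUS, parses those eap_tls lines from constructed sample log text (values copied from the log above) and re-implements the post-auth policy from the post: issuer check, SAN suffix check, then a group-OID allowlist. The function and variable names are my own. The all_instances switch shows the edge case a multi-valued attribute creates: a comparison that only looks at the first value can never match an OID that sits second in the list.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the eap_tls lines in the debug log above
# (serial, issuer, SAN and the two EKU OIDs are copied from that log).
SAMPLE_LOG = """\
freeradius | (10) eap_tls: TLS-Client-Cert-Serial := "16000028666eef874492e150cd000000002866"
freeradius | (10) eap_tls: TLS-Client-Cert-Issuer := "/DC=org/DC=example/CN=XY Sub CA"
freeradius | (10) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "host1.XY.example.org"
freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7878633"
"""

# One eap_tls attribute line: attribute name, operator (:= or +=), double-quoted value.
ATTR_LINE = re.compile(r'eap_tls: (TLS-Client-Cert-[\w-]+) (?::=|\+=) "([^"]*)"')

# Values the post's post-auth policy compares against (taken from the log).
EXPECTED_ISSUER = "/DC=org/DC=example/CN=XY Sub CA"
SAN_SUFFIX = re.compile(r"\.xy\.example\.org$", re.IGNORECASE)
ALLOWED_GROUP_OIDS = frozenset({
    "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1028721",
    "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7878633",
})
REJECT_MESSAGE = "Certificate Extended-Key-Usage with wrong or missing Group."


def parse_cert_attrs(log_text):
    """Collect TLS-Client-Cert-* attributes from debug output.

    Each '+=' line adds another instance, so a name maps to a list of
    values; the EKU-OID attribute in the sample ends up with two.
    """
    attrs = defaultdict(list)
    for line in log_text.splitlines():
        m = ATTR_LINE.search(line)
        if m:
            attrs[m.group(1)].append(m.group(2))
    return dict(attrs)


def evaluate_policy(attrs, all_instances=True):
    """Model of the post's post-auth checks. Returns (decision, reason).

    'noop' mirrors the post, where a non-matching issuer or SAN simply
    falls through; 'ok' is the matching elsif branch, which does nothing
    further; 'reject' is the else branch.  all_instances=False consults
    only the first EKU-OID value, to show why that can never match a
    group OID listed second.
    """
    if EXPECTED_ISSUER not in attrs.get("TLS-Client-Cert-Issuer", []):
        return ("noop", "issuer is not the expected sub CA; policy does not apply")

    sans = attrs.get("TLS-Client-Cert-Subject-Alt-Name-Dns", [])
    if not any(SAN_SUFFIX.search(san) for san in sans):
        return ("noop", "no SAN dNSName in the expected domain; policy does not apply")

    oids = attrs.get("TLS-Client-Cert-X509v3-Extended-Key-Usage-OID", [])
    candidates = oids if all_instances else oids[:1]
    matched = ALLOWED_GROUP_OIDS.intersection(candidates)
    if matched:
        return ("ok", "matched group OID " + min(matched))
    return ("reject", REJECT_MESSAGE)


if __name__ == "__main__":
    parsed = parse_cert_attrs(SAMPLE_LOG)
    for name, values in parsed.items():
        print(f"{name}: {values}")
    print(evaluate_policy(parsed))                       # ok: second OID matches
    print(evaluate_policy(parsed, all_instances=False))  # reject: only clientAuth seen
```

Two points for anyone adapting this. First, the model keeps the structure of the post's policy, in which a certificate from a different issuer or with an out-of-domain SAN is not rejected but simply skips the EKU check; a deployment that wants the group OID to be mandatory for every client should reject in those branches as well. Second, whichever layer performs the comparison, it has to be run against every instance of the EKU-OID attribute, because the clientAuth OID always occupies the first slot in the log above and the group OID the second.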