How to check the Extended Key Usage in freeradius?
Dentzer, Daniel
Dentzer at cpa.de
Wed Mar 1 06:29:11 UTC 2023
OK, for all interested, I solved it this way:
In the post-auth section:

    # Copy every EKU OID from the request into session-state so it is
    # still available in the later packets of the same EAP session.
    if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID) {
        foreach &TLS-Client-Cert-X509v3-Extended-Key-Usage-OID {
            update session-state {
                &TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "%{Foreach-Variable-0}"
            }
        }
    }

And for the check something like:

    # [*] matches if any of the stored OIDs equals the given value.
    if (&session-state:TLS-Client-Cert-X509v3-Extended-Key-Usage-OID[*] == "1.3.6.1.4.1.....") {
        ...
    }
This way I can use different types of certificates (automatically distributed by a Windows CA depending on AD groups) for different groups of computers. We're able to authenticate the computers (actually only wifi) and assign VLANs depending on AD groups.
Kind regards
Daniel Dentzer
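As an added example that is not part of the thread, a fuller FreeRADIUS v3 unlang post-auth policy along the lines of the approach above: it copies the EKU OIDs into session-state and then maps certificate-template OIDs to VLANs. The template OIDs and VLAN IDs are constructed placeholders; 1.3.6.1.5.5.7.3.2 is the standard clientAuth EKU seen in the debug log.

```unlang
# Added example, not the poster's configuration. FreeRADIUS v3 unlang.
# Template OIDs and VLAN IDs below are constructed placeholders.
post-auth {
    # The EKU OIDs only exist in the request of the packet that carried the
    # client certificate, so copy them into session-state, which the server
    # restores on every later packet of the same EAP session.
    if (&TLS-Client-Cert-X509v3-Extended-Key-Usage-OID) {
        foreach &TLS-Client-Cert-X509v3-Extended-Key-Usage-OID {
            update session-state {
                &TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "%{Foreach-Variable-0}"
            }
        }
    }

    # Earlier handshake packets have nothing in session-state yet and fall
    # through untouched; the mapping runs once the OIDs are known.
    if (&session-state:TLS-Client-Cert-X509v3-Extended-Key-Usage-OID) {
        # Every certificate accepted here must at least carry clientAuth.
        if (!(&session-state:TLS-Client-Cert-X509v3-Extended-Key-Usage-OID[*] == "1.3.6.1.5.5.7.3.2")) {
            reject
        }
        # Placeholder template OID of the "workstations" AD group -> VLAN 100
        elsif (&session-state:TLS-Client-Cert-X509v3-Extended-Key-Usage-OID[*] == "1.3.6.1.4.1.311.21.8.PLACEHOLDER-WORKSTATIONS") {
            update reply {
                &Tunnel-Type := VLAN
                &Tunnel-Medium-Type := IEEE-802
                &Tunnel-Private-Group-Id := "100"
            }
        }
        # Placeholder template OID of the "servers" AD group -> VLAN 200
        elsif (&session-state:TLS-Client-Cert-X509v3-Extended-Key-Usage-OID[*] == "1.3.6.1.4.1.311.21.8.PLACEHOLDER-SERVERS") {
            update reply {
                &Tunnel-Type := VLAN
                &Tunnel-Medium-Type := IEEE-802
                &Tunnel-Private-Group-Id := "200"
            }
        }
        # A valid client certificate from a template we do not map: deny,
        # rather than silently placing the client in the default VLAN.
        else {
            reject
        }
    }
}
```

Run the server in debug mode (radiusd -X) and confirm that the TLS-Client-Cert-X509v3-Extended-Key-Usage-OID lines appear before the mapping fires; the OID values for your own templates are those the debug log prints.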
-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+dentzer=cpa.de at lists.freeradius.org> On Behalf Of Alan DeKok
Sent: Monday, 27 February 2023 19:34
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: How to check the Extended Key Usage in freeradius?
On Feb 27, 2023, at 4:18 AM, Dentzer, Daniel <Dentzer at cpa.de> wrote:
> It seems that this doesn't work for me.
Read the debug log. If there's an extended key usage OID, it will show up as TLS-Client-Cert-X509v3-Extended-Key-Usage-OID.
If there's no extended key usage OID, then it won't show up.
> In the session-state is only TLS-Session-Information, TLS-Session-Cipher-Suite, TLS-Session-Version.
> But it seems I can work directly with TLS-Client-Cert-Issuer and TLS-Client-Cert-Subject-Alt-Name-Dns, but not with TLS-Client-Cert-X509v3-Extended-Key-Usage-OID.
Does it exist?
Does it show up in the debug log?
The debug log shows every TLS related attribute it creates.
> Is there a way to get TLS-Client-Cert-X509v3-Extended-Key-Usage-OID
> - in the session-state
Does it exist?
> (see below ' (11) policy debug_session_state {')
> Or
> - like TLS-Client-Cert-Issuer to use it directly
Does TLS-Client-Cert-Issuer exist?
> ...
> freeradius | (10) eap_tls: (TLS) Creating attributes from server certificate
> freeradius | (10) eap_tls: TLS-Cert-Serial := "1400000002219c173715ec84d9000000000002"
> freeradius | (10) eap_tls: TLS-Cert-Expiration := "20511007092213Z"
> freeradius | (10) eap_tls: TLS-Cert-Valid-Since := "211007115340Z"
> freeradius | (10) eap_tls: TLS-Cert-Subject := "/DC=org/DC=example/CN=XY Sub CA"
> freeradius | (10) eap_tls: TLS-Cert-Issuer := "/C=xxx/ST=xxx/L=xxx/O=xxx/CN=XY Root CA"
> freeradius | (10) eap_tls: TLS-Cert-Common-Name := "XY Sub CA"
> freeradius | (10) eap_tls: (TLS) Creating attributes from client certificate
> freeradius | (10) eap_tls: TLS-Client-Cert-Serial := "16000028666eef874492e150cd000000002866"
> freeradius | (10) eap_tls: TLS-Client-Cert-Expiration := "240209105026Z"
> freeradius | (10) eap_tls: TLS-Client-Cert-Valid-Since := "230209105026Z"
> freeradius | (10) eap_tls: TLS-Client-Cert-Issuer := "/DC=org/DC=example/CN=XY Sub CA"
> freeradius | (10) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "host1.XY.example.org"
> freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, 1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7"
> freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "29:AC:A7:3F:AD:4D:C1:29:E6:1D:0B:42:B5:69:2B:0C:B2:1E:EB:16"
> freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:C0:24:69:05:3E:2C:E0:26:AD:85:D9:9E:9D:16:B2:E8:4C:62:81:EC\n"
> freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
> freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7878633"
OK, that's good. For the initial creation, those attributes are in the request. For subsequent packets, they should be in the session-state list.
> ...
> freeradius | (11) Restoring &session-state
> freeradius | (11) &session-state:Framed-MTU = 1014
> freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
> freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
> freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
> freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
> freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
> freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
> freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate"
> freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
> freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify"
> freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
> freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
> freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
> freeradius | (11) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
> freeradius | (11) &session-state:TLS-Session-Version = "TLS 1.2"
Hmm... you can always copy the attributes to the session-state list, where they will automatically be stored and restored.
I'll have to check what's going on behind the scenes. It's been a while since I used v3 like this.
Alan DeKok.
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html