How to check the Extended Key Usage in freeradius?

Dentzer, Daniel Dentzer at cpa.de
Wed Mar 1 06:29:11 UTC 2023


OK, for all interested, I solved it this way:

In the post-auth section:
# Copy every EKU OID from the client certificate into session-state,
# so it is restored on every later packet of this EAP session
if (&TLS-Client-Cert-X509v3-Extended-Key-Usage-OID) {
	foreach &TLS-Client-Cert-X509v3-Extended-Key-Usage-OID {
		update session-state {
			&TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "%{Foreach-Variable-0}"
		}
	}
}

And for the check, something like:
# "[*] == x" is true if any of the stored OIDs equals x
if (&session-state:TLS-Client-Cert-X509v3-Extended-Key-Usage-OID[*] == "1.3.6.1.4.1.....") {
	...
}

This way I can use different types of certificates (automatically distributed by a windows CA depending on AD-groups) for different groups of computers. We're able to authenticate the computers (actually only wifi) and assign VLANs depending on AD-Groups.

Kind regards

Daniel Dentzer
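As an added example, not code from the original post, the following post-auth section puts the two fragments above together for FreeRADIUS 3.x: it stashes the EKU OIDs (and the issuer) in session-state, then maps the Microsoft certificate-template OID to a VLAN via RFC 3580 Tunnel-* reply attributes. The issuer DN and the first template OID are the values that appear in the debug log quoted further down in this thread; the second template OID, the VLAN ids and the group names are placeholders, and the NAS is assumed to honour Tunnel-* attributes in the Access-Accept.

```unlang
# Added example (not from the original post). post-auth section of a
# FreeRADIUS 3.x virtual server, e.g. sites-enabled/default.
post-auth {
	# 1. TLS-Client-Cert-* attributes only exist in the request on the
	#    packet that carried the client certificate. Copy the EKU OIDs
	#    into session-state so they survive the remaining EAP round-trips.
	if (&TLS-Client-Cert-X509v3-Extended-Key-Usage-OID) {
		foreach &TLS-Client-Cert-X509v3-Extended-Key-Usage-OID {
			update session-state {
				&TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "%{Foreach-Variable-0}"
			}
		}
		# Pin the issuer as well: a template OID is only meaningful when
		# the certificate came from the CA that issues those templates,
		# not from any other CA in the trusted bundle.
		update session-state {
			&TLS-Client-Cert-Issuer := "%{TLS-Client-Cert-Issuer}"
		}
	}

	# 2. Map the template OID (enterprise OID under 1.3.6.1.4.1.311.21.8)
	#    to a VLAN. Only runs once the certificate has been seen.
	#    The generic clientAuth OID 1.3.6.1.5.5.7.3.2 is deliberately not
	#    used as a group marker: every client certificate carries it.
	if (&session-state:TLS-Client-Cert-Issuer) {
		if (&session-state:TLS-Client-Cert-Issuer != "/DC=org/DC=example/CN=XY Sub CA") {
			# Issuer DN taken from the debug log in this thread
			reject
		}
		elsif (&session-state:TLS-Client-Cert-X509v3-Extended-Key-Usage-OID[*] == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7878633") {
			# Template OID seen in the debug log: placeholder group "Workstations"
			update reply {
				&Tunnel-Type := VLAN
				&Tunnel-Medium-Type := IEEE-802
				&Tunnel-Private-Group-Id := "100"	# placeholder VLAN id
			}
		}
		elsif (&session-state:TLS-Client-Cert-X509v3-Extended-Key-Usage-OID[*] == "1.3.6.1.4.1.311.21.8.REPLACE-WITH-SECOND-TEMPLATE-OID") {
			# Placeholder: second template, e.g. group "Servers"
			update reply {
				&Tunnel-Type := VLAN
				&Tunnel-Medium-Type := IEEE-802
				&Tunnel-Private-Group-Id := "200"	# placeholder VLAN id
			}
		}
		else {
			# Right CA, but no known template OID: do not fall through to
			# a default VLAN silently.
			reject
		}
	}
}
```

Check the result in `radiusd -X`: the `&session-state:TLS-Client-Cert-X509v3-Extended-Key-Usage-OID` values should be listed under "Restoring &session-state" on the packets after the certificate, and the final Access-Accept should carry the three Tunnel-* attributes. Rejecting unknown templates explicitly is what makes the VLAN mapping a real access decision rather than a convenience: a machine holding a valid certificate from an unexpected template gets no network instead of a default one.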

-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+dentzer=cpa.de at lists.freeradius.org> On Behalf Of Alan DeKok
Sent: Monday, 27 February 2023 19:34
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: How to check the Extended Key Usage in freeradius?

On Feb 27, 2023, at 4:18 AM, Dentzer, Daniel <Dentzer at cpa.de> wrote:
> It seems that this doesn't work for me. 

   Read the debug log.  If there's an extended key usage OID, it will show up as TLS-Client-Cert-X509v3-Extended-Key-Usage-OID.

  If there's no extended key usage OID, then it won't show up.

> In the session-state is only TLS-Session-Information, TLS-Session-Cipher-Suite, TLS-Session-Version.
> But it seems I can work directly with TLS-Client-Cert-Issuer and TLS-Client-Cert-Subject-Alt-Name-Dns, but not with TLS-Client-Cert-X509v3-Extended-Key-Usage-OID.

  Does it exist?

  Does it show up in the debug log?

  The debug log shows every TLS related attribute it creates.

> Is there a way to get TLS-Client-Cert-X509v3-Extended-Key-Usage-OID 
> - in the session-state

  Does it exist?

>  (see below ' (11)     policy debug_session_state {')
> Or
> - like TLS-Client-Cert-Issuer to use it directly

  Does TLS-Client-Cert-Issuer exist?

> ...
> freeradius | (10) eap_tls: (TLS) Creating attributes from server certificate
> freeradius | (10) eap_tls:   TLS-Cert-Serial := "1400000002219c173715ec84d9000000000002"
> freeradius | (10) eap_tls:   TLS-Cert-Expiration := "20511007092213Z"
> freeradius | (10) eap_tls:   TLS-Cert-Valid-Since := "211007115340Z"
> freeradius | (10) eap_tls:   TLS-Cert-Subject := "/DC=org/DC=example/CN=XY Sub CA"
> freeradius | (10) eap_tls:   TLS-Cert-Issuer := "/C=xxx/ST=xxx/L=xxx/O=xxx/CN=XY Root CA"
> freeradius | (10) eap_tls:   TLS-Cert-Common-Name := "XY Sub CA"
> freeradius | (10) eap_tls: (TLS) Creating attributes from client certificate
> freeradius | (10) eap_tls:   TLS-Client-Cert-Serial := "16000028666eef874492e150cd000000002866"
> freeradius | (10) eap_tls:   TLS-Client-Cert-Expiration := "240209105026Z"
> freeradius | (10) eap_tls:   TLS-Client-Cert-Valid-Since := "230209105026Z"
> freeradius | (10) eap_tls:   TLS-Client-Cert-Issuer := "/DC=org/DC=example/CN=XY Sub CA"
> freeradius | (10) eap_tls:   TLS-Client-Cert-Subject-Alt-Name-Dns := "host1.XY.example.org"
> freeradius | (10) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, 1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7"
> freeradius | (10) eap_tls:   TLS-Client-Cert-X509v3-Subject-Key-Identifier += "29:AC:A7:3F:AD:4D:C1:29:E6:1D:0B:42:B5:69:2B:0C:B2:1E:EB:16"
> freeradius | (10) eap_tls:   TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:C0:24:69:05:3E:2C:E0:26:AD:85:D9:9E:9D:16:B2:E8:4C:62:81:EC\n"
> freeradius | (10) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
> freeradius | (10) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7878633"

  OK, that's good.  For the initial creation, those attributes are in the request.  For subsequent packets, they should be in the session-state list.

> ...
> freeradius | (11) Restoring &session-state
> freeradius | (11)   &session-state:Framed-MTU = 1014
> freeradius | (11)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
> freeradius | (11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
> freeradius | (11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
> freeradius | (11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
> freeradius | (11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
> freeradius | (11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
> freeradius | (11)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate"
> freeradius | (11)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
> freeradius | (11)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify"
> freeradius | (11)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
> freeradius | (11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
> freeradius | (11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
> freeradius | (11)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
> freeradius | (11)   &session-state:TLS-Session-Version = "TLS 1.2"

  Hmm... you can always copy the attributes to the session-state list, where they will automatically be stored and restored.

  I'll have to check what's going on behind the scenes.  It's been a while since I used v3 like this.

  Alan DeKok.
