On 01/27/2011 06:04 PM, Matt Garretson wrote:
> For years, we've been doing simple EAP-TLS with various versions of
> FreeRADIUS. Now, a new requirement has come down to me such that radius
> will have to reject certain valid client certs based on a string in the
> Subject field of the client cert.
>
> I've met this need (using 2.1.11 from git) with a simple bit of unlang
> in post-auth{}:
>
> if ( "%{TLS-Client-Cert-Subject}" =~ /OU=Evil/ ) {
>     reject
> }
Just put this in the "authorize" section? If it's early in the EAP
conversation, TLS-Client-* won't be set so won't match, meaning this
will succeed as soon as you get that far.
> It works, but there are two non-ideal things about the way it works:
>
> 1) Windows XP doesn't seem to notice the rejection and keeps retrying
> for a minute or two, ultimately failing to show any failure/error
> message to the user.
>
> 2) The rejection is not logged in radiusd.log; rather, three "Auth:
> Login OK" lines are logged (the repetition is due to XP's retries).
>
> Is there any way I can address these two issues? I did try putting the
> above unlang into eap.conf's tls{} section (where check_cert_issuer and
> check_cert_cn would be), in hopes that the rejection would occur during
> the auth rather than after it, but the code doesn't seem to have any
> effect there.
Correct. Unlang is only processed in authorize-like steps, not arbitrary
bits of the config.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html