Hi Tuure,

<snipp/>
my bad, my_tls_verify_error variable is available during the round when EAPTLS_CertificateVerifyFailedHook is run, but as EAP-TLS continues with Radiator sending back TLS alert to the client which will acknowledge it on a next round before Radiator will call AuthLog and return Access-Reject, the variable won't be available anymore to be used by AuthLog.

A correct way would be to use EAPContext which is available during EAP authentication, but currently there's no special variable for accessing it in e.g. AuthLog's SuccessFormat or FailureFormat.
However, LogFormatHook can access it through $p so using the hook for forming a log entry can be used as a workaround.

I'll create a feature request for special variables for accessing EAP context and resume context.

thanks.

That works perfectly.

We use the following EAPTLS_CertificateVerifyFailedHook to guard against any failure in CRL generation or CRL expiry causing authentication to fail:

        sub {
            my $verify_error = $_[0];
            my $p = $_[5];

            # log the OpenSSL verification error as text
            my $verify_error_text = Radius::TLS::verify_error_string($verify_error);
            &main::log($main::LOG_DEBUG, "EAPTLS_CertificateVerifyFailedHook: verify_error: $verify_error_text");

            # return success on specific CRL-related verification errors:
            #  3   => 'unable to get certificate CRL',
            #  5   => 'unable to decrypt CRL\'s signature',
            #  8   => 'CRL signature failure',
            #  11  => 'CRL is not yet valid',
            #  12  => 'CRL has expired',
            #  15  => 'format error in CRL\'s lastUpdate field',
            #  16  => 'format error in CRL\'s nextUpdate field',
            #  36  => 'unhandled critical CRL extension',
            #  44  => 'different CRL scope',
            #  54  => 'CRL path validation error',
            # Note: tolerating these means a missing or broken CRL does not
            # block authentication, i.e. revocation is not enforced in that case.

            # check if the error code is in the ignore list via a hash lookup
            # (avoids the experimental Perl ~~ smart match operator)
            my %crl_check_ignore = map { $_ => 1 } ( 3, 5, 8, 11, 12, 15, 16, 36, 44, 54 );
            my $ignore = exists $crl_check_ignore{$verify_error};

            $verify_error_text .= ". Continuing without CRL check." if $ignore;

            # save verify error text in the EAP context for auth logging;
            # EAPContext survives until AuthLog runs, unlike the request packet
            $p->{EAPContext}->{my_tls_verify_error} = $verify_error_text;

            # ignore listed CRL errors (0 = success), otherwise pass through original error
            return $ignore ? 0 : $verify_error;
        }

We then use the following in the AuthLog LogFormatHook to log the reason:

        $p->{EAPContext}->{my_tls_verify_error}

The above also allows us to have a CRL for some CAs and no CRL for others.

Very nice, and thank you very much

Greetings
Christian

--
Christian Kratzer                   CK Software GmbH
Email:   c...@cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/
_______________________________________________
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator