Re: Config for TLS, TTLS and PEAP and subject validation

2011-08-12 Thread Daniel Bertolo
Hi Alan

On 11.08.11 23:13, Alan DeKok wrote:
   The TLS-Client-Cert-Subject is empty.  You will need to check for EAP-TLS:
 
   if ((EAP-Type == EAP-TLS) && \
       (%{TLS-Client-Cert-Subject} !~ /\/O=MyCompany\//)) {
   ...

Thank you very much. This works great.

Regards,
Daniel
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Config for TLS, TTLS and PEAP and subject validation

2011-08-11 Thread Daniel Bertolo
Hi

I currently run FreeRADIUS 2.1.6 and have a working configuration for
EAP-TTLS and PEAP that is used for a WPA2 network. In addition to that,
I would like to allow our users to use their user certificate from a
public issuer to connect using EAP-TLS. This means that I have to check
if the subject contains our organisation. I read in previous threads
about checking the subject in the authenticate section:

authenticate {
Auth-Type eap {
eap
if (!%{TLS-Client-Cert-Subject} =~ /\/O=MyCompany\// ) {
reject
}
}
}

I have two questions about that:

- This would belong in the outer request as there is no inner request
with EAP-TLS, right?

- What happens to requests that don't provide a client certificate (the
users who still use EAP-TTLS or PEAP)?

In conclusion, is there a way to distinguish between EAP-TLS requests
and EAP-TTLS or PEAP requests? And if so, can I use a different server
section for EAP-TLS?

Thanks for your help.

Best regards,
Daniel


Re: Config for TLS, TTLS and PEAP and subject validation

2011-08-11 Thread Alan DeKok
Daniel Bertolo wrote:

 I currently run FreeRADIUS 2.1.6
...
 authenticate {
 Auth-Type eap {
 eap
 if (!%{TLS-Client-Cert-Subject} =~ /\/O=MyCompany\// ) {

  That won't work in 2.1.6.  You need at least 2.1.10.

 - This would belong in the outer request as there is no inner request
 with EAP-TLS, right?

  Yes.

 - What happens to requests that don't provide a client certificate (the
 users who still use EAP-TTLS or PEAP)?

  The TLS-Client-Cert-Subject is empty.  You will need to check for EAP-TLS:

if ((EAP-Type == EAP-TLS) && \
    (%{TLS-Client-Cert-Subject} !~ /\/O=MyCompany\//)) {
...

 In conclusion, is there a way to distinguish between EAP-TLS requests
 and EAP-TTLS or PEAP requests? And if so, can I use a different server
 section for EAP-TLS?

  Yes, and no.

  Alan DeKok.
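The following is an added illustration, not code from the thread or from FreeRADIUS. It models the two unlang conditions discussed above in Python (the unguarded regex from the question and the EAP-Type-guarded one from Alan's reply) and runs them over a handful of constructed requests, so the effect on PEAP/EAP-TTLS users and on certificates whose O= field is close to, but not exactly, "MyCompany" can be seen directly. It assumes what unlang does in practice: `%{TLS-Client-Cert-Subject}` expands to an empty string when the request carries no client certificate, and the subject is the slash-separated DN string shown in the thread.

```python
import re

# Pattern taken from the thread. FreeRADIUS 2.x stores the client certificate
# subject as a slash-separated DN such as "/C=CH/O=MyCompany/CN=daniel", so
# "/O=MyCompany/" matches only when the O= RDN is exactly "MyCompany".
ORG_RDN = re.compile(r"/O=MyCompany/")


def original_check(eap_type, tls_client_cert_subject):
    """The check as first posted: no EAP-Type guard, eap_type is ignored.

    Assumption (matches unlang behaviour): a missing TLS-Client-Cert-Subject
    expands to "", so PEAP and EAP-TTLS requests fail the regex as well.
    Returns "reject" or "continue".
    """
    subject = tls_client_cert_subject or ""
    if not ORG_RDN.search(subject):
        return "reject"
    return "continue"


def guarded_check(eap_type, tls_client_cert_subject):
    """The check from Alan's reply: only EAP-TLS requests must present a
    subject containing /O=MyCompany/; other EAP types pass through."""
    subject = tls_client_cert_subject or ""
    if eap_type == "EAP-TLS" and not ORG_RDN.search(subject):
        return "reject"
    return "continue"


# Constructed sample requests (not captured traffic):
# name -> (EAP-Type, TLS-Client-Cert-Subject or None when no certificate).
SAMPLE_REQUESTS = {
    "peap-user": ("PEAP", None),
    "ttls-user": ("EAP-TTLS", None),
    "tls-own-org": ("EAP-TLS", "/C=CH/O=MyCompany/CN=daniel"),
    "tls-other-org": ("EAP-TLS", "/C=CH/O=OtherCompany/CN=someone"),
    "tls-org-prefix": ("EAP-TLS", "/C=CH/O=MyCompany Ltd/CN=someone"),
    "tls-lowercase": ("EAP-TLS", "/C=CH/O=mycompany/CN=someone"),
    "tls-no-cert": ("EAP-TLS", None),
}


def evaluate(check, requests=SAMPLE_REQUESTS):
    """Apply one check function to every sample; returns {name: decision}."""
    return {name: check(eap_type, subject)
            for name, (eap_type, subject) in requests.items()}


def wrongly_rejected():
    """Names of requests the unguarded check rejects although they never
    present a certificate, i.e. exactly the PEAP/EAP-TTLS users from the
    question. Returns a sorted list."""
    before = evaluate(original_check)
    after = evaluate(guarded_check)
    return sorted(n for n in before
                  if before[n] == "reject" and after[n] == "continue")


if __name__ == "__main__":
    for name, decision in evaluate(guarded_check).items():
        print(f"{name:16s} -> {decision}")
    print("rejected only by the unguarded check:", wrongly_rejected())
```

Two things worth noting from the samples: the pattern is an exact, case-sensitive match on the O= RDN (so "MyCompany Ltd" or "mycompany" is rejected, which is usually what you want), and the check only proves that the issuing CA put "MyCompany" into the certificate. With certificates from a public issuer that guarantee is only as strong as that CA's vetting, so the subject check belongs alongside a deliberately short trusted CA list (`CA_file`/`CA_path` in the `tls` section of eap.conf), not instead of one.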