Re: Config for TLS, TTLS and PEAP and subject validation
Hi Alan

On 11.08.11 23:13, Alan DeKok wrote:
> The TLS-Client-Cert-Subject is empty. You will need to check for
> EAP-TLS:
>
>   if ((EAP-Type == EAP-TLS) && \
>       (%{TLS-Client-Cert-Subject} !~ /\/O=MyCompany\//)) {
>   ...

Thank you very much. This works great.

Regards,
Daniel

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Config for TLS, TTLS and PEAP and subject validation
Hi

I currently run FreeRADIUS 2.1.6 and have a working configuration for
EAP-TTLS and PEAP that is used for a WPA2 network. In addition to that, I
would like to allow our users to use their user certificate from a public
issuer to connect using EAP-TLS. This means that I have to check if the
subject contains our organisation.

I read in previous threads about checking the subject in the authenticate
section:

  authenticate {
      Auth-Type eap {
          eap
          if (!%{TLS-Client-Cert-Subject} =~ /\/O=MyCompany\// ) {
              reject
          }
      }
  }

I have two questions about that:

- This would belong in the outer request as there is no inner request
  with EAP-TLS, right?
- What happens to requests that don't provide a client certificate (the
  users who still use EAP-TTLS or PEAP)?

In conclusion, is there a way to distinguish between EAP-TLS requests and
EAP-TTLS or PEAP requests? And if so, can I use a different server
section for EAP-TLS?

Thanks for help.

Best regards,
Daniel
Re: Config for TLS, TTLS and PEAP and subject validation
Daniel Bertolo wrote:
> I currently run FreeRADIUS 2.1.6
...
>   authenticate {
>       Auth-Type eap {
>           eap
>           if (!%{TLS-Client-Cert-Subject} =~ /\/O=MyCompany\// ) {

  That won't work in 2.1.6. You need at least 2.1.10.

> - This would belong in the outer request as there is no inner request
>   with EAP-TLS, right?

  Yes.

> - What happens to requests that don't provide a client certificate (the
>   users who still use EAP-TTLS or PEAP)?

  The TLS-Client-Cert-Subject is empty. You will need to check for
EAP-TLS:

  if ((EAP-Type == EAP-TLS) && \
      (%{TLS-Client-Cert-Subject} !~ /\/O=MyCompany\//)) {
  ...

> In conclusion, is there a way to distinguish between EAP-TLS requests and
> EAP-TTLS or PEAP requests? And if so, can I use a different server
> section for EAP-TLS?

  Yes, and no.

  Alan DeKok.
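The check Alan describes, written out as a complete authenticate section for the outer virtual server. This is an added example, not configuration from the thread or from the FreeRADIUS distribution. It assumes FreeRADIUS 2.1.10 or later (where the unlang condition on TLS-Client-Cert-Subject works), that `MyCompany` is a placeholder for the O= value your public issuer puts in users' certificate subjects, and that EAP-TTLS and PEAP continue to be handled through the inner-tunnel virtual server as in the default configuration.

```unlang
# Added example (not from the thread): authenticate section of the
# outer virtual server (e.g. sites-enabled/default) for FreeRADIUS
# 2.1.10 or later. "MyCompany" is a placeholder for the O= value of
# the subject DN that your public issuer puts in users' certificates.
authenticate {
    Auth-Type eap {
        # Run the EAP module first. For EAP-TLS it drives the TLS
        # handshake and, once the client certificate has been
        # verified against CA_file in the tls section of eap.conf,
        # exposes its subject DN as TLS-Client-Cert-Subject in
        # OpenSSL one-line form, e.g. "/C=CH/O=MyCompany/CN=daniel".
        eap

        # For EAP-TTLS and PEAP no client certificate is presented,
        # so TLS-Client-Cert-Subject is empty; gating on EAP-Type
        # keeps those users on their existing password-based path.
        # EAP-TLS users whose subject does not carry /O=MyCompany/
        # are refused, so a certificate from the same public issuer
        # but for a different organisation is not enough to join.
        if ((EAP-Type == EAP-TLS) && \
            (%{TLS-Client-Cert-Subject} !~ /\/O=MyCompany\//)) {
            reject
        }
    }
}
```

The regex is a substring match on the one-line DN, so the surrounding `\/` are what stop `O=MyCompanyX` or `OU=MyCompany` from matching; they also mean the O= RDN must be followed by another RDN, which is worth checking against the DN layout your issuer actually uses. Because the issuer is public, the O= check is the only thing tying a certificate to your organisation, so enable revocation checking (`check_crl` in the tls section of eap.conf) as well, so that a revoked user certificate is refused during the handshake before this section is reached.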