RE: [EAP/TLS] Authentication through a certificate
I began setting up the configuration, but I've got two problems: a client with a good certificate can be authenticated even if they're not in the users file. I assume it's due to my code. Here is what is under the authenticate section of default:

    Auth-Type eap {
        eap
        if ( %{TLS-Client-Cert-Subject} =~ /\/\// ) {
            if ( %{TLS-Client-Cert-Subject} =~ /\/xxx\// ) {
                ok
            } else {
                fail
            }
        }
    }

It's like when the condition is checked, it bypasses the users file. Maybe I must move these lines under authorize? Anyone to confirm it?

Cheers

> Date: Mon, 4 Feb 2013 10:32:22 -0500
> From: al...@deployingradius.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: [EAP/TLS] Authentication through a certificate
>
> vazoumana fofana wrote:
> > I've got a question about EAP/TLS and authentication for a client through a certificate. I succeeded in setting it up. But I notice that freeradius matches the client login with the certificate CNAME. Is it possible to change it in order to match email instead of CNAME?
>
> Yes. Read the eap.conf file, and the raddb/sites-available/default. This is documented.
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [EAP/TLS] Authentication through a certificate
As already said, post output of radiusd -X (that will clearly show the logic taken)

alan
RE: [EAP/TLS] Authentication through a certificate
Here is the output:

    Evaluating (%{TLS-Client-Cert-Subject} =~//) - TRUE
    ++? if (%{TLS-Client-Cert-Subject} =~ /\/xx\// ) - TRUE
    ++- entering if (%{TLS-Client-Cert-Subject} =~ /\/O=\// ) {...}
    +++? if (%{TLS-Client-Cert-Subject} =~ /\/OU=\// )
        expand: %{TLS-Client-Cert-Subject} - /
    ? Evaluating (%{TLS-Client-Cert-Subject} =~ /\/xxx\//) - TRUE
    +++? if (%{TLS-Client-Cert-Subject} =~ /\/x\// ) - TRUE
    +++- entering if (%{TLS-Client-Cert-Subject} =~ /\/xx\// ) {...}
    [noop] returns noop
    +++- if (%{TLS-Client-Cert-Subject} =~ /\/xxx\// ) returns noop
    +++ ... skipping else for request 21: Preceding if was taken
    ++- if (%{TLS-Client-Cert-Subject} =~ /\/xx\// ) returns noop
    Login OK: [xx] (from client xxx

I understand that eap returns ok, so the user is authenticated. It's not what I want to do. I want the client certificate to be authenticated by:
- being in the users file
- having the right certificate

> From: a.l.m.bu...@lboro.ac.uk
> To: zoumlan...@hotmail.com; freeradius-users@lists.freeradius.org
> Subject: Re: [EAP/TLS] Authentication through a certificate
> Date: Fri, 8 Feb 2013 16:20:20 +
>
> As already said, post output of radiusd -X (that will clearly show the logic taken)
>
> alan
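Added example, not configuration posted by anyone in this thread, showing one way to enforce the two conditions listed in the message above (user present in the users file, certificate with the expected subject) in FreeRADIUS 2.x, and the e-mail-instead-of-CN match asked about in the first message. The file layout is the stock raddb one; "Example-Org" stands in for the O= value the poster redacted as xxx, and the TLS-Client-Cert-Subject-Alt-Name-Email attribute name and the check_cert_cn / virtual_server options are assumed to exist in the poster's 2.x release rather than taken from the thread.

```unlang
# Added example (not configuration from any message in this thread), for
# FreeRADIUS 2.x. Enforces:
#   1. the outer User-Name must have an entry in raddb/users, and
#   2. the client certificate must carry the expected subject (and, for the
#      first question in the thread, an e-mail matching the login).
# "Example-Org" is a PLACEHOLDER for the redacted O= value.

# --- raddb/sites-available/default: authorize -----------------------------
# rlm_files returns "notfound" for a User-Name with no entry; it never rejects
# on its own, which is why a good certificate alone was enough. eap does not
# short-circuit authorize on the EAP-Identity round, so files runs there and an
# unknown user receives an Access-Reject before the TLS handshake starts.
authorize {
    preprocess
    eap {
        ok = return
    }
    files
    if (notfound) {
        reject
    }
}

# --- raddb/sites-available/default: authenticate --------------------------
# Nothing but eap here. An unconditional "ok" after eap, as in the posted
# snippet, accepts the request no matter what authorize found.
authenticate {
    Auth-Type EAP {
        eap
    }
}

# --- raddb/sites-available/default: post-auth -----------------------------
# The poster's debug shows TLS-Client-Cert-Subject expanding once eap has
# returned "ok", so the same attributes can be tested here; "reject" in
# post-auth turns the Access-Accept into an Access-Reject.
post-auth {
    # Certificate must come from the expected organisation (PLACEHOLDER value).
    if (!("%{TLS-Client-Cert-Subject}" =~ /\/O=Example-Org\//)) {
        reject
    }

    # Match the login against the certificate e-mail instead of the CN.
    # The attribute name is assumed to exist in this version's internal
    # dictionary; an absent attribute expands to "" and so fails closed.
    if ("%{TLS-Client-Cert-Subject-Alt-Name-Email}" != "%{User-Name}") {
        reject
    }
}

# --- raddb/eap.conf, inside eap { tls { ... } } (comments only) -----------
# Two related options eap.conf documents, both assumed present in the poster's
# 2.x release:
#   check_cert_cn = %{User-Name}     # the CN-to-login match the thread starts
#                                    # from; drop it when matching on e-mail
#   virtual_server = check-eap-tls   # run a policy (such as the O= test above)
#                                    # while the chain is verified, so a reject
#                                    # aborts the handshake instead of waiting
#                                    # for post-auth
```

The point of the split is ordering: the users-file check rejects before any TLS state exists, and the certificate tests run only after eap has populated the TLS-Client-Cert-* attributes, so neither check can be bypassed by the other succeeding.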
Re: [EAP/TLS] Authentication through a certificate
vazoumana fofana wrote:
> I've got a question about EAP/TLS and authentication for a client through a certificate. I succeeded in setting it up. But I notice that freeradius matches the client login with the certificate CNAME. Is it possible to change it in order to match email instead of CNAME?

Yes. Read the eap.conf file, and the raddb/sites-available/default. This is documented.

Alan DeKok.