RE: [EAP/TLS] Authenfication through a certificate

2013-02-08 Thread vazoumana fofana

I began setting up the configuration, but I got two problems:

Clients with a good certificate can be authenticated even if they're not in the
users file.
I assume it's due to my code. Here is what is under the authenticate section of default:

Auth-Type eap {
    eap
    if ( %{TLS-Client-Cert-Subject} =~ /\/\// ) {
        if ( %{TLS-Client-Cert-Subject} =~ /\/xxx\// ) {
            ok
        }
        else {
            fail
        }
    }
}

It's like when the condition is checked, it bypasses the users file.

Maybe I must move these lines under authorize?
Can anyone confirm it?

cheers
 

 Date: Mon, 4 Feb 2013 10:32:22 -0500
 From: al...@deployingradius.com
 To: freeradius-users@lists.freeradius.org
 Subject: Re: [EAP/TLS] Authenfication through a certificate
 
 vazoumana fofana wrote:
  I've got a question about EAP/TLS and authentication for a client
  through a certificate.
  I succeeded in setting it up. But I notice that freeradius matches the client
  login with the certificate CNAME.
  Is it possible to change it in order to match the email instead of CNAME?
 
   Yes.
 
   Read the eap.conf file, and the raddb/sites-available/default.  This
 is documented.
 
   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [EAP/TLS] Authenfication through a certificate

2013-02-08 Thread Alan Buxey
As already said, post output of radiusd -X
(that will clearly show the logic taken)

alan



RE: [EAP/TLS] Authenfication through a certificate

2013-02-08 Thread vazoumana fofana


Here is the output:

 Evaluating (%{TLS-Client-Cert-Subject} =~//) - TRUE
++? if (%{TLS-Client-Cert-Subject} =~ /\/xx\// ) - TRUE
++- entering if (%{TLS-Client-Cert-Subject} =~ /\/O=\// ) {...}
+++? if (%{TLS-Client-Cert-Subject} =~ /\/OU=\// )
expand: %{TLS-Client-Cert-Subject} - /
? Evaluating (%{TLS-Client-Cert-Subject} =~ /\/xxx\//) - TRUE
+++? if (%{TLS-Client-Cert-Subject} =~ /\/x\// ) - TRUE
+++- entering if (%{TLS-Client-Cert-Subject} =~ /\/xx\// ) {...}
[noop] returns noop
+++- if (%{TLS-Client-Cert-Subject} =~ /\/xxx\// ) returns noop
+++ ... skipping else for request 21: Preceding if was taken
++- if (%{TLS-Client-Cert-Subject} =~ /\/xx\// ) returns noop
Login OK: [xx] (from client xxx

I understand that eap returns ok, so the user is authenticated.
It's not what I want to do.
I want the client certificate to be authenticated by:
- being in the users file
- having the right certificate

From: a.l.m.bu...@lboro.ac.uk
To: zoumlan...@hotmail.com; freeradius-users@lists.freeradius.org
Subject: Re: [EAP/TLS] Authenfication through a certificate
Date: Fri, 8 Feb 2013 16:20:20 +

As already said, post output of radiusd -X
(that will clearly show the logic taken)

alan

Re: [EAP/TLS] Authenfication through a certificate

2013-02-04 Thread Alan DeKok
vazoumana fofana wrote:
 I've got a question about EAP/TLS and authentication for a client
 through a certificate.
 I succeeded in setting it up. But I notice that freeradius matches the client
 login with the certificate CNAME.
 Is it possible to change it in order to match the email instead of CNAME?

  Yes.

  Read the eap.conf file, and the raddb/sites-available/default.  This
is documented.

  Alan DeKok.