RE: eap/tls questions with freeradius

2011-12-20 Thread vazoumana fofana

Precisely, I am looking for check_cert_subject, which checks a client's certificate field.

From: zoumlan...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: eap/tls questions with freeradius
Date: Tue, 20 Dec 2011 12:23:50 +

Hi,

I've got a question:
I've set up a FreeRADIUS server with EAP/TLS.
In my configuration, I use check_cert_issuer in order to check the certificate.
Is there any function which allows me to check the client's certificate subject
(C, O, OU ...)?
Furthermore, I've got another question:
when a client requests authentication, does the server check the users file first, then
the certificate validity of the client?

Cheers

  -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: eap/tls questions with freeradius

2011-12-23 Thread vazoumana fofana


Do you know where I can insert a script to add new functions like described in
my previous email?
When the client sends its certificate, does the server check the username or the
certificate validity first?



Re: eap/tls questions with freeradius

2011-12-23 Thread Fajar A. Nugraha
On Fri, Dec 23, 2011 at 3:54 PM, vazoumana fofana
 wrote:
>
> Do you know where I can insert a script to add new functions like described
> in my previous email?
> When the client sends its certificate, does the server check the username or
> the certificate validity first?

Try:
- http://wiki.freeradius.org/Sites%20configuration
- http://freeradius.org/radiusd/man/unlang.html
- http://wiki.freeradius.org/Rlm_perl

Use unlang and attributes (such as TLS-Client-Cert-Common-Name) to do
whatever filtering you want. If you need complex processing, you might
have to use rlm_perl as well.

-- 
Fajar



RE: eap/tls questions with freeradius

2011-12-23 Thread vazoumana fofana

Thanks!!!



RE: eap/tls questions with freeradius

2011-12-26 Thread vazoumana fofana

sorry, I've got persistent problems:

- I filter the client certificate under the authenticate section (under eap) with:
Auth-Type eap {
    if ( "%{TLS-Client-Cert-Subject}" =~ /OU=x/ ) {
        reject
    }
}
Firstly, it's written in the "default" file:
#  Please do not put "unlang" configurations into the "authenticate"
#  section.  Put them in the "post-auth" section instead.  That's what
#  the post-auth section is for.
But, according to me, it's not right because I don't want to enter into
post-auth. It must be rejected before.

Secondly,

with this configuration, I try to authenticate a client with certificate
OU=x. According to debug mode, it seemed to work. The client (Windows XP)
requested 21 times without success. But at the 22nd, it seemed to authenticate
successfully because I see the client associated to the AP. After some time (5-10
minutes), the client seemed to be detached and entered an authentication loop until
it succeeded authenticating.

Do you know why the client succeeds authenticating for a time?
Is it possible to avoid requests from certain clients?
I restrict authentication requests to a chosen NAS. I want to avoid clients
entering an authentication loop. But these clients can request authentication through
the chosen NAS.

Cheers.



Re: eap/tls questions with freeradius

2011-12-26 Thread Fajar A. Nugraha
On Mon, Dec 26, 2011 at 9:44 PM, vazoumana fofana
 wrote:
> sorry, I've got persistent problems:
>
> - I filter the client certificate under the authenticate section (under eap) with:
> Auth-Type eap {
>     if ( "%{TLS-Client-Cert-Subject}" =~ /OU=x/ ) {
>         reject
>     }
> }
> Firstly, it's written in the "default" file:
> #  Please do not put "unlang" configurations into the "authenticate"
> #  section.  Put them in the "post-auth" section instead.  That's what
> #  the post-auth section is for.
> But, according to me, it's not right because I don't want to enter into
> post-auth. It must be rejected before.

Try the authorize section. The usual method in authorize would be

update control {
Auth-Type := reject
}

>
> secondly,
>
> with this configuration, I try to authenticate a client with certificate
> OU=x. According to debug mode, it seemed to work.
> The client (Windows XP)
> requested 21 times without success. But at the 22nd, it seemed to authenticate
> successfully because I see the client associated to the AP. After some time (5-10
> minutes), the client seemed to be detached and entered an authentication loop
> until it succeeded authenticating.

What does the debug log say? Did FR send access-accept?

>
> Do you know why the client succeeds authenticating for a time?

If FR sends access-accept, look at the debug log to see why it's accepting
the request.

If FR does NOT send access-accept, it's probably a bug in the NAS.

> Is it possible to avoid requests from certain clients?

If they have a distinct attribute (e.g. certificate, user-name,
calling-station-id, whatever), you can just use unlang.

> I restrict authentication requests to a chosen NAS. I want to avoid clients
> entering an authentication loop. But these clients can request authentication
> through the chosen NAS.

I have no idea what that means. Did you want to allow client A to
login from NAS X, but reject it if it tries to login from NAS Y? If
yes, try http://wiki.freeradius.org/Huntgroups or
http://wiki.freeradius.org/SQL%20Huntgroup%20HOWTO

-- 
Fajar



Re: eap/tls questions with freeradius

2011-12-28 Thread Phil Mayers

On 12/26/2011 02:44 PM, vazoumana fofana wrote:

sorry, I've got persistent problems:

- I filter the client certificate under the authenticate section (under eap)
with:
Auth-Type eap {
    if ( "%{TLS-Client-Cert-Subject}" =~ /OU=x/ ) {
        reject
    }
}
Firstly, it's written in the "default" file:
#  Please do not put "unlang" configurations into the "authenticate"
#  section.  Put them in the "post-auth" section instead.  That's what
#  the post-auth section is for.
But, according to me, it's not right because I don't want to enter into
post-auth. It must be rejected before.


This is not easy at the moment I'm afraid.

Basically, the problem is that the "authorize" part of the "eap" module 
doesn't do much. All the work is done inside the "authenticate" section.


This means that TLS-* attributes may not be present in "authorize".

You are correct that performing a "reject" in "post-auth" is not the 
right thing to do.


It might be an idea in future to add an "inner-tunnel" feature for 
EAP-TLS which sends a plain PAP packet with the TLS-* attributes, which 
allows this kind of checking.


You need to use the "verify { }" option under the "tls { }" config to 
run an external script. Like so:

eap {
  tls {
    verify {
      client = "/path/to/my/script ..."
    }
  }
}

This is documented with examples in eap.conf

But really, you're doing it wrong.

If you don't want a particular cert to authenticate, revoke it and use 
CRLs or OCSP.


Why do you think you want to check the cert subject?
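As an added example (not from this thread or the FreeRADIUS project): a POSIX shell script of the kind Phil describes for the "verify { client = ... }" hook, which reads the client certificate's OU values with openssl and exits non-zero to reject it. The script name, the %{TLS-Client-Cert-Filename} argument and the permitted-OU list are assumptions; it enforces an allowlist (every OU present must be permitted, and a certificate with no OU is rejected) rather than the thread's denylist on a single OU.

```shell
#!/bin/sh
# verify-client-ou.sh (hypothetical name): client-certificate check for the
# FreeRADIUS "verify { client = ... }" hook in eap.conf. Assumed wiring:
#   verify {
#     client = "/usr/local/bin/verify-client-ou.sh %{TLS-Client-Cert-Filename}"
#   }
# Exit status 0 accepts the certificate; anything else rejects it.

# Constructed policy: permitted OU values, pipe-delimited so values may
# contain spaces without being split.
ALLOWED_OUS="|Staff|Network Team|"

# ou_policy SUBJECT_TEXT
# SUBJECT_TEXT is the output of: openssl x509 -noout -subject -nameopt multiline
# (one RDN per line, e.g. "    organizationalUnitName    = Staff").
# Returns 0 only if at least one OU is present and every OU is in ALLOWED_OUS;
# a certificate carrying several OUs, one of them foreign, is rejected.
ou_policy() {
    ous=$(printf '%s\n' "$1" |
          sed -n 's/^[[:space:]]*organizationalUnitName[[:space:]]*= //p')
    [ -n "$ous" ] || return 1            # no OU at all: reject
    # The while loop runs in a subshell; its exit status becomes the
    # pipeline status, which is what this function returns.
    printf '%s\n' "$ous" | while IFS= read -r ou; do
        case "$ALLOWED_OUS" in
            *"|$ou|"*) ;;                # this OU is permitted
            *) exit 1 ;;                 # any OU outside the allowlist rejects
        esac
    done
}

# verify_cert_file CERT_PATH: read the PEM client certificate FreeRADIUS
# wrote to disk and apply the OU policy to its subject.
verify_cert_file() {
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt multiline) || return 1
    ou_policy "$subject"
}

# When invoked by FreeRADIUS the certificate path is the first argument.
if [ "$#" -ge 1 ]; then
    verify_cert_file "$1"
    exit $?
fi
```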