Re: TLS Check Cn Question
David Mitchell wrote:

> currently I'm using the check_cert_cn option in my EAP-TLS setup. I think I may have the need to support two possible CN formats. Is there any way to do a conditional check?

Your message contains the answer to that question.

> I don't think the eap.conf file is unlang interpreted so I don't think I can include full regexp or if-then conditionals can I? Is there some other way to accomplish this? The docs mention possibly doing this by checking TLS-Client-Cert-CN but I'm not sure where exactly I would do that. Thanks in advance,

The CN is just a string. Check it like you would check any string.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: TLS Check Cn Question
On May 26, 2011, at 1:25 AM, Alan DeKok wrote:

> David Mitchell wrote:
>
>> currently I'm using the check_cert_cn option in my EAP-TLS setup. I think I may have the need to support two possible CN formats. Is there any way to do a conditional check?
>
> Your message contains the answer to that question.
>
>> I don't think the eap.conf file is unlang interpreted so I don't think I can include full regexp or if-then conditionals can I? Is there some other way to accomplish this? The docs mention possibly doing this by checking TLS-Client-Cert-CN but I'm not sure where exactly I would do that. Thanks in advance,
>
> The CN is just a string. Check it like you would check any string.

Well yes, that's true. I'm just not sure where the best place to put the check is since I don't believe eap.conf is unlang interpreted. Should it go into the sites-enabled/default post-auth section? That's really the piece that's not clear to me is where I can put the more sophisticated checks. I think I can write them once I have an idea of where to put them.

Thanks in advance,

-David Mitchell

> Alan DeKok.

-
| David Mitchell (mitch...@ucar.edu)  Network Engineer IV |
| Tel: (303) 497-1845  National Center for |
| FAX: (303) 497-1818  Atmospheric Research |
-
Re: TLS Check Cn Question
David Mitchell wrote:

> Well yes, that's true. I'm just not sure where the best place to put the check is since I don't believe eap.conf is unlang interpreted.

It's not.

> Should it go into the sites-enabled/default post-auth section?

The comments and examples in the sites-enabled/default file are *already* in the post-auth section. What's the problem?

Alan DeKok.
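An added illustration of the approach pointed to in the reply above (not part of the original thread, and not configuration posted by either participant): a two-format CN check written in unlang in the post-auth section of sites-enabled/default. The two patterns and the example.org domain are constructed placeholders; the block assumes the attribute is spelled TLS-Client-Cert-Common-Name in the server dictionary and that this virtual server handles only EAP-TLS.

```unlang
#  sites-enabled/default  (added example; patterns are constructed placeholders)
post-auth {
	#  eap.conf is not unlang-interpreted, so the conditional check lives
	#  here instead of in check_cert_cn.
	#
	#  Assumption: this virtual server only handles EAP-TLS. A request that
	#  carries no client certificate expands to an empty string, matches
	#  neither pattern, and is rejected (fail closed).
	#
	#  Format 1 (constructed): machine certificates, CN = host.example.org
	#  Format 2 (constructed): user certificates,    CN = user@example.org
	#
	#  Both patterns are anchored with ^ and $ so that a CN which merely
	#  contains an accepted value as a substring does not pass. The dot is
	#  written as [.] to avoid backslash-escaping differences between
	#  server versions.
	if ("%{TLS-Client-Cert-Common-Name}" !~ /^[a-z0-9-]+[.]example[.]org$/) {
		if ("%{TLS-Client-Cert-Common-Name}" !~ /^[a-z0-9._-]+@example[.]org$/) {
			#  Neither accepted format matched: send Access-Reject.
			reject
		}
	}
}
```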
TLS Check Cn Question
Greetings,

currently I'm using the check_cert_cn option in my EAP-TLS setup. I think I may have the need to support two possible CN formats. Is there any way to do a conditional check? I don't think the eap.conf file is unlang interpreted so I don't think I can include full regexp or if-then conditionals can I? Is there some other way to accomplish this? The docs mention possibly doing this by checking TLS-Client-Cert-CN but I'm not sure where exactly I would do that.

Thanks in advance,

-David Mitchell

-
| David Mitchell (mitch...@ucar.edu)  Network Engineer IV |
| Tel: (303) 497-1845  National Center for |
| FAX: (303) 497-1818  Atmospheric Research |
-