UPDATE:
I tried with the expr plugin to sanitize and mangle the User-Name sent
from the StrongSwan plugin eap-radius with EAP-TLS.
e.g.
...
update request {
    &Tmp-String-8 := "%{escape:%{&User-Name}}"
    &User-Name := &Tmp-String-8
}
but this leads to a sensible eap error in freeradius:
(1) eap: Identity does not match User-Name, setting from EAP Identity
(1) eap: Failed in handler
(1) [eap] = invalid
Therefore, if you want to handle this raw parsed ASN.1 username from the
strongswan plugin eap-radius, you need far more effort.
Because of time constraints I will run with the hack disabling the
whitespace and suffix checks.
But I have to replace many cisco ASAs with open source, therefore it
would be nice if the strongswan developers could think about suitable
configuration options in eap-radius.conf.
E.g. in cisco asa, in the tunnel-group you can select how the username
sent to the AAA server is generated from the user certificate,
username-from-certificate CN|OU|use-entire-name|use-script ..
--
stefanh
Ingenieurbuero fuer IT/EDV und Netzwerktechnik - Stefan Hartmann
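As an added example (not code from this thread, nor from strongSwan or FreeRADIUS), here is a small Python decoder that turns a raw DER-encoded subject DN, as eap-radius can pass it in User-Name, into a readable, sanitized string that a policy could compare or log; the sample DN, the attribute OID table and the helper names are my own assumptions.

```python
OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O",
        b"\x55\x04\x0b": "OU", b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01": "emailAddress"}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_dn(der):
    """Return [(attr, value), ...] in DER order; non-text values rendered as hex."""
    tag, seq, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = _tlv(seq, pos)  # each RDN is a SET of AttributeTypeAndValue
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        p = 0
        while p < len(rdn):
            _, atv, p = _tlv(rdn, p)
            _, oid, q = _tlv(atv, 0)
            vtag, val, _ = _tlv(atv, q)
            # UTF8String, PrintableString, IA5String are text; anything else shown as hex
            text = val.decode("utf-8", "replace") if vtag in (0x0C, 0x13, 0x16) else val.hex()
            rdns.append((OIDS.get(bytes(oid), "OID." + oid.hex()), text))
    return rdns

def sanitize_dn(user_name):
    """Accept raw DER bytes or FreeRADIUS-style '0x..' hex text; return an RFC 4514-style
    string with non-printable chars replaced, separators escaped and whitespace trimmed."""
    der = bytes.fromhex(user_name.removeprefix("0x")) if isinstance(user_name, str) else user_name
    parts = []
    for attr, value in decode_dn(der):
        clean = "".join(c if c.isprintable() else "?" for c in value).strip()
        clean = clean.replace("\\", "\\\\").replace(",", "\\,").replace("=", "\\=")
        parts.append(f"{attr}={clean}")
    return ", ".join(parts)

def _der(tag, content):  # minimal DER encoder (short lengths) for the constructed sample
    return bytes([tag, len(content)]) + content

# Constructed sample identity: C=DE, O=Example, CN=vpn-user1 (not from the thread)
SAMPLE_DN = _der(0x30, b"".join(_der(0x31, _der(0x30, _der(0x06, o) + _der(t, v))) for o, t, v in
    ((b"\x55\x04\x06", 0x13, b"DE"), (b"\x55\x04\x0a", 0x0C, b"Example"), (b"\x55\x04\x03", 0x0C, b"vpn-user1"))))
```

Feeding `sanitize_dn(SAMPLE_DN)` gives `C=DE, O=Example, CN=vpn-user1`; a truncated or non-SEQUENCE User-Name raises ValueError instead of producing a half-parsed name.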
On 03.03.20 21:04, Stefan Hartmann wrote:
Hi,
thank you for your thoughts.
Yes this is a workaround, I created policy.d/strongswan with
filter_username_custom in it.
But it would be nice to have a readable and sanitized subject DN as
User-Name attribute.
And what about proxying the request to another home-server with the ASN.1
raw hex User-Name?
Eventually I will test EAP-TLS with cisco IOS or ASA and look at how they
mangle the username.