(RADIATOR) Incorect documentation of 5.18.44 EAPTLS_NoCheckId
jan at tomasek.cz
Thu Jan 31 05:09:03 CST 2008
documentation of EAPTLS_NoCheckId:
> For EAP-TLS authentication, this optional parameter prevents the
> comparison of the username with the certiﬁcate common name. The
> certiﬁcate will be accepted based only on the validity dates and the
> veriﬁcation chain to the root certiﬁcate, and there is no requirement
> for the user to be in any Radiator user database. This allows Radiator
> to mimic the behavior of some other RADIUS servers.
When I remove EAPTLS_NoCheckId directive from my config I get this error:
> Thu Jan 31 12:01:54 2008: DEBUG: Handling request with Handler 'User-Name=/^TLS\+.+ at .+/'
> Thu Jan 31 12:01:54 2008: DEBUG: Deleting session for TLS+semik at cesnet.cz, 127.0.0.1,
> Thu Jan 31 12:01:54 2008: DEBUG: Handling with Radius::AuthFILE:
> Thu Jan 31 12:01:54 2008: DEBUG: Handling with EAP: code 2, 4, 1308, 13
> Thu Jan 31 12:01:54 2008: DEBUG: Response type 13
> Thu Jan 31 12:01:54 2008: DEBUG: Certificate Subject Name is /C=CZ/ST=Czech Republic/L=Prague/O=CESNET/CN=TLS+semik at cesnet.cz/unstructuredName=semicek
> Thu Jan 31 12:01:54 2008: DEBUG: Matched certificate CN TLS+semik at cesnet.cz with User-Name TLS+semik at cesnet.cz or identity TLS+semik at cesnet.cz
> Thu Jan 31 12:01:54 2008: DEBUG: Reading users file /usr/share/radiator/users
> Thu Jan 31 12:01:54 2008: ERR: Could not open user database file /usr/share/radiator/users in Radius::AuthFILE: No such file or directory
> Thu Jan 31 12:01:54 2008: INFO: EAP TLS Could not authenticate user TLS+semik at cesnet.cz: User database access error
So Radiator try to open user database which isn't present and in result
request is rejected.
I'm interested in behavior as is described in docs - that can be easily
done in EAPTLS_CertiﬁcateVerifyHook.
I'm not sure if I found bug in Radiator or just incomplete docs.
Jan Tomasek aka Semik
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator