(RADIATOR) Incorrect documentation of 5.18.44 EAPTLS_NoCheckId

Jan Tomasek jan at tomasek.cz
Thu Jan 31 05:09:03 CST 2008


Hi,

The documentation of EAPTLS_NoCheckId says:

 > For EAP-TLS authentication, this optional parameter prevents the
 > comparison of the username with the certificate common name. The
 > certificate will be accepted based only on the validity dates and the
 > verification chain to the root certificate, and there is no requirement
 > for the user to be in any Radiator user database. This allows Radiator
 > to mimic the behavior of some other RADIUS servers.

When I remove the EAPTLS_NoCheckId directive from my config I get this error:

> Thu Jan 31 12:01:54 2008: DEBUG: Handling request with Handler 'User-Name=/^TLS\+.+ at .+/'
> Thu Jan 31 12:01:54 2008: DEBUG:  Deleting session for TLS+semik at cesnet.cz, 127.0.0.1, 
> Thu Jan 31 12:01:54 2008: DEBUG: Handling with Radius::AuthFILE: 
> Thu Jan 31 12:01:54 2008: DEBUG: Handling with EAP: code 2, 4, 1308, 13
> Thu Jan 31 12:01:54 2008: DEBUG: Response type 13
> Thu Jan 31 12:01:54 2008: DEBUG: Certificate Subject Name is /C=CZ/ST=Czech Republic/L=Prague/O=CESNET/CN=TLS+semik at cesnet.cz/unstructuredName=semicek
> Thu Jan 31 12:01:54 2008: DEBUG: Matched certificate CN TLS+semik at cesnet.cz with User-Name TLS+semik at cesnet.cz or identity TLS+semik at cesnet.cz
> Thu Jan 31 12:01:54 2008: DEBUG: Reading users file /usr/share/radiator/users
> Thu Jan 31 12:01:54 2008: ERR: Could not open user database file /usr/share/radiator/users in Radius::AuthFILE: No such file or directory
> Thu Jan 31 12:01:54 2008: INFO: EAP TLS Could not authenticate user TLS+semik at cesnet.cz: User database access error

So Radiator tries to open the user database, which isn't present, and as a
result the request is rejected.

I'm interested in the behavior as described in the docs; that can be easily
done in EAPTLS_CertificateVerifyHook.

I'm not sure if I found a bug in Radiator or just incomplete docs.

Best regards
-- 
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
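The post contrasts two EAP-TLS identity bindings: with EAPTLS_NoCheckId the certificate chain alone is the credential and no user database is consulted; without it, the certificate CN must match the User-Name and the user must then be found in the users file, so an unreadable users file rejects the request even after the CN matched. The following is an added illustration, not Radiator's code or its hook API: it parses the OpenSSL one-line subject format seen in the debug log, pulls the subject out of a constructed log line, and models the two decision paths. The function names, the in-memory users table and the sample identities are assumptions made here.

```python
"""Model of the two EAP-TLS identity-binding modes discussed in the post.

Added illustration only: the parser, function names and the in-memory
"users file" are assumptions, not Radiator internals.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed log line in the same shape as the DEBUG line from the post.
SAMPLE_LOG_LINE = (
    "Thu Jan 31 12:01:54 2008: DEBUG: Certificate Subject Name is "
    "/C=CZ/ST=Czech Republic/L=Prague/O=EXAMPLE"
    "/CN=TLS+user@example.org/unstructuredName=user"
)


def subject_from_log(line: str) -> Optional[str]:
    """Return the subject DN from a 'Certificate Subject Name is ...' line."""
    marker = "Certificate Subject Name is "
    idx = line.find(marker)
    return None if idx < 0 else line[idx + len(marker):].strip()


def parse_subject(subject: str) -> Dict[str, str]:
    """Parse an OpenSSL one-line subject ('/C=CZ/O=.../CN=...') into a dict.

    Components are separated by '/', each being 'key=value'. Values that
    themselves contain '/' are not handled; real code should read the
    X.509 name components from the certificate object instead of a string.
    """
    attrs: Dict[str, str] = {}
    for part in subject.split("/"):
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key] = value
    return attrs


@dataclass
class Decision:
    accepted: bool
    reason: str


def eap_tls_decide(subject: str, user_name: str,
                   users_db: Optional[Dict[str, dict]],
                   no_check_id: bool = False) -> Decision:
    """Decide an EAP-TLS request after the TLS layer has already verified
    the chain and validity dates.

    users_db=None models the post's failure: the users file could not be
    opened, which is a database access error rather than 'user unknown'.
    """
    cn = parse_subject(subject).get("CN")
    if no_check_id:
        # Documented EAPTLS_NoCheckId behaviour: no CN/User-Name comparison
        # and no user database lookup; the chain is the whole credential.
        return Decision(True, "accepted on certificate chain only (NoCheckId)")
    if cn is None or cn != user_name:
        # Default binding: the presented identity must be the certificate's CN,
        # so a valid certificate cannot be used to claim a different User-Name.
        return Decision(False, f"certificate CN {cn!r} != User-Name {user_name!r}")
    if users_db is None:
        return Decision(False, "User database access error")
    if user_name not in users_db:
        return Decision(False, "user not found in database")
    return Decision(True, "CN matched User-Name and user is in database")


if __name__ == "__main__":
    dn = subject_from_log(SAMPLE_LOG_LINE)
    for mode, db in (("default, users file missing", None),
                     ("default, user present", {"TLS+user@example.org": {}}),
                     ("NoCheckId", None)):
        d = eap_tls_decide(dn, "TLS+user@example.org", db,
                           no_check_id=mode == "NoCheckId")
        print(f"{mode:30s} -> {'ACCEPT' if d.accepted else 'REJECT'}: {d.reason}")
```

Running it shows the three outcomes side by side: the missing users file yields the rejection from the post's log, a present user is accepted, and NoCheckId accepts without touching the database at all.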

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


More information about the radiator mailing list