(RADIATOR) Incorrect documentation of 5.18.44 EAPTLS_NoCheckId

Mike McCauley mikem at open.com.au
Thu Jan 31 16:07:27 CST 2008


Hello Jan,

I'm not sure what problem you are reporting here.

If EAPTLS_NoCheckId IS set in your configuration file, then Radiator should 
not look up the database for the certificate username.

If EAPTLS_NoCheckId IS NOT set (the case you indicate below), then Radiator 
should look up the certificate in the user database. The logs indicate that 
this is indeed happening, and the user TLS+semik at cesnet.cz is not in the user 
database, so the verification fails.

Or do I misunderstand your problem?

Cheers.


On Thursday 31 January 2008 21:09, Jan Tomasek wrote:
> Hi,
>
> documentation of EAPTLS_NoCheckId:
>  > For EAP-TLS authentication, this optional parameter prevents the
>  > comparison of the username with the certificate common name. The
>  > certificate will be accepted based only on the validity dates and the
>  > verification chain to the root certificate, and there is no requirement
>  > for the user to be in any Radiator user database. This allows Radiator
>  > to mimic the behavior of some other RADIUS servers.
>
> When I remove EAPTLS_NoCheckId directive from my config I get this error:
> > Thu Jan 31 12:01:54 2008: DEBUG: Handling request with Handler 'User-Name=/^TLS\+.+ at .+/'
> > Thu Jan 31 12:01:54 2008: DEBUG:  Deleting session for TLS+semik at cesnet.cz, 127.0.0.1,
> > Thu Jan 31 12:01:54 2008: DEBUG: Handling with Radius::AuthFILE:
> > Thu Jan 31 12:01:54 2008: DEBUG: Handling with EAP: code 2, 4, 1308, 13
> > Thu Jan 31 12:01:54 2008: DEBUG: Response type 13
> > Thu Jan 31 12:01:54 2008: DEBUG: Certificate Subject Name is /C=CZ/ST=Czech Republic/L=Prague/O=CESNET/CN=TLS+semik at cesnet.cz/unstructuredName=semicek
> > Thu Jan 31 12:01:54 2008: DEBUG: Matched certificate CN TLS+semik at cesnet.cz with User-Name TLS+semik at cesnet.cz or identity TLS+semik at cesnet.cz
> > Thu Jan 31 12:01:54 2008: DEBUG: Reading users file /usr/share/radiator/users
> > Thu Jan 31 12:01:54 2008: ERR: Could not open user database file /usr/share/radiator/users in Radius::AuthFILE: No such file or directory
> > Thu Jan 31 12:01:54 2008: INFO: EAP TLS Could not authenticate user TLS+semik at cesnet.cz: User database access error
>
> So Radiator try to open user database which isn't present and in result
> request is rejected.
>
> I'm interested in behavior as is described in docs - that can be easily
> done in EAPTLS_CertificateVerifyHook.
>
> I'm not sure if I found bug in Radiator or just incomplete docs.
>
> Best regards

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
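Added illustration, not part of the thread above and not taken from Radiator's own distribution: the two configurations Mike describes, side by side, written with standard Radiator directives. File paths, the handler regex and the users-file entry are assumptions made for the example (the archive renders '@' in addresses as ' at '). The trade-off is the one the quoted documentation states: with EAPTLS_NoCheckId set, any client certificate that chains to EAPTLS_CAFile and is within its validity dates is accepted, whatever identity it carries, so that CA must issue client certificates only to people who should get access. Without it, the certificate CN must match the User-Name and that user must exist in the AuthBy's database, which is why a missing users file rejects everyone.

```apacheconf
# Added example configuration for the EAPTLS_NoCheckId discussion; not from the
# original thread or from Radiator's goodies directory. %D is Radiator's DbDir
# macro; paths, regex and the users-file entry are assumptions for illustration.
# The two Handlers are alternatives: deploy one or the other, not both.

# Variant A: EAPTLS_NoCheckId NOT set. Radiator compares the certificate CN
# with User-Name and then looks that user up in the users file. If the file
# cannot be opened, every EAP-TLS request fails with
# "User database access error", exactly as in the quoted log.
<Handler User-Name=/^TLS\+.+@.+/>
	<AuthBy FILE>
		# This file must exist and contain one entry per permitted CN.
		# Assumed entry (username only, no check items):
		#   TLS+semik@cesnet.cz
		Filename %D/users

		EAPType TLS
		EAPTLS_CAFile %D/certificates/cacert.pem
		EAPTLS_CertificateFile %D/certificates/server-cert.pem
		EAPTLS_PrivateKeyFile %D/certificates/server-key.pem
		EAPTLS_PrivateKeyPassword whatever
		EAPTLS_MaxFragmentSize 1024
	</AuthBy>
</Handler>

# Variant B: EAPTLS_NoCheckId set. No CN/User-Name comparison and no database
# lookup; a valid chain to cacert.pem within the validity dates is sufficient.
# Appropriate only when that CA issues client certificates exclusively to
# users who are entitled to access, because the CA is now the whole
# authorisation decision.
<Handler User-Name=/^TLS\+.+@.+/>
	<AuthBy FILE>
		# Still required by AuthBy FILE, but per the thread it is not opened
		# for EAP-TLS when EAPTLS_NoCheckId is set.
		Filename %D/users

		EAPType TLS
		EAPTLS_NoCheckId
		EAPTLS_CAFile %D/certificates/cacert.pem
		EAPTLS_CertificateFile %D/certificates/server-cert.pem
		EAPTLS_PrivateKeyFile %D/certificates/server-key.pem
		EAPTLS_PrivateKeyPassword whatever
		EAPTLS_MaxFragmentSize 1024
	</AuthBy>
</Handler>
```

A quick check for either variant is to run radiusd with Trace 4 and present a certificate issued by the trusted CA whose CN is deliberately absent from the users file: variant A must log the "Matched certificate CN" line followed by a rejection, variant B must accept without a "Reading users file" line at all.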