(RADIATOR) Incorrect documentation of 5.18.44 EAPTLS_NoCheckId
mikem at open.com.au
Thu Jan 31 16:07:27 CST 2008
I'm not sure what problem you are reporting here.
If EAPTLS_NoCheckId IS set in your configuration file, then Radiator should
not look up the database for the certificate username.
If EAPTLS_NoCheckId IS NOT set (the case you indicate below), then Radiator
should look up the certificate in the user database. The logs indicate that
this is indeed happening, and the user TLS+semik at cesnet.cz is not in the user
database, so the verification fails.
Or do I misunderstand your problem?
On Thursday 31 January 2008 21:09, Jan Tomasek wrote:
> documentation of EAPTLS_NoCheckId:
> > For EAP-TLS authentication, this optional parameter prevents the
> > comparison of the username with the certificate common name. The
> > certificate will be accepted based only on the validity dates and the
> > verification chain to the root certificate, and there is no requirement
> > for the user to be in any Radiator user database. This allows Radiator
> > to mimic the behavior of some other RADIUS servers.
> When I remove EAPTLS_NoCheckId directive from my config I get this error:
> > Thu Jan 31 12:01:54 2008: DEBUG: Handling request with Handler 'User-Name=/^TLS\+.+ at .+/'
> > Thu Jan 31 12:01:54 2008: DEBUG: Deleting session for TLS+semik at cesnet.cz, 127.0.0.1,
> > Thu Jan 31 12:01:54 2008: DEBUG: Handling with Radius::AuthFILE:
> > Thu Jan 31 12:01:54 2008: DEBUG: Handling with EAP: code 2, 4, 1308, 13
> > Thu Jan 31 12:01:54 2008: DEBUG: Response type 13
> > Thu Jan 31 12:01:54 2008: DEBUG: Certificate Subject Name is /C=CZ/ST=Czech Republic/L=Prague/O=CESNET/CN=TLS+semik at cesnet.cz/unstructuredName=semicek
> > Thu Jan 31 12:01:54 2008: DEBUG: Matched certificate CN TLS+semik at cesnet.cz with User-Name TLS+semik at cesnet.cz or identity TLS+semik at cesnet.cz
> > Thu Jan 31 12:01:54 2008: DEBUG: Reading users file /usr/share/radiator/users
> > Thu Jan 31 12:01:54 2008: ERR: Could not open user database file /usr/share/radiator/users in Radius::AuthFILE: No such file or directory
> > Thu Jan 31 12:01:54 2008: INFO: EAP TLS Could not authenticate user TLS+semik at cesnet.cz: User database access error
> So Radiator tries to open the user database, which isn't present, and as a
> result the request is rejected.
> I'm interested in the behavior as described in the docs; that can be easily
> done in EAPTLS_CertificateVerifyHook.
> I'm not sure if I found a bug in Radiator or just incomplete docs.
> Best regards
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
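The two configurations Mike's reply contrasts, written out side by side as an added example (this is not configuration from the thread or from the Radiator distribution). The Handler pattern and the users-file path are the ones visible in Jan's log; the certificate file names, the private-key password and the `%D` database directory are placeholders to be replaced for a real deployment.

```apacheconf
# Variant A: EAPTLS_NoCheckId NOT set.
# Radiator checks that the certificate CN matches the EAP identity / User-Name
# AND then looks the user up in the AuthBy's user database. If the users file
# is missing (as in the log above) the request is rejected with
# "User database access error", even though the certificate chain verified.
<Handler User-Name=/^TLS\+.+@.+/>
    <AuthBy FILE>
        # Must exist and must contain an entry for each certificate user
        Filename /usr/share/radiator/users
        EAPType TLS
        EAPTLS_CAFile %D/certificates/ca.pem            # placeholder
        EAPTLS_CertificateFile %D/certificates/srv.pem  # placeholder
        EAPTLS_PrivateKeyFile %D/certificates/srv.key   # placeholder
        EAPTLS_PrivateKeyPassword CHANGE-ME             # placeholder
    </AuthBy>
</Handler>

# Variant B: EAPTLS_NoCheckId set.
# No CN/User-Name comparison and no user-database lookup; the certificate is
# accepted on validity dates and the chain to EAPTLS_CAFile alone. Any
# certificate issued under that CA will therefore authenticate, so EAPTLS_CAFile
# should name only a CA you control, and any further per-user restriction
# has to be done elsewhere (e.g. EAPTLS_CertificateVerifyHook, as Jan notes).
# <Handler User-Name=/^TLS\+.+@.+/>
#     <AuthBy FILE>
#         Filename /usr/share/radiator/users   # no longer consulted for EAP-TLS
#         EAPType TLS
#         EAPTLS_NoCheckId
#         EAPTLS_CAFile %D/certificates/ca.pem
#         EAPTLS_CertificateFile %D/certificates/srv.pem
#         EAPTLS_PrivateKeyFile %D/certificates/srv.key
#         EAPTLS_PrivateKeyPassword CHANGE-ME
#     </AuthBy>
# </Handler>
```

Only one of the two Handlers should be active for a given User-Name pattern; the second is commented out so the file loads as written. The practical difference is where the authorization decision lives: in variant A the users file is the list of who may log in, in variant B the CA's issuance policy is.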