[RADIATOR] EAP-TLS question
Markus Moeller
huaraz at moeller.plus.com
Mon Mar 29 15:57:07 CDT 2010
Hi Hugh
I tried the below to check if the certificate is a certificate for client
authentication.
#
# EAPTLS_CertificateVerifyHook:
#
# Check if certificate is for client authentication
#
sub {
    # Hook arguments, in the order Radiator passes them
    my $p0 = $_[0]; # $matchdn
    my $p1 = $_[1]; # $x509_store_ctx
    my $p2 = $_[2]; # $cert
    my $p3 = $_[3]; # $subject_name
    my $p4 = $_[4]; # $subject
    my $p  = $_[5]; # $p Radius Request
    &main::log($main::LOG_DEBUG, "EAPTLS_CertificateVerifyHook DN: $p0");
    # Look up NID_ext_key_usage on the subject name
    my $usage = &Net::SSLeay::X509_NAME_get_text_by_NID($p3,
        &Net::SSLeay::NID_ext_key_usage);
    &main::log($main::LOG_DEBUG, "EAPTLS_CertificateVerifyHook result: $usage");
}
but I don't get the extended key usage info, which should show that the
certificate is for "client authentication".
Mon Mar 29 15:46:47 2010: DEBUG: EAPTLS_CertificateVerifyHook DN:
user at COMPANY.COM
Mon Mar 29 15:46:47 2010: DEBUG: EAPTLS_CertificateVerifyHook result:
I would expect this to be checked by anyone who uses 802.1x. Does anyone have
an example of how to do this check?
Markus
----- Original Message -----
From: "Hugh Irvine" <hugh at open.com.au>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Sent: Sunday, March 21, 2010 5:28 AM
Subject: Re: [RADIATOR] EAP-TLS question
Hello Markus -
Radiator does not check the usage, but you can use an
EAPTLS_CertificateVerifyHook to check if you wish.
See section 5.18.47 in the Radiator 4.6 reference manual ("doc/ref.pdf").
regards
Hugh
On 20 Mar 2010, at 21:41, Markus Moeller wrote:
> Hi Hugh,
>
> Sorry, I mean certificates sometimes have a usage, e.g.
>
> Encrypting File System (1.3.6.1.4.1.311.10.3.4)
>
> Secure Email (1.3.6.1.5.5.7.3.4)
>
> Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
>
> Client Authentication (1.3.6.1.5.5.7.3.2)
>
> Server Authentication (1.3.6.1.5.5.7.3.1)
>
> IP security IKE intermediate (1.3.6.1.5.5.8.2.2)
>
>
> So would Radiator accept a certificate for EAP-TLS client
> authentication if the certificate does not have the usage "Client
> Authentication" but only "Secure Email"?
>
> Markus
>
>
> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Cc: <radiator at open.com.au>
> Sent: Saturday, March 20, 2010 7:01 AM
> Subject: Re: [RADIATOR] EAP-TLS question
>
>
>
> Hello Markus -
>
> I'm not exactly sure what you mean here, but yes Radiator uses
> Net-SSLeay/OpenSSL for most certificate operations.
>
> regards
>
> Hugh
>
>
> On 20 Mar 2010, at 05:33, Markus Moeller wrote:
>
>> Hi,
>>
>> Does Radiator verify the client certificate constraints or is that
>> implicitly done through the SSL calls?
>>
>> Thank you
>> Markus
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
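One way to do the check asked for above, as an added example that is not Radiator's or Net::SSLeay's own code: a hook that reads the Extended Key Usage extension from the certificate pointer ($cert, the third hook argument) rather than from the subject name, and accepts only certificates carrying Client Authentication (1.3.6.1.5.5.7.3.2). It assumes a Net::SSLeay that provides P_X509_get_ext_key_usage (newer than the versions current when this thread was written) and assumes the hook's return convention is 1 to accept the certificate and 0 to reject it.

```perl
# EAPTLS_CertificateVerifyHook: accept the EAP-TLS client certificate only
# if its Extended Key Usage includes Client Authentication.
# Added example (not Radiator's or Net::SSLeay's code). Assumes a Net::SSLeay
# with P_X509_get_ext_key_usage and a hook return of 1 = accept, 0 = reject.
sub {
    # Same argument order as the hook posted above
    my ($matchdn, $x509_store_ctx, $cert, $subject_name, $subject, $p) = @_;

    # EKU is an X.509v3 extension of the certificate itself, not an
    # attribute of the subject name, so it has to be read from $cert
    # (an X509 pointer), not from $subject_name (an X509_NAME pointer).
    my @eku = Net::SSLeay::P_X509_get_ext_key_usage($cert);

    # Match whichever spelling this Net::SSLeay build returns for
    # id-kp-clientAuth: long name, short name or dotted OID.
    my %client_auth = map { $_ => 1 }
        ('TLS Web Client Authentication', 'clientAuth', '1.3.6.1.5.5.7.3.2');
    my $ok = grep { $client_auth{$_} } @eku;   # scalar context: match count

    &main::log($main::LOG_DEBUG,
        "EAPTLS_CertificateVerifyHook DN: $matchdn EKU: "
        . (@eku ? join(', ', @eku) : '(none)'));

    # Policy choice: a certificate with no EKU at all, or with only e.g.
    # Secure Email, is rejected rather than treated as unrestricted.
    unless ($ok) {
        &main::log($main::LOG_INFO,
            "EAPTLS_CertificateVerifyHook: rejecting $matchdn, "
            . "no Client Authentication in Extended Key Usage");
        return 0;
    }
    return 1;
}
```

With trace 4 debugging enabled, the DEBUG line shows the EKU list actually present on each client certificate, which makes it easy to see why a particular certificate was rejected.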