[RADIATOR] EAP-TLS question

Markus Moeller huaraz at moeller.plus.com
Mon Mar 29 15:57:07 CDT 2010


Hi Hugh

   I tried the below to check if the certificate is a certificate for client 
authentication.

#
# EAPTLS_CertificateVerifyHook:
#
#   Check if certificate is for client authentication
#
#
sub {

# Pointer to request structure
  my $p0 = $_[0]; # $matchdn
  my $p1 = $_[1]; # $x509_store_ctx
  my $p2 = $_[2]; # $cert
  my $p3 = $_[3]; # $subject_name
  my $p4 = $_[4]; # $subject
  my $p = $_[5]; # $p Radius Request

  &main::log($main::LOG_DEBUG,"EAPTLS_CertificateVerifyHook DN: $p0");

  my $usage =  &Net::SSLeay::X509_NAME_get_text_by_NID($p3, 
&Net::SSLeay::NID_ext_key_usage);

  &main::log($main::LOG_DEBUG,"EAPTLS_CertificateVerifyHook result: 
$usage");

}

but I don't get the extented key usage info, which should show that the 
certificate is for "client authentication".

Mon Mar 29 15:46:47 2010: DEBUG: EAPTLS_CertificateVerifyHook DN: 
user at COMPANY.COM
Mon Mar 29 15:46:47 2010: DEBUG: EAPTLS_CertificateVerifyHook result:

I would expect this to be checked by anyone who uses 802.1x.  Has someone an 
example how to do this check ?

Markus


----- Original Message ----- 
From: "Hugh Irvine" <hugh at open.com.au>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Sent: Sunday, March 21, 2010 5:28 AM
Subject: Re: [RADIATOR] EAP-TLS question



Hello Markus -

Radiator does not check the usage, but you can use an 
EAPTLS_CertificateVerifyHook to check if you wish.

See section 5.18.47 in the Radiator 4.6 reference manual ("doc/ref.pdf").

regards

Hugh


On 20 Mar 2010, at 21:41, Markus Moeller wrote:

> Hi Hugh,
>
>     Sorry I mean certificates have sometimes a usage e.g.
>
> Encrypting File System (1.3.6.1.4.1.311.10.3.4)
>
> Secure Email (1.3.6.1.5.5.7.3.4)
>
> Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
>
> Client Authentication (1.3.6.1.5.5.7.3.2)
>
> Server Authentication (1.3.6.1.5.5.7.3.1)
>
> IP security IKE intermediate (1.3.6.1.5.5.8.2.2)
>
>
>     So would radiator accept a certificate for EAP-TLS client 
> authentication if the certificate has not the usage "Client 
> Authentication" but only "Secure Email " ?
>
> Markus
>
>
> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Cc: <radiator at open.com.au>
> Sent: Saturday, March 20, 2010 7:01 AM
> Subject: Re: [RADIATOR] EAP-TLS question
>
>
>
> Hello Markus -
>
> I'm not exactly sure what you mean here, but yes Radiator uses 
> Net-SSLeay/OpenSSL for most certificate operations.
>
> regards
>
> Hugh
>
>
> On 20 Mar 2010, at 05:33, Markus Moeller wrote:
>
>> Hi,
>>
>>  Does radiator verify the client certificate constraints or is that 
>> implicit done through the SSL  calls ?
>>
>> Thank you
>> Markus
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive 
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>
>
>
>
>



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive 
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.








More information about the radiator mailing list