[RADIATOR] EAP-TLS question

Hugh Irvine hugh at open.com.au
Mon Mar 29 20:41:37 CDT 2010


Hello Markus -

Apparently it is more complicated than that.

See for example: 

	http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn/ssl.c

	verify_cert_eku()

regards

Hugh


On 30 Mar 2010, at 07:57, Markus Moeller wrote:

> Hi Hugh
> 
>  I tried the below to check if the certificate is a certificate for client authentication.
> 
> #
> # EAPTLS_CertificateVerifyHook:
> #
> #   Check if certificate is for client authentication
> #
> #
> sub {
> 
> # Pointer to request structure
> my $p0 = $_[0]; # $matchdn
> my $p1 = $_[1]; # $x509_store_ctx
> my $p2 = $_[2]; # $cert
> my $p3 = $_[3]; # $subject_name
> my $p4 = $_[4]; # $subject
> my $p = $_[5]; # $p Radius Request
> 
> &main::log($main::LOG_DEBUG,"EAPTLS_CertificateVerifyHook DN: $p0");
> 
> my $usage =  &Net::SSLeay::X509_NAME_get_text_by_NID($p3, &Net::SSLeay::NID_ext_key_usage);
> 
> &main::log($main::LOG_DEBUG,"EAPTLS_CertificateVerifyHook result: $usage");
> 
> }
> 
> but I don't get the extended key usage info, which should show that the certificate is for "client authentication".
> 
> Mon Mar 29 15:46:47 2010: DEBUG: EAPTLS_CertificateVerifyHook DN: user at COMPANY.COM
> Mon Mar 29 15:46:47 2010: DEBUG: EAPTLS_CertificateVerifyHook result:
> 
> I would expect this to be checked by anyone who uses 802.1x. Does anyone have an example of how to do this check?
> 
> Markus
> 
> 
> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Sent: Sunday, March 21, 2010 5:28 AM
> Subject: Re: [RADIATOR] EAP-TLS question
> 
> 
> 
> Hello Markus -
> 
> Radiator does not check the usage, but you can use an EAPTLS_CertificateVerifyHook to check if you wish.
> 
> See section 5.18.47 in the Radiator 4.6 reference manual ("doc/ref.pdf").
> 
> regards
> 
> Hugh
> 
> 
> On 20 Mar 2010, at 21:41, Markus Moeller wrote:
> 
>> Hi Hugh,
>> 
>> Sorry, I mean certificates sometimes have a usage, e.g.
>> 
>> Encrypting File System (1.3.6.1.4.1.311.10.3.4)
>> 
>> Secure Email (1.3.6.1.5.5.7.3.4)
>> 
>> Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
>> 
>> Client Authentication (1.3.6.1.5.5.7.3.2)
>> 
>> Server Authentication (1.3.6.1.5.5.7.3.1)
>> 
>> IP security IKE intermediate (1.3.6.1.5.5.8.2.2)
>> 
>> 
>> So would Radiator accept a certificate for EAP-TLS client authentication if the certificate does not have the usage "Client Authentication" but only "Secure Email"?
>> 
>> Markus
>> 
>> 
>> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>> Cc: <radiator at open.com.au>
>> Sent: Saturday, March 20, 2010 7:01 AM
>> Subject: Re: [RADIATOR] EAP-TLS question
>> 
>> 
>> 
>> Hello Markus -
>> 
>> I'm not exactly sure what you mean here, but yes Radiator uses Net-SSLeay/OpenSSL for most certificate operations.
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> On 20 Mar 2010, at 05:33, Markus Moeller wrote:
>> 
>>> Hi,
>>> 
>>> Does Radiator verify the client certificate constraints, or is that implicitly done through the SSL calls?
>>> 
>>> Thank you
>>> Markus
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>> 
>> 
>> 
>> NB:
>> 
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>> 
>> -- 
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> Includes support for reliable RADIUS transport (RadSec),
>> and DIAMETER translation agent.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>> 
>> 
>> 
>> 
>> 
>> 
> 
> 
> 



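The hook Markus posted returns an empty result because Extended Key Usage is an X.509v3 extension on the certificate, not an attribute of the subject Distinguished Name, so X509_NAME_get_text_by_NID() on $subject_name cannot find it. As an added example (not code from this thread, from Radiator or from OpenVPN), the following hook does the check Hugh points at in verify_cert_eku(): it reads the EKU list from the certificate object and accepts only clientAuth (1.3.6.1.5.5.7.3.2) or anyExtendedKeyUsage (2.5.29.37.0, RFC 5280). It assumes the argument positions used in Markus's hook ($_[2] is the X509 pointer), that Net::SSLeay::P_X509_get_ext_key_usage() with format 0 returns the EKU OIDs as dotted-decimal strings, and that a true return value tells Radiator to accept the certificate.

```perl
# EAPTLS_CertificateVerifyHook (example, not from the thread or Radiator).
# Accept the client certificate only if its Extended Key Usage permits
# client authentication.
sub {
    # Argument positions assumed from the hook posted in this thread.
    my ($matchdn, $store_ctx, $cert, $subject_name, $subject, $p) = @_;

    # Policy table (constructed): clientAuth from the OID list in this
    # thread, plus anyExtendedKeyUsage as defined in RFC 5280.
    my %ok_eku = (
        '1.3.6.1.5.5.7.3.2' => 'clientAuth',
        '2.5.29.37.0'       => 'anyExtendedKeyUsage',
    );

    # Assumed Net::SSLeay API: format 0 returns dotted-decimal OID strings.
    # The EKU extension lives on the certificate, not in the subject name.
    my @eku = Net::SSLeay::P_X509_get_ext_key_usage($cert, 0);
    &main::log($main::LOG_DEBUG,
        "EAPTLS_CertificateVerifyHook EKU for $subject: "
        . (@eku ? join(',', @eku) : '<none>'));

    # RFC 5280: a certificate without an EKU extension is not restricted.
    # Reject it anyway: an 802.1X CA that issues clientAuth certificates
    # should never produce an EKU-less client certificate.
    unless (@eku) {
        &main::log($main::LOG_WARNING,
            "Rejecting $subject: no Extended Key Usage extension");
        return 0;
    }

    foreach my $oid (@eku) {
        if (exists $ok_eku{$oid}) {
            &main::log($main::LOG_DEBUG,
                "Accepting $subject: EKU $ok_eku{$oid} ($oid)");
            return 1;   # assumed: true means accept the certificate
        }
    }

    # Present but only e.g. Secure Email or Server Authentication.
    &main::log($main::LOG_WARNING,
        "Rejecting $subject: EKU does not permit client authentication");
    return 0;
}
```

The log line listing the OIDs is what a trace 4 debug would show when a smart card or e-mail certificate is presented instead of a client-authentication one.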