[RADIATOR] multiple EAP-TLS AuthBys

Heikki Vatiainen hvn at open.com.au
Tue Feb 4 07:54:00 CST 2014


On 02/03/2014 06:46 PM, Hartmaier Alexander wrote:

>> You might be able to use EAPTLS_CertificateVerifyHook to check which CA
>> matched. However, I have not checked in detail if this is possible. I
>> would first see if the requests have any information that could help
>> with Handler selection.
> I already wrote a handler but the weird things are:
> - $matchedcn is undefined. Is this because I'm doing AuthBy FILE with
> AcceptIfMissing or because of EAPTLS_NoCheckId?

I think it's because of EAPTLS_NoCheckId. There might be still a way to
use EAPTLS_CertificateVerifyHook, even with this option enabled.

> - I don't have access to the reply packet in the hook which makes
> assigning a different value to the Tunnel-Private-Group-ID attribute
> more complicated than necessary.

You could use $p->{EAPContext} to store the information. It would then
be available when the authentication finishes. The reply when the hook
runs would be for Access-Challenge, not for the final Access-Accept.

You could try this. In the EAPTLS_CertificateVerifyHook store the
certificate issuer in the context and return for example, 'DEFAULT'.

$_[5]->{EAPContext}->{cert_issuer} =
Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_issuer_name($_[2]));

In PostAuthHook map the issuer name to VLAN id when the result is
ACCEPT. Then use $rp->add_attr() to add Tunnel-Private-Group-ID with the
value of the VLAN id.

This might work especially if there are not too many issuers and the issuer
is enough to establish which CA is used. Otherwise a more complete
certificate chain walk would be required.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
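
The two hooks described in the message above, written out as an added example; this is not code from Heikki's message or from the Radiator distribution. The positional arguments $_[2] (the X509 certificate) and $_[5] (the request packet) and the 'DEFAULT' return value are taken from the message; the issuer DNs, VLAN ids and log text are assumed, and the PostAuthHook argument convention (references to request, reply and result) follows Radiator's documented hooks. It goes slightly beyond the message by also adding Tunnel-Type and Tunnel-Medium-Type, which RFC 3580 requires alongside Tunnel-Private-Group-ID for VLAN assignment, and by refusing to assign a VLAN when the issuer is missing or unmapped.

```perl
# Added example, not part of the original message or of Radiator itself.
# Assumed: $_[2] is the X509 cert and $_[5] the request (per the message);
# issuer DNs and VLAN ids below are made up.

# --- in the <AuthBy FILE> clause that terminates EAP-TLS ---
EAPTLS_CertificateVerifyHook sub {
    my $x509 = $_[2];   # client certificate being verified
    my $p    = $_[5];   # request packet carrying EAPContext

    # Store the issuer DN in one-line form, e.g. "/C=AT/O=Example/CN=Example CA".
    # EAPContext survives until the final Access-Accept; the reply that is
    # current while this hook runs is only an Access-Challenge.
    $p->{EAPContext}->{cert_issuer} =
        Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_issuer_name($x509));

    return 'DEFAULT';   # return value as suggested in the message
}

# --- in the <Handler> clause ---
PostAuthHook sub {
    my $p      = ${$_[0]};   # request
    my $rp     = ${$_[1]};   # reply (the final one, so attributes stick)
    my $result = ${$_[2]};   # $main::ACCEPT, $main::REJECT, ...

    return unless $result == $main::ACCEPT;

    # Assumed issuer DN -> VLAN id map. Keys must match X509_NAME_oneline output
    # exactly, so check the Radiator debug log for the real DN strings first.
    my %vlan_for_issuer = (
        '/C=AT/O=Example/CN=Example Employee CA' => 100,
        '/C=AT/O=Example/CN=Example Device CA'   => 200,
    );

    my $issuer = $p->{EAPContext}->{cert_issuer};
    unless (defined $issuer) {
        # Inner request never went through the verify hook (or EAPContext was lost):
        # do not guess a VLAN, just leave the reply as the AuthBy built it.
        &main::log($main::LOG_WARNING,
            "PostAuthHook: no cert_issuer in EAPContext for " . $p->getUserName());
        return;
    }

    my $vlan = $vlan_for_issuer{$issuer};
    unless (defined $vlan) {
        &main::log($main::LOG_WARNING,
            "PostAuthHook: unmapped issuer '$issuer', no VLAN assigned");
        return;
    }

    # RFC 3580 VLAN assignment needs all three attributes, not only the group id.
    $rp->add_attr('Tunnel-Type',             'VLAN');
    $rp->add_attr('Tunnel-Medium-Type',      'IEEE-802');
    $rp->add_attr('Tunnel-Private-Group-ID', $vlan);
    return;
}
```

In radiator.cfg a multi-line hook is written with backslash line continuations or loaded from a separate file with the file: syntax; the hook bodies above are shown unwrapped for readability. Mapping on the issuer name alone is only as strong as the message's caveat: it distinguishes CAs by DN, so two CAs with identical subject DNs, or an intermediate not represented in the map, would need the fuller chain walk the message mentions.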
