[RADIATOR] multiple EAP-TLS AuthBys

Hartmaier Alexander alexander.hartmaier at t-systems.at
Wed Feb 5 11:51:40 CST 2014


That worked like a charm!
Thanks Heikki!

Is this because of historical reasons?

On 2014-02-04 14:54, Heikki Vatiainen wrote:
> On 02/03/2014 06:46 PM, Hartmaier Alexander wrote:
>
>>> You might be able to use EAPTLS_CertificateVerifyHook to check which CA
>>> matched. However, I have not checked in detail if this is possible. I
>>> would first see if the requests have any information that could help
>>> with Handler selection.
>> I already wrote a handler but the weird things are:
>> - $matchedcn is undefined. Is this because I'm doing AuthBy FILE with
>> AcceptIfMissing or because of EAPTLS_NoCheckId?
> I think it's because of EAPTLS_NoCheckId. There might be still a way to
> use EAPTLS_CertificateVerifyHook, even with this option enabled.
>
>> - I don't have access to the reply packet in the hook which makes
>> assigning a different value to the Tunnel-Private-Group-ID attribute
>> more complicated than necessary.
> You could use $p->{EAPContext} to store the information. It would then
> be available when the authentication finishes. The reply when the hook
> runs would be for Access-Challenge, not for the final Access-Accept.
>
> You could try this. In the EAPTLS_CertificateVerifyHook store the
> certificate issuer in the context and return for example, 'DEFAULT'.
I return the cert issuer's name as the return value isn't processed any
further.
I tried to put the radius reply attribute into the users file and create
one user per company but that didn't work out either.
>
> $_[5]->{EAPContext}->{cert_issuer} =
> Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_issuer_name($_[2]));
I saw that $_[5]->{EAPContext} is a Radius::Context object. Is there an
API for hook added values so I don't accidentally overwrite a Radiator
internal attribute?

>
> In PostAuthHook map the issuer name to VLAN id when the result is
> ACCEPT. Then use $rp->add_attr() to add Tunnel-Private-Group-ID with the
> value of VLAN id.
The one odd thing is that some hooks like for example the PostAuthHook
get their params as references which doesn't allow
my ($p, $rp, $result) = @_;
but you have to dereference them instead like
my $p = ${$p};
>
> This might work especially if there are not too many issuers and issuer
> is enough to establish which CA is used. Otherwise more complete
> certificate chain walk would be required.
I have only the direct issuing certs in the cert directory, so I don't
have to check the cert chain.
>
> Thanks,
> Heikki
>



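The two hooks discussed in this thread, written out as an added example (not code from either poster or from Radiator itself): the verify hook records the issuer on the EAP context, and the post-auth hook maps it to a VLAN on the final accept. Assumptions: the issuer DNs and VLAN ids are constructed placeholders, `$main::ACCEPT` and `$main::REJECT` are Radiator's result codes, and rejecting an unmapped issuer by writing through the result reference is this example's choice for a Handler that serves only EAP-TLS.

```perl
use strict;

# Body for EAPTLS_CertificateVerifyHook (set in the EAP-TLS AuthBy).
# Per the thread: $_[2] is the certificate, $_[5] is the request packet.
my $verify_hook = sub {
    my ($cert, $p) = @_[2, 5];

    # One-line issuer DN, exactly as in the call quoted in the thread.
    my $issuer = Net::SSLeay::X509_NAME_oneline(
        Net::SSLeay::X509_get_issuer_name($cert));

    # The reply at this point is an Access-Challenge, so keep the issuer
    # on the EAP context until the final request is handled.
    $p->{EAPContext}->{cert_issuer} = $issuer;

    return 'DEFAULT';    # user name suggested in the thread
};

# Body for PostAuthHook (set in the Handler).
# Arguments arrive as references: \$p, \$rp, \$result.
my $post_auth_hook = sub {
    my ($p, $rp, $result) = (${ $_[0] }, ${ $_[1] }, $_[2]);

    # Constructed sample mapping: issuer DN => VLAN id (placeholders).
    my %vlan_for_issuer = (
        '/C=AT/O=Example Company A/CN=Example Issuing CA A' => '110',
        '/C=AT/O=Example Company B/CN=Example Issuing CA B' => '120',
    );

    # Challenge rounds and rejects pass through untouched.
    return unless $$result == $main::ACCEPT;

    my $ctx    = $p->{EAPContext};
    my $issuer = $ctx ? $ctx->{cert_issuer} : undef;
    my $vlan   = defined $issuer ? $vlan_for_issuer{$issuer} : undef;

    if (defined $vlan) {
        $rp->add_attr('Tunnel-Private-Group-ID', $vlan);
    }
    else {
        # Fail closed: an accepted certificate whose issuer has no VLAN
        # mapping must not land on a default network segment.
        $$result = $main::REJECT;
    }
    return;
};
```

The mapping is an exact string match on the one-line issuer DN, so it only identifies the CA when, as in this thread, the certificate directory holds just the direct issuing certificates.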