[RADIATOR] Extracting certificates info for EAP PEAP,TTLS,TLS

Christian Kratzer ck-lists at cksoft.de
Thu Feb 19 01:31:38 CST 2015


Hi,

I would like some advice on how to balance my options with a customer
setup I have been building.

This setup has both tunneled EAP PEAP and TTLS and non-tunneled TLS
based host authentication.

There is an mschap based EAP authentication followed by an SQL based
authorisation clause.

The basic structure is as follows:

    <AuthBy SQL>
        Identifier SQLauthenticate
        # mschap2 authentication
    </AuthBy SQL>

    <AuthBy SQL>
        Identifier SQLauthorize
        # sql based authorisation
        NoEAP
    </AuthBy SQL>

    <Handler TunnelledByPEAP=1>
        Identifier      PEAP
        AuthByPolicy    ContinueWhileAccept
        AuthBy          SQLauthenticate
        AuthBy          SQLauthorize
    </Handler>

    <Handler TunnelledByTTLS=1>
        Identifier      TTLS
        AuthByPolicy    ContinueWhileAccept
        AuthBy          SQLauthenticate
        AuthBy          SQLauthorize
    </Handler>

    # EAP TLS based host authentication
    <Handler User-Name = /host/>
        Identifier      TLS
        AuthBy          FILE
        AuthBy          SQLauthorize
    </Handler>

    <Handler>
        Identifier      Outer
        AuthBy          EAPouterHandler
    </Handler>

First question:
---------------

The fun starts as the customer needs various data from the client
certificates that we can extract in various hooks.

We have used the handler PostAuthHook to access the peer certificate
in the EAP context and subsequently extract the issuer name and
certificate policy from it and stick the data into the request.

The dilemma is that PostAuthHook is too late to use the extracted
data in the SQLauthorize clause.

We would also not like to delegate the authorisation logic to
the PostAuthHook.  The authorisation is basically a psql stored
procedure that encapsulates all the business logic.  I would like to
keep it visible in the configuration and not hidden in a hook.

We were successful in extracting the certificate in the inner handlers'
PreAuthHook, as the certificate has been extracted in the outer handler
and is available at this point.

This does not work for EAP TLS though, as TLS is not tunneled.

I could probably use one of the hooks in EAP_13 (TLS), like perhaps
EAPTLS_CertificateVerifyHook, to handle the TLS case and the
PreHandlerHook for the tunneled methods.

On the other hand I could probably patch the EAP PEAP, TTLS and TLS handlers
and provide a generic way to map certificate data into the request.

Do you have any advice on how to best handle this?

Second question:
----------------

We would also need the user and realm from the inner EAP identity in
the above authorisation clauses.  How could those best be accessed?  The
authorisation clauses use NoEAP in order not to interfere with the
EAP challenge authentication, so the usual variables seem to have the
outer identity.

Greetings
Christian

-- 
Christian Kratzer                   CK Software GmbH
Email:   ck at cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/
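The following is an added example, not code from the original post or from the Radiator distribution. It shows the certificate-extraction part of the first question in stand-alone form: pulling the issuer DN and the certificatePolicies OIDs out of a client certificate with Net::SSLeay (the OpenSSL binding Radiator uses), and how such values could then be placed on a request from an EAPTLS_CertificateVerifyHook for the non-tunneled TLS case. The hook argument shape (matched CN, X509_STORE_CTX, request, passed as references), the return convention, the `add_attr` call and the `X-Cert-*` attribute names are assumptions that must be checked against the Radiator reference manual and the configured dictionary. The tunneled PEAP/TTLS path is not shown, because the post does not say where the outer handler leaves the certificate for the inner request.

```perl
#!/usr/bin/perl
# Added example (not from the original post or the Radiator distribution):
# extract issuer DN and certificatePolicies OIDs from a client certificate
# with Net::SSLeay, and stash them on a RADIUS request from a hook.
use strict;
use warnings;
use Net::SSLeay ();

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::OpenSSL_add_all_algorithms();

# Pull the fields of interest out of an X509 pointer (as returned by
# Net::SSLeay::get_peer_certificate or X509_STORE_CTX_get_current_cert).
sub cert_attrs {
    my ($x509) = @_;
    my %a;
    $a{issuer}  = Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_issuer_name($x509));
    $a{subject} = Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name($x509));

    # certificatePolicies extension: OpenSSL's printer emits one
    # "Policy: <oid>" line per policy, optionally followed by CPS /
    # User Notice qualifier lines, which the regex below skips.
    # Caveat: a named policy (e.g. anyPolicy) prints as text, not an OID.
    my $nid = Net::SSLeay::OBJ_txt2nid('certificatePolicies');
    my $idx = Net::SSLeay::X509_get_ext_by_NID($x509, $nid, -1);
    $a{policies} = [];
    if ($idx >= 0) {
        my $ext = Net::SSLeay::X509_get_ext($x509, $idx);
        my $txt = Net::SSLeay::X509V3_EXT_print($ext, 0, 0);
        push @{ $a{policies} }, ($txt =~ /Policy:\s*(\S+)/g);
    }
    return \%a;
}

# Read a PEM certificate from disk (stand-alone use and testing only;
# inside Radiator the certificate comes from the TLS session instead).
sub cert_attrs_from_pem_file {
    my ($file) = @_;
    my $bio  = Net::SSLeay::BIO_new_file($file, 'r') or die "cannot open $file\n";
    my $x509 = Net::SSLeay::PEM_read_bio_X509($bio)   or die "no certificate in $file\n";
    Net::SSLeay::BIO_free($bio);
    my $attrs = cert_attrs($x509);
    Net::SSLeay::X509_free($x509);
    return $attrs;
}

# Copy the extracted values onto the request as RADIUS attributes so a
# later AuthBy clause can reference them.
# ASSUMPTION: $p is a Radius::Radius request object with add_attr(), and
# the X-Cert-* attribute names are defined in the configured dictionary.
sub stash_cert_attrs {
    my ($p, $attrs) = @_;
    $p->add_attr('X-Cert-Issuer',  $attrs->{issuer});
    $p->add_attr('X-Cert-Subject', $attrs->{subject});
    $p->add_attr('X-Cert-Policy',  join(',', @{ $attrs->{policies} }));
    return scalar @{ $attrs->{policies} };
}

# Hook body as it might be placed in the <AuthBy ...> handling EAP-TLS.
# ASSUMPTION: EAPTLS_CertificateVerifyHook is called with (matched CN,
# X509_STORE_CTX, request), each passed as a reference, hence ${$_[n]};
# and returning 1 accepts the certificate. Verify against your release.
sub eaptls_certificate_verify_hook {
    my $store_ctx = ${$_[1]};
    my $p         = ${$_[2]};
    my $x509 = Net::SSLeay::X509_STORE_CTX_get_current_cert($store_ctx);
    stash_cert_attrs($p, cert_attrs($x509));
    return 1;
}

# Stand-alone usage: perl extract_cert_attrs.pl client.pem
if (@ARGV) {
    my $attrs = cert_attrs_from_pem_file($ARGV[0]);
    print "issuer:   $attrs->{issuer}\n";
    print "subject:  $attrs->{subject}\n";
    print "policies: @{ $attrs->{policies} }\n";
}
```

Run stand-alone against one of the customer's client certificates (`perl extract_cert_attrs.pl client.pem`) to confirm the issuer string and policy OIDs come out in the form the stored procedure expects before wiring `eaptls_certificate_verify_hook` into the configuration; the attributes added there are visible to the SQLauthorize clause because the hook fires during the TLS handshake, ahead of the AuthBy chain, rather than after it as PostAuthHook does.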