[RADIATOR] EAP TLS checks
Heikki Vatiainen
hvn at open.com.au
Mon Jul 19 07:42:12 UTC 2021
On 15.7.2021 15.50, Markus Moeller wrote:
> I am working on 802.1x device authentication using machine
> certificates and see messages that the username does not match the CN.
>
> Which RFC defines the passing of the hostname into the RADIUS
> username field, and where is it defined that the RADIUS username must match
> the CN (with or without the host/ prefix)?
I think RADIUS User-Name contents are copied from EAP Response/Identity
by the Authenticator, such as WLAN controller. This happens when the
Authenticator creates a RADIUS request. There's a brief mention of this
in IEEE 802.1X section D.3.1. I don't think any RFC says anything
about this. When a Windows host does machine authentication, the
'host/' prefix is added by the Windows Supplicant (EAP-TLS client implementation).
Matching User-Name or EAP identity seems to come from the first EAP-TLS
RFC. The matching covers both Subject CN and subjectAltNames, therefore
if you see a log message about 'certificate subject' not matching 'user
name', it means that it did not match the Subject CN or any of the
subjectAltNames that have the type otherName or email.
Because 'host/' prefix is a kind of decoration that's not part of the
identity, it's dropped before a match is attempted.
The current EAP-TLS RFC, and the upcoming RFC for EAP-TLS with TLSv1.3
that updates the current RFC, do not require this.
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
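The matching rule Heikki describes, as an added example that is not part of the original post and not Radiator's own code: drop the 'host/' decoration from the EAP identity, then look for the remaining name in the Subject CN, the subjectAltName otherName values and the subjectAltName email values. The names are assumed to have already been pulled out of the certificate with whatever X.509 library is in use; the case-insensitive comparison and the field names (CertNames, identity_matches_cert) are assumptions for illustration, not Radiator behaviour.

```python
"""Check an EAP-TLS identity against certificate names (added example).

The certificate fields are passed in already extracted; extracting them from
a real certificate is left to the X.509 library in use.
"""

from dataclasses import dataclass, field
from typing import List, Optional

# Windows machine authentication decorates the identity as 'host/<name>'.
HOST_PREFIX = "host/"


@dataclass
class CertNames:
    """Names from one client certificate (hypothetical container)."""
    subject_cn: Optional[str]
    san_othernames: List[str] = field(default_factory=list)  # e.g. UPN otherName
    san_emails: List[str] = field(default_factory=list)      # rfc822Name entries


def strip_host_prefix(identity: str) -> str:
    """Remove the 'host/' decoration; it is not part of the identity."""
    if identity.startswith(HOST_PREFIX):
        return identity[len(HOST_PREFIX):]
    return identity


def identity_matches_cert(identity: str, names: CertNames) -> Optional[str]:
    """Return the certificate field the identity matched, or None.

    Comparison is case-insensitive here (an assumption of this example;
    a stricter server could compare byte-for-byte).
    """
    wanted = strip_host_prefix(identity).lower()
    if names.subject_cn is not None and names.subject_cn.lower() == wanted:
        return "subject CN"
    for name in names.san_othernames:
        if name.lower() == wanted:
            return "SAN otherName"
    for name in names.san_emails:
        if name.lower() == wanted:
            return "SAN email"
    return None


def describe(identity: str, names: CertNames) -> str:
    """Produce a log-style line for a match or a mismatch."""
    matched = identity_matches_cert(identity, names)
    if matched is None:
        return "certificate subject does not match user name %r" % identity
    return "user name %r matched %s" % (identity, matched)


if __name__ == "__main__":
    # Constructed sample certificates, not real data.
    machine_cert = CertNames(subject_cn="pc01.example.com",
                             san_othernames=["pc01$@example.com"])
    short_cn_cert = CertNames(subject_cn="pc01",
                              san_othernames=["pc01$@example.com"])
    user_cert = CertNames(subject_cn="Alice Example",
                          san_emails=["alice@example.com"])

    print(describe("host/pc01.example.com", machine_cert))  # matches subject CN
    print(describe("host/pc01.example.com", short_cn_cert))  # the log message case
    print(describe("alice@example.com", user_cert))          # matches SAN email
```

The second constructed case is the situation from the question: the supplicant sends the fully qualified host name, but the certificate carries only the short name in its CN and a UPN in the otherName, so neither field matches and the server reports the subject/user-name mismatch.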