Add verify_tls_client_common_name policy
authorAlan T. DeKok <aland@freeradius.org>
Mon, 22 Mar 2021 19:34:00 +0000 (15:34 -0400)
committerAlan T. DeKok <aland@freeradius.org>
Mon, 22 Mar 2021 19:57:32 +0000 (15:57 -0400)
raddb/policy.d/eap
raddb/sites-available/default

index 0718eab511759648d7b326a0c3f15c42fd73673f..f1abfbc6829735c930b340d7a1e57015e1d4a318 100644 (file)
@@ -83,3 +83,8 @@ remove_reply_message_if_eap {
        }
 }
 
+verify_tls_client_common_name {
+       if (&TLS-Client-Cert-Common-Name && (&TLS-Client-Cert-Common-Name != &User-Name)) {
+               reject
+       }
+}
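Review bot: The new policy rejects on any difference between the two strings, so a User-Name carrying a realm suffix (`bob@example.com`) is rejected against a certificate CN of `bob` even though both name the same principal, and the unlang string comparison is presumably case-sensitive so `Bob` vs `bob` fails as well; sites that strip realms with the `suffix` module would want the comparison done against the stripped form, something like `if (&TLS-Client-Cert-Common-Name && ("%{TLS-Client-Cert-Common-Name}" != "%{%{Stripped-User-Name}:-%{User-Name}}"))`, to be confirmed against the v3 unlang semantics in use. When TLS-Client-Cert-Common-Name is absent (no client certificate, or an identity carried only in a SAN) the block is silently a no-op, which is a reasonable default for a shared post-auth section but is not stated anywhere. Every other policy in this file carries a header comment and this one has none; I would add above it: `#  Reject when an EAP-TLS client certificate was presented and its CN does not exactly match User-Name (realm suffixes and case differences count as a mismatch). No-op when no client certificate attributes exist.`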
index 8a758e692ba44534dbe6b7051362cd10f0546148..6d0318a9b9f4724fb8bb900792ba970c82b0de10 100644 (file)
@@ -872,6 +872,14 @@ post-auth {
        #  Remove reply message if the response contains an EAP-Message
        remove_reply_message_if_eap
 
+       #
+       #  Reject packets where User-Name != TLS-Client-Cert-Common-Name
+       #  There is no reason for users to lie about their names.
+       #
+       #  In general, User-Name == EAP Identity == TLS-Client-Cert-Common-Name
+       #
+#      verify_tls_client_common_name
+
        #
        #  Access-Reject packets are sent through the REJECT sub-section of the
        #  post-auth section.
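Review bot: The enabling comment overstates what the policy guarantees: because verify_tls_client_common_name only acts when TLS-Client-Cert-Common-Name exists, uncommenting it constrains EAP-TLS (client-certificate) sessions only and leaves PAP, PEAP and TTLS authentications untouched, and the stated equality `User-Name == EAP Identity == TLS-Client-Cert-Common-Name` presumably breaks as soon as realms (`user@realm`) are in play, since the certificate CN normally has no realm. An administrator reading only this block could enable it expecting a global identity check. I would replace the two explanatory lines with `#  Only applies when a TLS client certificate was presented (EAP-TLS); other methods pass through unchanged.` and `#  The comparison is exact, so realm suffixes or case differences in User-Name will cause a reject.` The post-auth section this hunk sits in begins and ends outside the hunk.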