}
verify_tls_client_common_name {
- if (&TLS-Client-Cert-Common-Name && (&TLS-Client-Cert-Common-Name != &User-Name)) {
+ #
+ # If the User-Name is anonymized, then don't check it.
+ #
+ # But if User-Name is realm AND there's a certificate name, then check
+ # if they match. This is not always the case, but it is the case
+ # often enough that it matters.
+ #
+ if ((&User-Name !~ /^@/) && &TLS-Client-Cert-Common-Name && (&TLS-Client-Cert-Common-Name != &User-Name)) {
reject
}
}
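Review bot: The new `(&User-Name !~ /^@/)` guard keys the exemption on User-Name, which the client supplies, so any peer holding a valid certificate skips the common-name comparison by sending an identity that begins with `@`. The policy therefore no longer binds User-Name to the certificate for those sessions, and the added comment should say so, for example `# NOTE: a User-Name starting with "@" is not tied to the certificate; authorize and log on the TLS-Client-Cert-* attributes instead.` The sentence "But if User-Name is realm AND there's a certificate name" also reads as the opposite of what the condition tests. Something like `# If User-Name is more than a bare realm AND there is a certificate name, check that they match.` would fit the code.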
# update reply {
# State := "0x%{randstr:16h}"
# }
+# }
+
+ #
+ # Reject packets where User-Name != TLS-Client-Cert-Common-Name
+ # There is no reason for users to lie about their names.
+ #
+ # In general, User-Name == EAP Identity == TLS-Client-Cert-Common-Name
+ #
+# verify_tls_client_common_name
+
+ #
+ # If there is no Stripped-User-Name in the request, AND we have a client cert,
+ # then create a Stripped-User-Name from the TLS client certificate information.
+ #
+ # Note that this policy MUST be edited for your local system!
+ # We do not know which fields exist in which certificate, as
+ # there is no standard here. There is no way for us to have
+ # a default configuration which "just works" everywhere. We
+ # can only make recommendations.
+ #
+ # The Stripped-User-Name is updated so that it is logged in
+ # the various "username" fields. This logging means that you
+ # can associate a particular session with a particular client
+ # certificate.
+ #
+# if (&EAP-Message && !&Stripped-User-Name && &TLS-Client-Cert-Serial) {
+# update request {
+# &Stripped-User-Name := "%{%{TLS-Client-Cert-Subject-Alt-Name-Email}:-%{%{TLS-Client-Cert-Common-Name}:-%{TLS-Client-Cert-Serial}}}"
+# }
+#
+ #
+ # Create a Class attribute which is a hash of a bunch
+ # of information which we hope exists. This
+ # attribute should be echoed back in
+ # Accounting-Request packets, which will let the
+ # administrator correlate authentication and
+ # accounting.
+ #
+# update reply {
+# Class += "%{md5:%{Calling-Station-Id}%{Called-Station-Id}%{TLS-Client-Cert-Subject-Alt-Name-Email}%{TLS-Client-Cert-Common-Name}%{TLS-Client-Cert-Serial}%{NAS-IPv6-Address}%{NAS-IP-Address}%{NAS-Identifier}%{NAS-Port}"
+ }
+#
# }
#
# Remove reply message if the response contains an EAP-Message
remove_reply_message_if_eap
- #
- # Reject packets where User-Name != TLS-Client-Cert-Common-Name
- # There is no reason for users to lie about their names.
- #
- # In general, User-Name == EAP Identity == TLS-Client-Cert-Common-Name
- #
-# verify_tls_client_common_name
-
#
# Access-Reject packets are sent through the REJECT sub-section of the
# post-auth section.
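Review bot: In the added commented-out `update reply` example, the `Class +=` string opens `%{md5:` but never closes it, so the line will fail to parse as soon as an administrator uncomments it; it should end `%{NAS-Port}}"`. The line after it is shown as a bare `}` with no leading `#`, unlike every other line of the example. If that is not an artifact of how the page was rendered, it is an active closing brace in the live configuration and should read `# }`. The comment above the example could also state that this Class value is only a correlation token built from values the NAS already knows, not something to treat as unguessable.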