From: Alan T. DeKok
Date: Mon, 22 Mar 2021 19:34:00 +0000 (-0400)
Subject: Add verify_tls_client_common_name policy
X-Git-Tag: release_3_0_22~148
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=258d92abcf3f3e09a3df6e4314dce810a255f478;p=thirdparty%2Ffreeradius-server.git
Add verify_tls_client_common_name policy
---
diff --git a/raddb/policy.d/eap b/raddb/policy.d/eap
index 0718eab511..f1abfbc682 100644
--- a/raddb/policy.d/eap
+++ b/raddb/policy.d/eap
@@ -83,3 +83,8 @@ remove_reply_message_if_eap {
 }
 }
+verify_tls_client_common_name {
+ if (&TLS-Client-Cert-Common-Name && (&TLS-Client-Cert-Common-Name != &User-Name)) {
+ reject
+ }
+}
diff --git a/raddb/sites-available/default b/raddb/sites-available/default
index 8a758e692b..6d0318a9b9 100644
--- a/raddb/sites-available/default
+++ b/raddb/sites-available/default
@@ -872,6 +872,14 @@ post-auth {
 # Remove reply message if the response contains an EAP-Message
 remove_reply_message_if_eap
+ #
+ # Reject packets where User-Name != TLS-Client-Cert-Common-Name
+ # There is no reason for users to lie about their names.
+ #
+ # In general, User-Name == EAP Identity == TLS-Client-Cert-Common-Name
+ #
+# verify_tls_client_common_name
+
 #
 # Access-Reject packets are sent through the REJECT sub-section of the
 # post-auth section.
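Review bot: The guard on the `if` line of verify_tls_client_common_name skips the check whenever TLS-Client-Cert-Common-Name is absent, which covers both "no client certificate was presented" and "a client certificate was presented whose subject has no CN", so a certificate identified only by a subjectAltName is never bound to User-Name. If the intent is to bind every presented certificate, the policy should test for certificate presence separately (for example via a subject attribute such as `TLS-Client-Cert-Subject`, rejecting when it is set but the CN is not) or the header comment should state the limitation. The other policies in this file carry a header comment and this one has none; something like `# Reject when a client certificate was presented and its CN differs from the outer User-Name; skipped when no CN is available.` would do. The comment should also say that the comparison is against the outer User-Name, so sites whose supplicants send an anonymous outer identity cannot enable it without rejecting legitimate users.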
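Review bot: The added comment `# In general, User-Name == EAP Identity == TLS-Client-Cert-Common-Name` does not hold for deployments that use an anonymous outer identity (e.g. `anonymous@realm`) or a realm-stripped User-Name while the certificate CN carries the full identity, and an administrator who uncomments `verify_tls_client_common_name` on that basis will reject valid users. I would add one line to the block, e.g. `# Do not enable this if supplicants send an anonymous or realm-stripped outer identity, as the outer User-Name will not match the certificate CN.` The enclosing post-auth section starts and ends outside this hunk.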