From: Alan T. DeKok
Date: Thu, 1 Apr 2021 21:22:44 +0000 (-0400)
Subject: more documentation for EAP-TLS
X-Git-Tag: release_3_0_22~129
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8f85e9a8d354f94e1007d21058a85983d81a07ce;p=thirdparty%2Ffreeradius-server.git

more documentation for EAP-TLS
---
diff --git a/raddb/policy.d/eap b/raddb/policy.d/eap
index f1abfbc682..17cf87331c 100644
--- a/raddb/policy.d/eap
+++ b/raddb/policy.d/eap
@@ -84,7 +84,14 @@ remove_reply_message_if_eap {
 }
 
 verify_tls_client_common_name {
- if (&TLS-Client-Cert-Common-Name && (&TLS-Client-Cert-Common-Name != &User-Name)) {
+ #
+ # If the User-Name is anonymized, then don't check it.
+ #
+ # But if User-Name is realm AND there's a certificate name, then check
+ # if they match. This is not always the case, but it is the case
+ # often enough that it matters.
+ #
+ if ((&User-Name !~ /^@/) && &TLS-Client-Cert-Common-Name && (&TLS-Client-Cert-Common-Name != &User-Name)) {
 reject
 }
 }
diff --git a/raddb/sites-available/default b/raddb/sites-available/default
index 6d0318a9b9..868772ae8c 100644
--- a/raddb/sites-available/default
+++ b/raddb/sites-available/default
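Review bot: The new comment contradicts the condition it documents: it says the check runs "if User-Name is realm", while the added `&User-Name !~ /^@/` guard runs the comparison only when User-Name does not start with `@`, i.e. is not a bare realm. Suggest `#  But if User-Name is not just a realm AND there's a certificate name, then check`. The same comment should state that the exemption is deliberate and what it costs: a supplicant whose outer identity is a bare `@realm` is no longer subject to the Common-Name comparison at all, so this policy only protects non-anonymized outer identities. The pattern also does not treat other anonymization conventions (such as an `anonymous@realm` form, if a site uses one) as anonymized, which is worth mentioning so operators know to adjust the regex locally.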
@@ -723,6 +723,48 @@ post-auth { # update reply { # State := "0x%{randstr:16h}" # } +# } + + # + # Reject packets where User-Name != TLS-Client-Cert-Common-Name + # There is no reason for users to lie about their names. + # + # In general, User-Name == EAP Identity == TLS-Client-Cert-Common-Name + # +# verify_tls_client_common_name + + # + # If there is no Stripped-User-Name in the request, AND we have a client cert, + # then create a Stripped-User-Name from the TLS client certificate information. + # + # Note that this policy MUST be edited for your local system! + # We do not know which fields exist in which certificate, as + # there is no standard here. There is no way for us to have + # a default configuration which "just works" everywhere. We + # can only make recommendations. + # + # The Stripped-User-Name is updated so that it is logged in + # the various "username" fields. This logging means that you + # can associate a particular session with a particular client + # certificate. + # +# if (&EAP-Message && !&Stripped-User-Name && &TLS-Client-Cert-Serial) { +# update request { +# &Stripped-User-Name := "%{%{TLS-Client-Cert-Subject-Alt-Name-Email}:-%{%{TLS-Client-Cert-Common-Name}:-%{TLS-Client-Cert-Serial}}}" +# } +# + # + # Create a Class attribute which is a hash of a bunch + # of information which we hope exists. This + # attribute should be echoed back in + # Accounting-Request packets, which will let the + # administrator correlate authentication and + # accounting. + # +# update reply { +# Class += "%{md5:%{Calling-Station-Id}%{Called-Station-Id}%{TLS-Client-Cert-Subject-Alt-Name-Email}%{TLS-Client-Cert-Common-Name}%{TLS-Client-Cert-Serial}%{NAS-IPv6-Address}%{NAS-IP-Address}%{NAS-Identifier}%{NAS-Port}" + } +# # } # 
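Review bot: The closing brace of the example `update reply {` block near the end of the hunk appears to be the only line of the example without a leading `#` (`+ }` between the surrounding `+#` lines); as shipped it is live configuration inside the post-auth section rather than a comment, and an unmatched `}` would break parsing of the default virtual server. It should read `# }` like the rest of the example. The relocated comment above `verify_tls_client_common_name` still says "There is no reason for users to lie about their names", which no longer fully describes the policy now that raddb/policy.d/eap in this same commit exempts User-Names beginning with `@`; a one-line pointer to that exemption would keep the two files consistent. The enclosing post-auth section starts and ends outside the hunk.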
@@ -872,14 +914,6 @@ post-auth {
 # Remove reply message if the response contains an EAP-Message
 remove_reply_message_if_eap
 
- #
- # Reject packets where User-Name != TLS-Client-Cert-Common-Name
- # There is no reason for users to lie about their names.
- #
- # In general, User-Name == EAP Identity == TLS-Client-Cert-Common-Name
- #
-# verify_tls_client_common_name
-
 #
 # Access-Reject packets are sent through the REJECT sub-section of the
 # post-auth section.