Discussion:
Migration -> FR3 + CiscoAPs + Multiple SSID+ EAP-TLS +Multiple Certs
Ted Hyde (RSI)
2018-11-30 17:39:04 UTC
authorize {
...
eap
...
}
authenticate {
...
eap
...
}
post-auth {
...
if (MAC_LIMITED-SSID && EAP-CERT-01)
{
look up MAC
if !known MAC reject
if blocked MAC reject
}
...
}
Which is pretty simple. That assumes that both client certs are issued by the same CA.
Yes, the CA is under my control (self-signed), so no expected challenge there.
Alan DeKok.
That said, how does the pseudo code get translated into unlang? I think I understand that a partial of %{request:Cisco-AVPair[0]} would provide the SSID (based upon looking at the freeradius -X trace where it scrolls by first), but I am unsure about testing for the [certificate name?]. (I got the above from 'man unlang'; hopefully an appropriate reference.) I expect "real" data is now necessary to continue forward?

Thanks,
Ted.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list
Adam Bishop
2018-11-30 19:40:46 UTC
> That said, how does the pseudo code get translated into unlang? I think I understand that a partial of %{request:Cisco-AVPair[0]} would provide the SSID (based upon looking at the freeradius -X trace where it scrolls by first), but I am unsure about testing for the [certificate name?]. (I got the above from 'man unlang'; hopefully an appropriate reference.) I expect "real" data is now necessary to continue forward?
For client certs, the EAP module extracts the certificate into attributes you can test. There are some examples in the check-eap-tls virtual server:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-available/check-eap-tls

If you're talking about the CN of the server cert, take a look at the check_cert_issuer option:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/eap#L300

Simplest way to get the SSID and client MAC is to look at the called/calling station id - the SSID is appended to the NAS' MAC in the Called-Station-ID, and the client MAC address should be in the Calling-Station-Id.

Adam Bishop
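Added example, not code from this thread or from the FreeRADIUS project: one way to turn Alan's pseudocode into 3.0.x unlang using the pieces Adam names (the Called/Calling-Station-Id values and the TLS-Client-Cert-* attributes), written to answer Ted's question above. Assumptions, all mine: the rlm_files instance name authorized_macs and its file path; the SSID name "MAC-LIMITED-SSID"; that the two client certificate profiles differ in an OU of the subject ("OU=EAP-CERT-01"), since they share an issuer; the Tmp-String-1 marker values "allow" and "block"; that the shipped rewrite_calling_station_id / rewrite_called_station_id policies (policy.d/canonicalization, which set Called-Station-SSID) are present in the raddb; and that the client-certificate attributes are in the request list by the time post-auth runs, which a freeradius -X trace will confirm. The MAC entries are constructed sample data.

```unlang
#  (1) mods-available/authorized_macs -- assumed instance name and file name;
#      enable it with a symlink in mods-enabled/.  A second rlm_files instance
#      keyed on the client MAC instead of on User-Name.
files authorized_macs {
	key = "%{Calling-Station-Id}"
	usersfile = ${modconfdir}/files/authorized_macs
}

#  (2) mods-config/files/authorized_macs -- constructed sample entries.  The key
#      is matched against Calling-Station-Id after rewrite_calling_station_id has
#      normalised it to upper-case, dash-separated form.  The ":=" check item on
#      each first line is copied into the control list, which post-auth tests.
00-11-22-33-44-55	Tmp-String-1 := "allow"
00-11-22-33-44-66	Tmp-String-1 := "allow"
DE-AD-BE-EF-00-01	Tmp-String-1 := "block"

#  (3) sites-available/default -- only the lines added to the stock sections are
#      shown; keep the rest of each section as shipped.
authorize {
	#  Shipped policies from policy.d/canonicalization: normalise both MACs and
	#  split "<AP-MAC>:<SSID>" into Called-Station-Id plus Called-Station-SSID.
	rewrite_calling_station_id
	rewrite_called_station_id

	#  The MAC lookup runs on every EAP round; it is cheap, and the control item
	#  it sets is present in the final Access-Request, where post-auth reads it.
	authorized_macs

	eap
}

authenticate {
	eap
}

post-auth {
	#  Gate only the MAC-limited SSID combined with the first certificate
	#  profile.  "OU=EAP-CERT-01" is an assumed subject component: both client
	#  certificate types come from the same CA, so the issuer cannot tell them
	#  apart and the subject (or a serial range, or a SAN) has to.
	if ((&Called-Station-SSID == "MAC-LIMITED-SSID") && (&TLS-Client-Cert-Subject =~ /OU=EAP-CERT-01/)) {
		#  look up MAC: no control item means no entry matched, i.e. unknown MAC
		if (!&control:Tmp-String-1) {
			update reply {
				&Reply-Message := "unknown device %{Calling-Station-Id}"
			}
			reject
		}

		#  blocked MAC
		if (&control:Tmp-String-1 == "block") {
			update reply {
				&Reply-Message := "blocked device %{Calling-Station-Id}"
			}
			reject
		}
	}
}
```

Two things worth keeping in mind when deploying something like this. First, the same SSID-plus-certificate test can be moved into the check-eap-tls virtual server that Adam links (enabled with virtual_server in the tls section of mods-available/eap); there a reject fails the TLS handshake itself rather than producing an Access-Reject after a completed authentication, which is the tighter place to stop an unwanted device. Second, Called-Station-Id and Calling-Station-Id are supplied by the controller, not by the client, so this gate is exactly as trustworthy as the WLC and its RADIUS shared secret; the MAC allow-list is an extra restriction on top of the certificate, not a substitute for it.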