Migration -> FR3 + CiscoAPs + Multiple SSID+ EAP-TLS +Multiple Certs


Migration -> FR3 + CiscoAPs + Multiple SSID+ EAP-TLS +Multiple Certs

thyde_rsi
>    Sure.  What you're looking for then, is more this:
>
> authorize {
> ...
> eap
> ...
> }
>
> authenticate {
> ...
> eap
> ...
> }
>
> post-auth {
> ...
>    if (MAC_LIMITED-SSID && EAP-CERT-01)
>      {
>          look up MAC
>          if !known MAC reject
>          if blocked MAC reject
>      }
> ...
> }
>
>
>    Which is pretty simple.  That assumes that both client certs are issued by the same CA.
Yes, the CA is under my control, (self signed) so no expected challenge
there.
>    Alan DeKok.
>
That said, how does the pseudo code get translated into unlang? I think
I understand a partial of %{request:Cisco-AVPair[0]} would provide the
SSID (based upon looking at the freeradius -X trace where it scrolls by
first) but I am unsure about testing for the [certificate name?]. (I got
the above from 'man unlang'; hopefully an appropriate reference.) I
expect "real" data is now necessary to continue forward?

Thanks,
Ted.




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Migration -> FR3 + CiscoAPs + Multiple SSID+ EAP-TLS +Multiple Certs

Adam Bishop-2
On 30 Nov 2018, at 17:39, Ted Hyde (RSI) <[hidden email]> wrote:
> That said, how does the pseudo code get translated into unlang? I think I understand a partial of %{request:Cisco-AVPair[0]} would provide the SSID (based upon looking at the freeradius -X trace where it scrolls by first) but I am unsure about testing for the [certificate name?]. (I got the above from 'man unlang'; hopefully an appropriate reference.) I expect "real" data is now necessary to continue forward?

For client certs, the EAP module extracts the certificate into attributes you can test. There are some examples in the check-eap-tls virtual server:
  https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/sites-available/check-eap-tls

If you're talking about the CN of server cert, take a look at the check_cert_issuer option:
  https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/eap#L300

Simplest way to get the SSID and client MAC is to look at the called/calling station id - the SSID is appended to the NAS' MAC in the Called-Station-ID, and the client MAC address should be in the Calling-Station-Id.

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.  


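An unlang rendering of Alan's pseudocode using the attributes Adam points to, added here as an illustration; it is not from the thread or from the FreeRADIUS distribution. It assumes FreeRADIUS 3.0.x, that the TLS-Client-Cert-* attributes are still in the request list when post-auth runs (confirm in `radiusd -X` output; otherwise do the certificate test in the check-eap-tls virtual server instead), and placeholder SSID, CN and MAC values; the two `files` instances, their file paths and the Tmp-String-0 capture are this example's own choices.

```unlang
# --- mods-available/mac_lists (new file; symlink into mods-enabled/) ---
# Two rlm_files instances keyed on the client MAC instead of User-Name.
# auth_usersfile is the list rlm_files consults when called from post-auth.
files known_macs {
	key = "%{tolower:%{Calling-Station-Id}}"
	auth_usersfile = ${confdir}/mac_known     # one normalised MAC per line
}
files blocked_macs {
	key = "%{tolower:%{Calling-Station-Id}}"
	auth_usersfile = ${confdir}/mac_blocked
}

# --- raddb/mac_known (constructed sample, users-file syntax) ---
# 00-11-22-33-44-55
# 00-11-22-33-44-66
# --- raddb/mac_blocked (constructed sample) ---
# 00-11-22-33-44-66

# --- sites-enabled/default, post-auth section ---
post-auth {
	# Cisco APs send Called-Station-Id as "<AP-MAC>:<SSID>" (RFC 3580 style);
	# capture the SSID part into a temporary attribute.
	if (&Called-Station-Id =~ /^[0-9a-fA-F]{2}(-[0-9a-fA-F]{2}){5}:(.+)$/) {
		update request {
			&Tmp-String-0 := "%{2}"
		}
	}

	# Only the MAC-limited SSID together with the first client-cert profile
	# is subject to the MAC check (SSID and CN values are placeholders).
	if ((&Tmp-String-0 == "MAC-LIMITED-SSID") && (&TLS-Client-Cert-Common-Name == "eap-cert-01")) {
		blocked_macs
		if (ok) {
			update request {
				&Module-Failure-Message := "Blocked MAC %{Calling-Station-Id}"
			}
			reject
		}
		known_macs
		if (!ok) {
			update request {
				&Module-Failure-Message := "Unknown MAC %{Calling-Station-Id}"
			}
			reject
		}
	}
	# ... remainder of the stock post-auth section ...
}
```

Because the lookup happens in post-auth, a reject here lands in Post-Auth-Type REJECT and shows up in the -X trace with the Module-Failure-Message above, which makes the known/blocked distinction visible in the logs.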