[strongSwan] StrongSwan eap-radius with EAP-TLS, ASN.1 Radius-Username

Stefan Hartmann stefanh at hafenthal.de
Thu Mar 5 10:58:25 CET 2020


UPDATE:

I tried with the expr plugin to sanitize and mangle the User-Name sent 
from the StrongSwan plugin eap-radius with EAP-TLS.

e.g.
	...
	update request {
		&Tmp-String-8 := "%{escape:%{&User-Name}}"
		&User-Name := &Tmp-String-8
	}


but this leads to a sensible eap error in freeradius:
	(1) eap: Identity does not match User-Name, setting from EAP Identity
	(1) eap: Failed in handler
	(1)     [eap] = invalid


Therefore, if you want to handle this raw parsed ASN.1 username from the 
strongswan plugin eap-radius, you need far more effort.

Because of time constraints I will run with the hack disabling the
whitespace and suffix checks.

But I have to replace many Cisco ASAs with open source, therefore it 
would be nice if the strongswan developers could think about suitable 
configuration options in eap-radius.conf.

E.g. in Cisco ASA, in the tunnel-group you can select how the username 
sent to the AAA server is generated from the user certificate:
	 username-from-certificate CN|OU|use-entire-name|use-script ..


-- 
stefanh
Ingenieurbuero fuer IT/EDV und Netzwerktechnik - Stefan Hartmann
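To make concrete what a readable User-Name derived from the raw ASN.1 subject would look like, here is an added Python example (not code from this post, strongSwan or FreeRADIUS). It assumes the User-Name octets carry the DER-encoded certificate subject and uses a constructed sample DN; octets that do not parse as a DER Name are returned as hex, the way FreeRADIUS debug output prints non-printable strings.

```python
# Added example, not from the post, strongSwan or FreeRADIUS: assumes User-Name holds the DER subject DN.
OID_NAMES = {  # common X.500 attribute types (RFC 4519)
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "E",
}
def _read_tlv(buf, pos):  # -> (tag, value, next_pos) for the DER TLV starting at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def _attr_type(raw):  # DER OBJECT IDENTIFIER value -> short name (CN, O, ...) or dotted form
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 octet of this arc
            arcs.append(str(value))
            value = 0
    dotted = ".".join(arcs)
    return OID_NAMES.get(dotted, dotted)

def dn_from_der(der):
    """Render a DER X.501 Name (SEQUENCE OF SET OF SEQUENCE {OID, value}) as 'C=.., O=.., CN=..'."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(body):
        set_tag, rdn, pos = _read_tlv(body, pos)  # RelativeDistinguishedName
        if set_tag != 0x31:
            raise ValueError("RDN must be a SET")
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)  # AttributeTypeAndValue
            _, oid, vpos = _read_tlv(atv, 0)
            vtag, val, _ = _read_tlv(atv, vpos)
            text = val.decode("utf-16-be" if vtag == 0x1E else "utf-8")  # BMPString, else UTF8/Printable/IA5
            parts.append(f"{_attr_type(oid)}={text}")
    return ", ".join(parts)

def user_name_from_octets(octets):  # decoded DN if the octets are a DER Name, else hex as FreeRADIUS debug prints it
    try:
        return dn_from_der(octets)
    except (ValueError, IndexError, UnicodeDecodeError):
        return "0x" + octets.hex()
SAMPLE_DN_DER = bytes.fromhex(  # constructed sample, not from a real certificate: C=DE, O=Example GmbH, CN=alice
    "3034310b3009060355040613024445" "31153013060355040a0c0c4578616d706c6520476d6248" "310e300c06035504030c05616c696365")
```

Calling `user_name_from_octets(SAMPLE_DN_DER)` yields `C=DE, O=Example GmbH, CN=alice`; such a decoded string is what a policy would place in a separate attribute, since the post shows that rewriting User-Name itself breaks the eap module's identity check.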


On 03.03.20 21:04, Stefan Hartmann wrote:
> Hi,
> 
> thank you for your thoughts.
> 
> Yes this is a workaround, I created policy.d/strongswan with 
> filter_username_custom in it.
> 
> But it would be nice to have a readable and sanitized subject DN as 
> User-Name attribute.
> 
> And what about proxying the request to another home-server with an ASN.1 
> raw hex User-Name?
> 
> Eventually I will test EAP-TLS with Cisco IOS or ASA and look at how they 
> mangle the username.
> 
> 

