1 # This virtual server allows EAP-TLS to reject access requests
2 # based on some attributes of the certificates involved.
4 # To use this virtual server, you must enable it in the tls
5 # section of mods-enabled/eap as well as adding a link to this
6 # file in sites-enabled/.
9 # Value-pairs that are available for checking include:
11 # TLS-Client-Cert-Subject
12 # TLS-Client-Cert-Issuer
13 # TLS-Client-Cert-Common-Name
14 # TLS-Client-Cert-Subject-Alt-Name-Email
16 # To see a full list of attributes, run the server in debug mode
17 # with this virtual server configured, and look at the attributes
18 # passed in to this virtual server.
21 # This virtual server is also useful when using EAP-TLS as it is
22 # only called once, just before the final Accept is about to be
23 # returned from eap, whereas the outer authorize section is called
24 # multiple times for each challenge / response. For this reason,
25 # this may be a good location to put authentication logging, and
26 # modules that check for further authorization, especially if they
27 # hit external services such as sql or ldap.
30 server check-eap-tls {
33 # Authorize - this is the only section required.
35 # To accept the access request, set Auth-Type = Accept, otherwise
41 # By default, this virtual server just accepts the request (the certificates have already been verified by EAP-TLS by the time this section runs):
49 # Check that the client certificate's common name matches a string, and reject otherwise
52 # if ("%{TLS-Client-Cert-Common-Name}" == 'client.example.com') {
54 # &Auth-Type := Accept
59 # &Auth-Type := Reject
62 # &Reply-Message := "Your certificate is not valid."
68 # Check the client certificate common name against the supplied User-Name
70 # if (&User-Name == "host/%{TLS-Client-Cert-Common-Name}") {
72 # &Auth-Type := Accept
77 # &Auth-Type := Reject
83 # This is a convenient place to call LDAP, for example, when using
84 # EAP-TLS, as it will only be called once, after all certificates presented as
85 # part of the EAP-TLS challenge process have been verified.
87 # An example could be to use LDAP to check that the connecting host, as
88 # well as presenting a valid certificate, is also in a group based on
89 # the User-Name (assuming this contains the service principal name).
90 # Settings such as the following could be used in the ldap module
93 # basedn = "dc=example, dc=com"
94 # filter = "(servicePrincipalName=%{User-Name})"
95 # base_filter = "(objectClass=computer)"
96 # groupname_attribute = cn
97 # groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
101 # Now let's test membership of an LDAP group (the ldap bind user will
102 # need permission to read this group membership):
104 # if (!(Ldap-Group == "Permitted-Laptops")) {
106 # &Auth-Type := Reject
110 # or, to be more specific, you could use the group's full DN:
111 # if (!(Ldap-Group == "CN=Permitted-Laptops,OU=Groups,DC=example,DC=org")) {
115 # This may be a better place to call the files module when using
116 # EAP-TLS, as it will only be called once, after the challenge-response
117 # iteration has completed.
124 # Log all request attributes, plus TLS certificate details, to the
125 # auth_log file. Again, this happens just once per connection request, so
126 # it may be preferable to logging in the outer authorize section. It is
127 # suggested that 'auth_log' also be in the outer post-auth and
128 # Post-Auth REJECT sections to log reply packet details, too.