Bug #11054

Check Client Certificate CN not working as described
Description
Page: Services / FreeRADIUS
Tab: EAP
Section: EAP-TLS
Option: Check Client Certificate CN
Actual result when enabled:
A user attempting TLS authentication with a certificate signed by the configured CA, and with a common name matching the user-provided identity, passes authentication even if that common name/identity is not a valid user configured under FreeRADIUS / Users. This option only seems to ensure the common name of the client certificate matches the user-provided identity.
Expected result when enabled:
A user attempting TLS authentication does not pass authentication unless the client certificate's common name is equal to the user-provided identity AND is a configured user under FreeRADIUS / Users, as alluded to by the description.
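An audit for the behaviour described above, as an added example that is not part of the ticket or of the pfSense package: it scans FreeRADIUS debug output for requests that ended in Access-Accept although the `files` module matched no user entry. The log lines are constructed, and the line format (request-number prefix, `[files] = <rcode>`, `Sent Access-...`) is an assumption modelled on FreeRADIUS 3 debug output.

```python
import re

# Constructed sample in the style of FreeRADIUS debug output (radiusd -X);
# request numbers, user names and addresses are made up, not from the ticket.
SAMPLE_DEBUG_LOG = """\
(4) Received Access-Request Id 11 from 192.0.2.10:40001 to 192.0.2.1:1812 length 210
(4)   User-Name = "ghost"
(4)     [files] = noop
(4) Sent Access-Challenge Id 11 from 192.0.2.1:1812 to 192.0.2.10:40001 length 0
(5) Received Access-Request Id 12 from 192.0.2.10:40001 to 192.0.2.1:1812 length 180
(5)   User-Name = "ghost"
(5)     [files] = noop
(5)     [eap] = ok
(5) Sent Access-Accept Id 12 from 192.0.2.1:1812 to 192.0.2.10:40001 length 0
(6) Received Access-Request Id 13 from 192.0.2.11:40002 to 192.0.2.1:1812 length 182
(6)   User-Name = "raduser1"
(6)     [files] = ok
(6) Sent Access-Accept Id 13 from 192.0.2.1:1812 to 192.0.2.11:40002 length 0
(7) Received Access-Request Id 14 from 192.0.2.12:40003 to 192.0.2.1:1812 length 181
(7)   User-Name = "nobody"
(7)     [files] = noop
(7) Sent Access-Reject Id 14 from 192.0.2.1:1812 to 192.0.2.12:40003 length 0
"""

LINE = re.compile(r"^\((\d+)\)[ \t]+(.*)$", re.M)   # "(N) <body>" per log line
USER = re.compile(r'^User-Name = "([^"]*)"')
FILES = re.compile(r"^\[files\] = (\w+)")
SENT = re.compile(r"^Sent (Access-\w+)")
NO_MATCH = ("noop", "notfound")   # rcodes meaning no users-file entry matched

def accepts_without_user_entry(log_text):
    """Return [(request_no, user_name)] for Access-Accepts sent although `files` matched no user."""
    state = {}      # request number -> identity and files rcode seen so far
    findings = []
    for req, body in LINE.findall(log_text):
        entry = state.setdefault(req, {"user": None, "files": None})
        if (u := USER.match(body)):
            entry["user"] = u.group(1)
        elif (f := FILES.match(body)):
            entry["files"] = f.group(1)
        elif (s := SENT.match(body)):
            if s.group(1) == "Access-Accept" and entry["files"] in NO_MATCH:
                findings.append((int(req), entry["user"]))
            del state[req]   # reply sent; this request number is finished
    return findings

if __name__ == "__main__":
    for req, user in accepts_without_user_entry(SAMPLE_DEBUG_LOG):
        print(f"request ({req}): Access-Accept for {user!r} with no users-file match")
```

A finding only indicates this issue when FreeRADIUS / Users is the sole user store; with an SQL or LDAP backend, `files` returning noop on an accepted request can be legitimate.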
History
#1
Updated by Viktor Gurov 3 months ago
see http://freeradius.1045715.n5.nabble.com/user-name-and-EAP-TLS-td5714550.html:
> On Sat, Aug 04, 2012 at 11:10:38AM +0200, Klaus Klein wrote:
>> Therefore I'm a bit puzzled that if no matching entry in users
>> is found that the authentication still takes place.
> authorize {
>     files
>     if (notfound || noop) {
>         reject
>     }
> }
#3
Updated by Renato Botelho 3 months ago
- Status changed from New to Feedback
- Assignee set to Viktor Gurov
PR has been merged. Thanks!
#4
Updated by Viktor Gurov 2 months ago
more fixes:
- Fixes SQL backend user existing check;
- Fixes counters issue (`$varsqlconfauthcounters` lines)
https://forum.netgate.com/topic/160323/freeradius-latest-package-upgrade/2:
(6) exec: Executing: /bin/sh /usr/local/etc/raddb/scripts/datacounter_auth.sh raduser1 daily:
(6) exec: ERROR: Program returned code (99) and output ''
(6) exec: ERROR: Program returned invalid code (greater than max rcode) (99 > 9)
https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/38
#5
Updated by Jim Pingle 2 months ago
- Status changed from Feedback to Pull Request Review
#6
Updated by Renato Botelho 2 months ago
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!