
RE: FW: isakmpd AND NOT policy



> >Has anyone got an idea? Soooooooooooo close...
> 
> You can try _AUTHORIZERS, e.g.:
> 
> _AUTHORIZERS ~= "^DN:/...." || _AUTHORIZERS ~= ".*,DN:/...."

Trying that now.
 
> I don't see how this is going to help you though; you're assuming that
> the user will present both X509 certificates (the one from 
> the CA and the one from the "deny") ?

No, I just want to exclude blacklisted authorizers based on their DN.
For instance, I see this in the isakmpd output:

142342.263902 Plcy 40 check_policy: adding authorizer [DN:/L=Den
Haag/C=NL/OU=Roaming User 001<snip>

Normally, because this user has a CA-signed PGP key, he would be able to
connect, because all CA-signed certificates are authorized by "POLICY". I now
want to exclude users that still have their CA-signed key, but should no
longer be allowed to connect, by matching their DN to a 'blacklist'. Of
course, if there is another way to make that exclusion, I would be glad to
hear about it :)

Regards,
P. Vissers

> -Angelos
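An added illustration, not from this thread and not isakmpd or KeyNote code, of the matching logic behind the suggested `_AUTHORIZERS` condition. The blacklisted DNs, the sample authorizer lists and the helper names are constructed for the example. It goes one step beyond the pattern quoted above: the DN is passed through `re.escape()` so metacharacters inside a DN cannot change the regex, and a trailing `(,|$)` is added so that a blacklisted DN does not also match a longer DN that merely begins with the same text.

```python
import re

# Constructed blacklist of DNs in the "DN:/..." form that isakmpd's Plcy
# output shows for each authorizer (made-up values, for this example only).
BLACKLISTED_DNS = [
    "DN:/L=Den Haag/C=NL/OU=Roaming User 001",
    "DN:/L=Den Haag/C=NL/OU=Roaming User 007",
]


def blacklist_condition(authorizers: str, blocked_dn: str) -> bool:
    """Mirror the two-regex pattern suggested in the thread:

        _AUTHORIZERS ~= "^DN:/..." || _AUTHORIZERS ~= ".*,DN:/...."

    'authorizers' is the comma-separated list of principals as the policy
    engine would see it. The first alternative catches the blocked DN at the
    head of the list, the second catches it anywhere after a comma. Two
    additions beyond the quoted pattern: re.escape() neutralises regex
    metacharacters in the DN, and the (,|$) terminator stops
    "Roaming User 001" from also matching "Roaming User 0010".
    """
    esc = re.escape(blocked_dn)
    head = re.compile(r"^" + esc + r"(,|$)")
    tail = re.compile(r".*," + esc + r"(,|$)")
    return bool(head.match(authorizers) or tail.match(authorizers))


def is_allowed(authorizers: str) -> bool:
    """Allow only when no blacklisted DN appears in the authorizer list.

    The CA-signature check that the real POLICY assertion performs is not
    modelled here; this function only models the exclusion condition that
    would be AND-ed onto it.
    """
    return not any(blacklist_condition(authorizers, dn) for dn in BLACKLISTED_DNS)


if __name__ == "__main__":
    # Constructed authorizer lists exercising each position and the prefix case.
    samples = [
        "DN:/L=Den Haag/C=NL/OU=Roaming User 001",
        "DN:/L=Den Haag/C=NL/OU=Roaming User 002,DN:/L=Den Haag/C=NL/OU=Roaming User 007",
        "DN:/L=Den Haag/C=NL/OU=Roaming User 0010",
        "DN:/L=Den Haag/C=NL/OU=Roaming User 002",
    ]
    for s in samples:
        print("allow" if is_allowed(s) else "deny ", s)
```

The same two-alternative shape is needed in the policy because a regex on the whole list has no notion of list elements; splitting on the comma is not available inside a KeyNote condition, so the head and tail alternatives together cover every position.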