802.1x Wi-Fi with FreeIPA workstation certificates
FreeRADIUS: Check certificate EKUs
Add EKU check
Previously, we added a dedicated Extended Key Usage (EKU) to the caHostCert certificate profile: EAP-over-LAN (id-kp-eapOverLAN, OID 1.3.6.1.5.5.7.3.14, defined in RFC 4334). Here I check that a client certificate presented during EAP authentication actually carries this EKU, so that certificates issued without it cannot be used for Wi-Fi:
In /etc/freeradius/3.0/sites-available/wifi, I extend the Auth-Type eap_wifi block of the authenticate section with the check, placed after the eap_wifi module call so that it only runs once the EAP-TLS handshake has completed:
# /etc/freeradius/3.0/sites-available/wifi
#...
authenticate {
    Auth-Type eap_wifi {
        eap_wifi {
            fail = return
            invalid = return
            reject = return
        }
        # TLS-Client-Cert-X509v3-Extended-Key-Usage-OID has one instance per
        # EKU in the certificate (a workstation cert normally carries other
        # EKUs such as clientAuth as well).  In a condition, [*] is true if
        # ANY instance satisfies the comparison, so "[*] != OID" would be true
        # for every certificate with more than one EKU.  Negate an equality
        # instead: reject only if NO instance equals the EAPoL OID.
        if (!(&request:TLS-Client-Cert-X509v3-Extended-Key-Usage-OID[*] == "1.3.6.1.5.5.7.3.14")) {
            update request {
                &Module-Failure-Message += 'Rejected: No EAPoL EKU'
            }
            reject
        }
    }
}
#...
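As an added example (not code from this article, FreeIPA or FreeRADIUS), the following stdlib-only Python decodes the Extended Key Usage extension of a certificate and applies the same EAP-over-LAN test as the unlang above. It also makes the multi-valued nature of the EKU attribute explicit, which is why the condition has to be written as "no instance equals" rather than "an instance differs". The DER samples and all function names are constructed for this example.

```python
# Added example for this article (not FreeIPA or FreeRADIUS code): decode the
# Extended Key Usage extension of an X.509 certificate with the standard
# library only and apply the same EAP-over-LAN test the unlang above performs.
# The DER samples below are constructed for the example; the function names
# are this example's own.

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ID_KP_EAP_OVER_LAN = "1.3.6.1.5.5.7.3.14"   # id-kp-eapOverLAN, RFC 4334


def _read_tlv(data: bytes, pos: int):
    """Read one DER TLV starting at pos and return (tag, content, next_pos).
    Supports the short and long definite length forms, which is all DER uses."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x8N, then N length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Turn OBJECT IDENTIFIER content octets into dotted notation.
    The first octet packs the first two arcs (40*a + b); later arcs are
    base-128 with the high bit set on every octet but the last."""
    if not content:
        raise ValueError("empty OID")
    if content[-1] & 0x80:
        raise ValueError("truncated OID arc")
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def eku_oids(ext_value: bytes) -> list:
    """Parse ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (RFC 5280 4.2.1.12)
    as found inside the extnValue OCTET STRING, returning the OIDs in order.
    This is the list FreeRADIUS exposes one instance at a time as
    TLS-Client-Cert-X509v3-Extended-Key-Usage-OID."""
    tag, seq, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("EKU extension value is not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId is not an OBJECT IDENTIFIER")
        oids.append(decode_oid(content))
    return oids


def eapol_eku_check(oids) -> str:
    """The intended policy: accept only if some instance is id-kp-eapOverLAN.
    Equivalent to: if (!(&...-Extended-Key-Usage-OID[*] == "1.3.6.1.5.5.7.3.14")) reject."""
    return "accept" if ID_KP_EAP_OVER_LAN in oids else "reject"


def any_instance_differs(oids) -> bool:
    """What a condition of the form `&Attr[*] != "1.3.6.1.5.5.7.3.14"` evaluates
    to when [*] means 'any instance': true as soon as one other EKU is present,
    i.e. it would fire on every certificate that carries more than one EKU."""
    return any(o != ID_KP_EAP_OVER_LAN for o in oids)


# Constructed sample: the EKU extension value of a workstation certificate that
# carries serverAuth, clientAuth and eapOverLAN (three 8-byte OIDs, 30 bytes).
WORKSTATION_EKU = bytes.fromhex(
    "301e"
    "06082b06010505070301"
    "06082b06010505070302"
    "06082b0601050507030e"
)

# Constructed sample: a certificate from a profile that only grants clientAuth.
PLAIN_CLIENT_EKU = bytes.fromhex("300a" "06082b06010505070302")


if __name__ == "__main__":
    for label, ext in (("workstation", WORKSTATION_EKU), ("plain client", PLAIN_CLIENT_EKU)):
        oids = eku_oids(ext)
        print(f"{label}: {oids} -> {eapol_eku_check(oids)}"
              f" (a '[*] !=' condition would fire: {any_instance_differs(oids)})")
```

To run this against a real certificate, feed eku_oids() the raw extnValue octets of the extension; openssl asn1parse with -strparse on the offset of that OCTET STRING writes them out, and any X.509 library exposes them as the extension's value. The two sample lists illustrate the point of the negated condition: the workstation certificate has eapOverLAN but also two other OIDs, so an "any instance differs" test rejects it while the "no instance equals" test accepts it.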