eap/tls questions with freeradius

Phil Mayers p.mayers at imperial.ac.uk
Wed Dec 28 15:16:51 CET 2011


On 12/26/2011 02:44 PM, vazoumana fofana wrote:
> sorry, I've got persistent problems:
>
> - I filter the client certificate under the authenticate section (under eap)
> with:
>
>   Auth-Type eap {
>     if ( "%{TLS-Client-Cert-Subject}" =~ /OU=xxxxx/ ) {
>       reject
>     }
>   }
> Firstly, it's written in the "default" file:
>
>   # Please do not put "unlang" configurations into the "authenticate"
>   # section. Put them in the "post-auth" section instead. That's what
>   # the post-auth section is for.
>
> But, according to me, it's not right because I don't want to enter into
> post-auth. It must be rejected before.

This is not easy at the moment I'm afraid.

Basically, the problem is that the "authorize" part of the "eap" module 
doesn't do much. All the work is done inside the "authenticate" section.

This means that TLS-* attributes may not be present in "authorize".

You are correct that performing a "reject" in "post-auth" is not the 
right thing to do.

It might be an idea in future to add an "inner-tunnel" feature for 
EAP-TLS which sends a plain PAP packet with the TLS-* attributes, which 
allows this kind of checking.

You need to use the "verify { }" option under the "tls { }" config to 
run an external script. Like so:

eap {
   tls {
     verify {
       client = "/path/to/my/script ..."
     }
   }
}

This is documented with examples in eap.conf
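As an added example (not from the original post, and not the FreeRADIUS project's own code), here is the shape such an external verify script can take. It assumes what the eap.conf example for "verify { }" shows: the server writes the presented client certificate to a file under tmpdir and the "client" command receives that path (via %{TLS-Client-Cert-Filename}) as its first argument, and a non-zero exit status causes the TLS verification to fail. The blocked unit "OU=xxxxx" is the placeholder from the question, and the openssl invocation is assumed to be available on the RADIUS host.

```shell
#!/bin/sh
# Added example: external client-certificate check for
#   eap { tls { verify { client = "/path/to/this/script %{TLS-Client-Cert-Filename}" } } }
# Assumptions (not confirmed by the post): $1 is the path of the client cert
# written by the server, and exit status != 0 rejects the authentication.

# Organisational unit to refuse; "OU=xxxxx" is the placeholder from the question.
BLOCKED_OU="${BLOCKED_OU:-OU=xxxxx}"

# subject_is_blocked SUBJECT
#   returns 0 (true) when the subject line contains the blocked OU, 1 otherwise.
subject_is_blocked() {
    case "$1" in
        *"$BLOCKED_OU"*) return 0 ;;
        *)               return 1 ;;
    esac
}

# check_cert_file FILE
#   returns 0 when the certificate may proceed, 1 when it must be rejected
#   (unreadable file, unparsable certificate, or blocked OU in the subject).
check_cert_file() {
    cert="$1"
    if [ ! -r "$cert" ]; then
        echo "verify: cannot read certificate file: $cert" >&2
        return 1
    fi
    # "openssl x509 -noout -subject" prints a single "subject=..." line.
    subject=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null) || {
        echo "verify: cannot parse certificate: $cert" >&2
        return 1
    }
    if subject_is_blocked "$subject"; then
        echo "verify: rejecting certificate with blocked OU: $subject" >&2
        return 1
    fi
    return 0
}

# When called by the server with a file argument, run the check and exit
# with its status; with no argument the functions are only defined.
if [ "$#" -ge 1 ]; then
    check_cert_file "$1"
    exit $?
fi
```

Chain this with the CA verification from eap.conf's own example (for instance by running "openssl verify" first and only then the subject check) so that a certificate outside the trusted chain is never accepted just because its OU is not on the blocked list.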

But really, you're doing it wrong.

If you don't want a particular cert to authenticate, revoke it and use 
CRLs or OCSP.

Why do you think you want to check the cert subject?
