FreeRADIUS EAP-TLS Lookup Client Cert From LDAP DIT

Phil Mayers p.mayers at
Sat Oct 15 11:41:21 CEST 2011

On 10/14/2011 10:43 PM, subcon wrote:
> I've searched for this sort of posting, but found issues unrelated that
> responded to my search string, so I decided to post it here.
> OK, currently I have Radius authenticating LDAP users via PAP.  Works great.
> Imagine I want to store x509 certificate data (specifically a client
> certificate) in an attribute in LDAP (perhaps as a binary attribute, etc).
> I would like FreeRADIUS, should it be passed a client certificate INSTEAD of
> a user/pass, to take the DN of the cert and match it to some attribute which
> contains said DN and cert-data.

Ok. It's been a while since I looked at this, but IIRC there is some 
special search/attribute syntax support in (some) LDAP servers for X.509 
certs in the DIT.

> The ultimate goal of all of this is to allow the continued use of LDAP and
> store the certificates (to be compared against) in the tree and not on some
> filesystem basis.
> Note that I want FreeRADIUS to continue supporting PAP user/pass auth, but
> only as a secondary fall-back (e.g: customer doesn't have client cert
> installed on machine, but has a user and password).
> Is this possible? Does this make sense to you? Let me know if I need to
> re-explain anything.

I think it should be possible.

First, ensure you're running the most recent version of FreeRADIUS. When 
you've done that, you will have two options:

  1. You can examing the "TLS-Client-Cert-Subject" variable in a 
FreeRADIUS unlang policy, and possibly use this to query your LDAP 
server via LDAP xlat. For example:

  authorize {
     if (TLS-Client-Cert-Subject) {
       # we've done enough EAP-TLS to know the client cert
       update request {
         Tmp-String-0 := 
       if (Tmp-String-0) {
         # cert was found in LDAP
       else {

However, I'm not certain the TLS-* attributes (see 
sites-available/default in a recent version of the server) are available 
in the authorize section - I have a feeling they are only present in 
post-auth, by which time it's too late to reject them, so...

  2. Use the "verify" config of the "tls" module under "eap", and use an 
external script to perform the check against LDAP. For example:

   eap {
     tls {
       verify {
         client = "/path/to/script %{TLS-Client-Cert-Filename}"

...then your script can use the (temporary) file given in the 1st 
argument to query against LDAP.

Hope this helps.


> Thank you,
> subcon
> --
> View this message in context:
> Sent from the FreeRadius - User mailing list archive at
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list