Hello, I'm new to this list and I'm playing with freeradius for about two weeks. I have noticed that there is no possibility to check the subject and issuer of the client certificate. My idea is to use EAP-TLS authN, but allow only some of certificates issued by concrete CA. Two options which are available in EAP-TLS config are not suitable for me. I don't want to revoke the certs and the RE cannot be also used. That's why I created small patch to the freeradius 1.1.0. I've added new option check_script in config of EAP, where can be defined path to the script or application which is executed after successuf TLS authentication. The script/application will recieve in environ variables request packet with two new value pairs: X509_SUBJECT and X509_ISSUER. The EAP-TLS module decide on the returned value of the script/app if the request will be discarded or allowed. I'm open for every remark and enhancement of this patch. I will be glad if this part of code or something similar could be in some of next release of the freeradius. As I see in the user mailing list, there are other people which asking for similar functionality from the freeradius. I'm runnig patched freeradius in our organization and till now works Patch is attached. Best regards, Michal -- Michal Prochazka // michalp@ics.muni.cz Supercomputing Center Brno Institute of Computer Science Masaryk University Botanicka 68a, 60200 Brno, CZ CESNET z.s.p.o. Zikova 4, 16200 Praha 6, CZ