Hi,
From my understanding (don't hesitate to correct me), the authorization step being done before the authentication step (for the purpose of selecting the allowed authentication method), it does not seem possible to use attributes from the X.509 Certificate provided by the client for the purpose of authorization (it comes too late).
I expected I would be able to extract the information from the client Cert during authentication and make it available for Post-Auth in order to decide what to do in a more precise manner (change attribute, reject, ...). The main idea is to be able to put users from unknown subtrees of my PKI in some guest VLANs by pushing specific attribute to the NAS (a switch or AP). Known users would be put in a specific VLAN associated with their profile. Other users would be rejected. After looking at the source code, I decided to define some specific vendor attributes that I would expect to have only a local meaning (not seen on the cable but infered from the TLS exchange) but I basically failed to see how to do the following *properly*: - where to store the information grabbed in the SSL callback, - how to make that information usable in a transparent fashion for Post-Auth modules like rlm_files, ... - how to force a reject and not only change attributes, ... Thanks for your time. Don't hesitate if you have questions. Cheers, a+