Hi, I am using the TLS-Client-Cert-Common-Name attribute to get client certificate common name value and use it in the authorize section. While it does read the issue attributes from CA that comes with it, it ignores the client attribute. How can I get the value of a client certificate? *Here is the debug output:* *Fri Apr 7 09:03:13 2023 : Debug: (5) EAP-Type = TLSFri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Serial := "33ffb07c337ec3bc"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Expiration := "231109075300Z"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Valid-Since := "221109075300Z"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Subject := "/CN=cacert"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Issuer := "/CN=cacert"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Common-Name := "cacert"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-X509v3-Basic-Constraints += "CA:TRUE"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-X509v3-Subject-Key-Identifier += "FA:CF:53:D7:B0:54:5A:DA:12:A0:51:D4:C1:2B:10:C3:2F:C2:17:6E"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:FA:CF:53:D7:B0:54:5A:DA:12:A0:51:D4:C1:2B:10:C3:2F:C2:17:6E\n"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Serial := "55deef44a81709aa"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Expiration := "231109075300Z"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Valid-Since := "221109075600Z"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Subject := "/CN=clientcert/emailAddress=client@example.com/serialNumber=ababab0123456 <http://client@example.com/serialNumber=ababab0123456>"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Issuer := "/CN=cacert"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Common-Name := "clientcert"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Subject-Alt-Name-Email := "clientcert@example.com <clientcert@example.com>"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-Subject-Alt-Name-Dns := "clientcert.copy.com.example.com <http://clientcert.copy.com.example.com>"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-X509v3-Subject-Key-Identifier += "AA:57:43:AC:9D:32:95:F8:DB:E5:4B:7A:8E:0F:D3:5C:52:42:14:EC"Fri Apr 7 09:03:13 2023 : Debug: (5) TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:FA:CF:53:D7:B0:54:5A:DA:12:A0:51:D4:C1:2B:10:C3:2F:C2:17:6E\n"Fri Apr 7 09:03:13 2023 : WARNING: (5) Outer and inner identities are the same. User privacy is compromised.Fri Apr 7 09:03:13 2023 : Debug: (5) server eap-tls-check {Fri Apr 7 09:03:13 2023 : Debug: (5) session-state: No cached attributesFri Apr 7 09:03:13 2023 : Debug: (5) # Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/inner-tunnelFri Apr 7 09:03:13 2023 : Debug: (5) authorize {Fri Apr 7 09:03:13 2023 : Debug: (5) if ("%{sql:select assignmentvalue from radeaptlsvlan where (instr('%{TLS-Client-Cert-Common-Name}', assignmentvalue) > 0") {Fri Apr 7 09:03:13 2023 : Debug: rlm_sql (sql): Reserved connection (6)Fri Apr 7 09:03:13 2023 : Debug: rlm_sql (sql): Released connection (6)Fri Apr 7 09:03:13 2023 : Debug: rlm_sql (sql): Reserved connection (2)Fri Apr 7 09:03:13 2023 : Debug: rlm_sql (sql): Released connection (2)Fri Apr 7 09:03:13 2023 : Debug: rlm_sql (sql): Reserved connection (3)Fri Apr 7 09:03:13 2023 : Debug: rlm_sql (sql): Released connection (3)Fri Apr 7 09:03:13 2023 : Debug: rlm_sql (sql): Reserved connection (4)Fri Apr 7 09:03:13 2023 : Debug: rlm_sql (sql): Released connection (4)Fri Apr 7 09:03:13 2023 : Debug: %{User-Name}Fri Apr 7 09:03:13 2023 : Debug: Parsed xlat tree:Fri Apr 7 09:03:13 2023 : Debug: attribute --> User-NameFri Apr 7 09:03:13 2023 : Debug: (5) EXPAND %{User-Name}Fri Apr 7 09:03:13 2023 : Debug: (5) --> caglarFri Apr 7 09:03:13 2023 : Debug: (5) SQL-User-Name set to 'caglar'Fri Apr 7 09:03:13 2023 : Debug: rlm_sql (sql): Reserved connection (0)Fri Apr 7 09:03:13 2023 : Debug: (5) Executing select query: select assignmentvalue from radeaptlsvlan where (instr('cacert', assignmentvalue) > 0)* Regards, Caglar