Hi all, Using FR v3.1.0. I was wondering if there is any way I could read a TLS client certificate field (probably MS specific) called "Certificate Template Information". We have an M$ CA (for now), and one of the strings within this field contains the name of the certificate template, which I want to check, to make sure that people aren't making up their own cert templates and randomly giving wireless access to people in the wrong way (I have good reason). A less satisfactory way of doing this would be by checking the EKUs matched the template I was using, as the other templates I've found don't have quite the same makeup there. I tried all the specific dictionary TLS-* , including the seemingly EKU specific one, and they are largely empty. I also can't base it on OU structure as some certs are based on device names and some on AD users. I would like to do this via the named Template Information field if possible, since this also contains other useful stuff. I presume I can't do what I'm trying to achieve? The obvious thing would be to stop other people issuing certs, but I may as well learn to code C properly and rewrite the module, it would be easier :-) EXPAND %{TLS-Cert-Subject-Alt-Name-Email} (7) --> (7) Reply-Message += "" (7) EXPAND %{TLS-Cert-Subject-Alt-Name-Dns} (7) --> (7) Reply-Message += "" (7) EXPAND %{TLS-Cert-Subject-Alt-Name-Upn} (7) --> (7) Reply-Message += "" (7) EXPAND %{TLS-Client-Cert-Filename} (7) --> (7) Reply-Message += "" (7) EXPAND %{TLS-Client-Cert-Subject-Alt-Name-Email} (7) --> (7) Reply-Message += "" (7) EXPAND %{TLS-Client-Cert-X509v3-Extended-Key-Usage} (7) --> (7) Reply-Message += "" (7) EXPAND %{TLS-Client-Cert-X509v3-Subject-Key-Identifier} (7) --> (7) Reply-Message += "" (7) EXPAND %{TLS-Client-Cert-X509v3-Authority-Key-Identifier} (7) --> (7) Reply-Message += "" (7) EXPAND %{TLS-Client-Cert-X509v3-Basic-Constraints} (7) --> (7) Reply-Message += "" (7) EXPAND %{TLS-Client-Cert-Subject-Alt-Name-Dns} (7) --> (7) Reply-Message += "" Thanks very much Andy.