On Apr 22, 2025, at 11:59 AM, jhbulk75 <jhbulk75@gmail.com> wrote:
We use the rest module to call our backend server during post-auth for additional processing. When the request is locally terminated EAP-TLS, the request attribute list contains all of the TLS certificate attributes. We have a feature request that requires access to one of these TLS client cert attributes in post-auth (TLS-Client-Cert-Subject-Alt-Name-Uri).
When the request is proxied this information is not available in post-auth. Does this mean it's not possible to see this data in a proxy configuration? Or does FreeRADIUS just not provide it because the eap module was not called.
The information is buried inside of TLS, and isn't accessible to FreeRADIUS.
In other words, in lieu of FR not providing this for us, could EAP-Message be parsed to manually extract this data? Or is the information simply not there? We're trying to determine if this is still a viable option in a proxy environment.
You can't get at the data. In TLS 1.2 and earlier, the client cert *might* be visible in the EAP-TLS packets. But getting at it would involve: * decoding the EAP-Message to find the EAP-TLS data * decoding EAP-TLS to find the TLS data * decoding the TLS data to find the certificate * decoding the DER data to get the SubjectAltName. This cannot be done using the normal FreeRADIUS OpenSSL code. So no, it's not possible. Alan DeKok.