I'm configuring a freeradius server for authenticating Wifi clients with EAP-TLS. The solution should check certificates with EAP-TLS and everything is working fine, but checking the "extended key usage" to reply with a specific VLAN is not working as expected. So in my site config I have: if (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XY\.xxxxx\.de$/){ if(TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1") { update reply { &Tunnel-Type = 13, &Tunnel-Medium-Type = 6, &Tunnel-Private-Group-Id = "1" } } if(TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.2") { update reply { &Tunnel-Type = 13, &Tunnel-Medium-Type = 6, &Tunnel-Private-Group-Id = "2" } } } elsif (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XYZ\.xxxxx\.de$/) { if(TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.16530950.3") { update reply { &Tunnel-Type = 13, &Tunnel-Medium-Type = 6, &Tunnel-Private-Group-Id = "3" } } } else { update reply { Reply-Message := "Certificate Extended-Key-Usage with wrong or missing Group." Auth-Type := Reject } reject } In the log I see that the Attribute is in the tls-cert: freeradius | (342) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "user.XY.xxxxx.de" freeradius | (342) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, 1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7" freeradius | (342) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" freeradius | (342) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.2" But when I scroll down, I see that the result of the if-check is false: freeradius | (343) if (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XY\.xxxxx\.de$/){ freeradius | (343) if (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XY\.xxxxx\.de$/) -> TRUE freeradius | (343) if (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XY\.xxxxx\.de$/) { freeradius | (343) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1") { freeradius | (343) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1") -> FALSE freeradius | (343) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.2") { freeradius | (343) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.2") -> FALSE ### This should be TRUE ### freeradius | (343) } # if (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XY\.xxxxx\.de$/) = noop TLS-Client-Cert-X509v3-Extended-Key-Usage-OID is a list, do I have to check it in a different way? Thanks in advance. Daniel