/etc/freeradius/3.0/sites-enabled/mh-site[27]: Unknown attribute 'Cert-CN'
Yes, you can't just invent things and have them work. The server uses pre-defined dictionaries of named attributes.
Happily, you can also define new attributes. Edit /etc/freeradius/3.0/dictionary, and add:
ATTRIBUTE Cert-CN 3000 string
and it will be define, and it will work.
Define the Cert-CN attribute as described above. And add a Cert-Cn in the "update" section, instead of over-writing User-Name. It will work.
Thanks, that makes sense. I've done that. That may have done the trick. However it still won't authenticate but I wonder if I've now got a different certificate issue on hand? (4) Received Access-Request Id 232 from 10.225.80.1:43414 to 10.10.251.2:1812 length 192 (4) User-Name = "host/mh300649.millerextra.com" (4) NAS-IP-Address = 127.0.0.1 (4) Called-Station-Id = "E0-CB-BC-27-80-60:" (4) NAS-Port-Type = Ethernet (4) Service-Type = Framed-User (4) NAS-Port = 4 (4) Calling-Station-Id = "50-9A-4C-47-69-92" (4) Acct-Session-Id = "D3EE5FFA3658128F" (4) Framed-MTU = 1400 (4) EAP-Message = 0x020f002201686f73742f6d683330303634392e6d696c6c657265787472612e636f6d (4) Message-Authenticator = 0x471a458667926672258467a14bb75939 (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) eap: Peer sent EAP Response (code 2) ID 15 length 34 (4) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) Auth-Type sub-section not found. Ignoring. (4) Failed to authenticate the user (4) Using Post-Auth-Type Reject (4) Post-Auth-Type sub-section not found. Ignoring. (4) Login incorrect: [host/mh300649.millerextra.com] (from client MWAN-10.225.80.1 port 4 cli 50-9A-4C-47-69-92) (4) Delaying response for 1.000000 seconds (4) Sending delayed response (4) Sent Access-Reject Id 232 from 10.10.251.2:1812 to 10.225.80.1:43414 length 20 Thanks a lot. ________________________________ Miller Homes Limited Registered in Scotland - SC255429 2 Lochside View, Edinburgh Park, Edinburgh, EH12 9DH Disclaimer: The Information in this e-mail is confidential and for use by the addressee(s) only. It may also be privileged. If you are not the intended recipient please notify us immediately on +44 (0) 870 336 5000 and delete the message from your computer: you may not copy or forward it, or use or disclose its contents to any other person. We do not accept any liability or responsibility for: (1) changes made to this email after it was sent, or (2) viruses transmitted through this email or any attachment. Miller Homes Limited <https://www.millerhomes.co.uk>