Hi, I'm having trouble getting some basic TLS checks working for a Wifi EAP-TLS connection. Centos7, freeradius 3.0.4 Basically I'm messing around with the built-in check-eap-tls virtual server, as a pre-requisite to some more complex matching I want to do, but it's not working as it would seem it should. My client connects using a valid cert, I see TLS "stuff" in the logs like this: (5) Auth-Type eap { (5) eap : Expiring EAP session with state 0x9e6f4ada9ae847d4 (5) eap : Finished EAP session with state 0x9e6f4ada9ae847d4 (5) eap : Previous EAP request found for state 0x9e6f4ada9ae847d4, released from the list (5) eap : Peer sent method TLS (13) (5) eap : EAP TLS (13) (5) eap : Calling eap_tls to process EAP data (5) eap_tls : Authenticate (5) eap_tls : processing EAP-TLS (5) eap_tls : eaptls_verify returned 7 (5) eap_tls : Done initial handshake (5) eap_tls : <<< TLS 1.0 Handshake [length 04c4], Certificate (5) eap_tls : chain-depth=1, (5) eap_tls : error=0 (5) eap_tls : --> User-Name = lpascoe (5) eap_tls : --> BUF-Name = NZHothouse CA (5) eap_tls : --> subject = /C=NZ/ST=AKL/L=Auckland/O=NZHothouse/CN=NZHothouse CA/emailAddress= admin@nzhothouse.co.nz (5) eap_tls : --> issuer = /C=NZ/ST=AKL/L=Auckland/O=NZHothouse/CN=NZHothouse CA/emailAddress= admin@nzhothouse.co.nz (5) eap_tls : --> verify return:1 (5) eap_tls : chain-depth=0, (5) eap_tls : error=0 (5) eap_tls : --> User-Name = lpascoe (5) eap_tls : --> BUF-Name = lpascoe (5) eap_tls : --> subject = /C=NZ/ST=AKL/L=Auckland/O=NZHothouse/CN=lpascoe/emailAddress= admin@nzhothouse.co.nz (5) eap_tls : --> issuer = /C=NZ/ST=AKL/L=Auckland/O=NZHothouse/CN=NZHothouse CA/emailAddress= admin@nzhothouse.co.nz (5) eap_tls : --> verify return:1 (5) eap_tls : TLS_accept: SSLv3 read client certificate A (5) eap_tls : <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange (5) eap_tls : TLS_accept: SSLv3 read client key exchange A (5) eap_tls : <<< TLS 1.0 Handshake [length 0106], CertificateVerify (5) eap_tls : TLS_accept: SSLv3 read certificate verify A (5) eap_tls : <<< TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_tls : <<< TLS 1.0 Handshake [length 0010], Finished (5) eap_tls : TLS_accept: SSLv3 read finished A (5) eap_tls : >>> TLS 1.0 ChangeCipherSpec [length 0001] (5) eap_tls : TLS_accept: SSLv3 write change cipher spec A (5) eap_tls : >>> TLS 1.0 Handshake [length 0010], Finished (5) eap_tls : TLS_accept: SSLv3 write finished A (5) eap_tls : TLS_accept: SSLv3 flush data (5) eap_tls : (other): SSL negotiation finished successfully SSL Connection Established (5) eap_tls : eaptls_process returned 13 So I'm pretty certail that part is working correctly. However when we get to the check-eap-tls part, the variables it expects to match against aren't populated: (6) # Executing section authorize from file /etc/raddb/sites-enabled/check-eap-tls (6) authorize { (6) update config { (6) Auth-Type := Accept (6) } # update config = noop (6) if ("%{TLS-Client-Cert-Common-Name}" == "client.example.com") (6) EXPAND %{TLS-Client-Cert-Common-Name} (6) --> (6) if ("%{TLS-Client-Cert-Common-Name}" == "client.example.com") -> FALSE (6) else else { (6) update config { (6) Auth-Type := Reject (6) } # update config = noop (6) update reply { (6) Reply-Message := 'Your certificate is not valid.' (6) } # update reply = noop (6) } # else else = noop As you can see the expansion for %{TLS-Client-Cert-Common-Name} is an empty string. This is the variable I want to match against in future. Any suggestions around what I need to enable to get these TLS variables populated would be greatly appreciated. Thanks. Luke Pascoe *E* luke@osnz.co.nz * P* +64 (9) 296 2961 * M* +64 (27) 426 6649 * W* www.osnz.co.nz 24 Wellington St Papakura Auckland, 2110 New Zealand