Hi Alan,
for other checks , unlang parsing with TLS-Client-Cert-CN can verify if the CN matches something that you've handed out - your realm, for example, shouldnt be present int he CN from commercial CAs as noone else owns it/has authority (unless something interesting is going on in your company.....) likewise, OCSP can also be used to verify if the cert is valid/current
Ok, thanks, I understand. I added OCSP checking with ocsp { enable = yes override_cert_url = no url = "http://ocsp.startssl.com/sub/class1/client/ca" } but it didn't work, exited with the error " Error: OCSP response has wrong nonce value " . The site https://blog.pki.dfn.de/tag/freeradius/ helped me make it work with the hint to add "use_nonce = no". I send this mail for future (Google'rs) reference. Cheers