The server saves the TLS certificate data in the session-state list. So do:
if (&session-state.TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == ...
That should work.
It seems that this doesn't work for me. In the session-state is only TLS-Session-Information, TLS-Session-Cipher-Suite, TLS-Session-Version. But it seems I can work directly with TLS-Client-Cert-Issuer and TLS-Client-Cert-Subject-Alt-Name-Dns, but not with TLS-Client-Cert-X509v3-Extended-Key-Usage-OID. Is there a way to get TLS-Client-Cert-X509v3-Extended-Key-Usage-OID - in the session-state (see below ' (11) policy debug_session_state {') Or - like TLS-Client-Cert-Issuer to use it directly (see below '(11) if (TLS-Client-Cert-Issuer == "/DC=org/DC=example/CN=XY Sub CA") -> TRUE')? LOG: freeradius | (10) Received Access-Request Id 135 from 10.1.100.55:55713 to 10.0.118.207:1812 length 873 freeradius | (10) User-Name = "host/host1.XY.example.org" freeradius | (10) NAS-IP-Address = 10.1.100.55 freeradius | (10) NAS-Identifier = "6ad79a35b543" freeradius | (10) Called-Station-Id = "6A-D7-9A-35-B5-43:XY" freeradius | (10) NAS-Port-Type = Wireless-802.11 freeradius | (10) Service-Type = Framed-User freeradius | (10) Calling-Station-Id = "14-5A-FC-11-0C-55" freeradius | (10) Connect-Info = "CONNECT 0Mbps 802.11a" freeradius | (10) Acct-Session-Id = "131C98E526D732C9" freeradius | (10) Acct-Multi-Session-Id = "21DF24B695731162" freeradius | (10) WLAN-Pairwise-Cipher = 1027076 freeradius | (10) WLAN-Group-Cipher = 1027076 freeradius | (10) WLAN-AKM-Suite = 1027073 freeradius | (10) Framed-MTU = 1400 freeradius | (10) EAP-Message = 0x02f802650d008913236f1da4d0f24ae5fd76c1363e401da385917ea16dcc91b4c99e1d5fcc0ba0eb9490989acb360187643386d3bac082a8771891a9f52811bf19fa628a0ee25568a822d36324c2f27890f954ff86b657b1fc5a10319d101ab15f68f7c9911e5f2252d382360caae495439a174933a31f8e65d475d4adb7835b573f6165226fe068ccb63ccd61eaf0a74b4f3095e7294ad742444ead3c73812138f5b41438e1b47b27efb3af9de677fd78053a0a6c499327f01839fbb9e7df5a669ed1e01a86594eeb72e8dba40b4d76f6c84f4a26872039872ef2dccbbf54aa42956776100000424104b95329b6826c47555335c7092e25dfaac53b91f4220ab8fe98539c708d11dfb2f693f58df950c3d233519e8a338ebcb1aab80363b766b2bbd8bfdf01e8e12b000f0001040804010019d12737c08a55927012807b024877904354ad2eeb688f37268da26fb12d0404751cb47faad165aa1973425fe386f7f963e8d30b224f568e0eb79dc2f37fdff301124cea5c freeradius | (10) State = 0x67e882426e108fb8e89303b497b5b384 freeradius | (10) Message-Authenticator = 0x5807b7f924014bf2437feee3473554e1 freeradius | (10) Restoring &session-state freeradius | (10) &session-state:Framed-MTU = 1014 freeradius | (10) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" freeradius | (10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" freeradius | (10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" freeradius | (10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" freeradius | (10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" freeradius | (10) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" freeradius | (10) # Executing section authorize from file /etc/raddb/sites-enabled/site freeradius | (10) authorize { freeradius | (10) policy filter_username { freeradius | (10) if (&User-Name) { freeradius | (10) if (&User-Name) -> TRUE freeradius | (10) if (&User-Name) { freeradius | (10) if (&User-Name =~ / /) { freeradius | (10) if (&User-Name =~ / /) -> FALSE freeradius | (10) if (&User-Name =~ /@[^@]*@/ ) { freeradius | (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE freeradius | (10) if (&User-Name =~ /\.\./ ) { freeradius | (10) if (&User-Name =~ /\.\./ ) -> FALSE freeradius | (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { freeradius | (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE freeradius | (10) if (&User-Name =~ /\.$/) { freeradius | (10) if (&User-Name =~ /\.$/) -> FALSE freeradius | (10) if (&User-Name =~ /@\./) { freeradius | (10) if (&User-Name =~ /@\./) -> FALSE freeradius | (10) } # if (&User-Name) = notfound freeradius | (10) } # policy filter_username = notfound freeradius | (10) [preprocess] = ok freeradius | (10) eap: Peer sent EAP Response (code 2) ID 248 length 613 freeradius | (10) eap: No EAP Start, assuming it's an on-going EAP conversation freeradius | (10) [eap] = updated freeradius | (10) [expiration] = noop freeradius | (10) [logintime] = noop freeradius | (10) } # authorize = updated freeradius | (10) Found Auth-Type = eap freeradius | (10) # Executing group from file /etc/raddb/sites-enabled/site freeradius | (10) authenticate { freeradius | (10) eap: Expiring EAP session with state 0x67e882426e108fb8 freeradius | (10) eap: Finished EAP session with state 0x67e882426e108fb8 freeradius | (10) eap: Previous EAP request found for state 0x67e882426e108fb8, released from the list freeradius | (10) eap: Peer sent packet with method EAP TLS (13) freeradius | (10) eap: Calling submodule eap_tls to process data freeradius | (10) eap_tls: (TLS) EAP Got final fragment (607 bytes) freeradius | (10) eap_tls: (TLS) EAP Done initial handshake freeradius | (10) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done freeradius | (10) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate freeradius | (10) eap_tls: (TLS) Creating attributes from TLS-Client-Cert-Serial certificate freeradius | (10) eap_tls: (TLS) Creating attributes from server certificate freeradius | (10) eap_tls: TLS-Cert-Serial := "1400000002219c173715ec84d9000000000002" freeradius | (10) eap_tls: TLS-Cert-Expiration := "20511007092213Z" freeradius | (10) eap_tls: TLS-Cert-Valid-Since := "211007115340Z" freeradius | (10) eap_tls: TLS-Cert-Subject := "/DC=org/DC=example/CN=XY Sub CA" freeradius | (10) eap_tls: TLS-Cert-Issuer := "/C=xxx/ST=xxx/L=xxx/O=xxx/CN=XY Root CA" freeradius | (10) eap_tls: TLS-Cert-Common-Name := "XY Sub CA" freeradius | (10) eap_tls: (TLS) Creating attributes from client certificate freeradius | (10) eap_tls: TLS-Client-Cert-Serial := "16000028666eef874492e150cd000000002866" freeradius | (10) eap_tls: TLS-Client-Cert-Expiration := "240209105026Z" freeradius | (10) eap_tls: TLS-Client-Cert-Valid-Since := "230209105026Z" freeradius | (10) eap_tls: TLS-Client-Cert-Issuer := "/DC=org/DC=example/CN=XY Sub CA" freeradius | (10) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "host1.XY.example.org" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, 1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "29:AC:A7:3F:AD:4D:C1:29:E6:1D:0B:42:B5:69:2B:0C:B2:1E:EB:16" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:C0:24:69:05:3E:2C:E0:26:AD:85:D9:9E:9D:16:B2:E8:4C:62:81:EC\n" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7878633" freeradius | Certificate chain - 1 cert(s) untrusted freeradius | (TLS) untrusted certificate with depth [1] subject name /DC=org/DC=example/CN=XY Sub CA freeradius | (TLS) untrusted certificate with depth [0] subject name freeradius | (10) eap_tls: Verifying client certificate: /usr/bin/openssl verify -crl_check -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename} freeradius | (10) eap_tls: Executing: /usr/bin/openssl verify -crl_check -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}: freeradius | (10) eap_tls: EXPAND %{TLS-Client-Cert-Filename} freeradius | (10) eap_tls: --> /tmp/radiusd/radiusd.client.XXXCiG1h freeradius | (10) eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.XXXCiG1h: OK' freeradius | (10) eap_tls: Client certificate CN xy Sub CA passed external validation freeradius | (10) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client certificate freeradius | (10) eap_tls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange freeradius | (10) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange freeradius | (10) eap_tls: (TLS) recv TLS 1.2 Handshake, CertificateVerify freeradius | (10) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read certificate verify freeradius | (10) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec freeradius | (10) eap_tls: (TLS) recv TLS 1.2 Handshake, Finished freeradius | (10) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read finished freeradius | (10) eap_tls: (TLS) send TLS 1.2 ChangeCipherSpec freeradius | (10) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec freeradius | (10) eap_tls: (TLS) send TLS 1.2 Handshake, Finished freeradius | (10) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write finished freeradius | (10) eap_tls: (TLS) Handshake state - SSL negotiation finished successfully freeradius | (10) eap_tls: (TLS) Connection Established freeradius | (10) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" freeradius | (10) eap_tls: TLS-Session-Version = "TLS 1.2" freeradius | (10) eap: Sending EAP Request (code 1) ID 249 length 61 freeradius | (10) eap: EAP session adding &reply:State = 0x67e882426d118fb8 freeradius | (10) [eap] = handled freeradius | (10) } # authenticate = handled freeradius | (10) Using Post-Auth-Type Challenge freeradius | (10) # Executing group from file /etc/raddb/sites-enabled/site freeradius | (10) Challenge { ... } # empty sub-section is ignored freeradius | (10) session-state: Saving cached attributes freeradius | (10) Framed-MTU = 1014 freeradius | (10) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" freeradius | (10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" freeradius | (10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" freeradius | (10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" freeradius | (10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" freeradius | (10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" freeradius | (10) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate" freeradius | (10) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" freeradius | (10) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify" freeradius | (10) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" freeradius | (10) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" freeradius | (10) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" freeradius | (10) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" freeradius | (10) TLS-Session-Version = "TLS 1.2" freeradius | (10) Sent Access-Challenge Id 135 from 10.0.118.207:1812 to 10.1.100.55:55713 length 119 freeradius | (10) EAP-Message = 0x01f9003d0d80000000331403030001011603030028964829c4b1eb2ba97048870d089503fa0d8020f067c7635c0ab47309d02855de782de2d54f0a70f2 freeradius | (10) Message-Authenticator = 0x00000000000000000000000000000000 freeradius | (10) State = 0x67e882426d118fb8e89303b497b5b384 freeradius | (10) Finished request freeradius | Waking up in 4.8 seconds. freeradius | (11) Received Access-Request Id 136 from 10.1.100.55:55713 to 10.0.118.207:1812 length 262 freeradius | (11) User-Name = "host/host1.XY.example.org" freeradius | (11) NAS-IP-Address = 10.1.100.55 freeradius | (11) NAS-Identifier = "6ad79a35b543" freeradius | (11) Called-Station-Id = "6A-D7-9A-35-B5-43:XY" freeradius | (11) NAS-Port-Type = Wireless-802.11 freeradius | (11) Service-Type = Framed-User freeradius | (11) Calling-Station-Id = "14-5A-FC-11-0C-55" freeradius | (11) Connect-Info = "CONNECT 0Mbps 802.11a" freeradius | (11) Acct-Session-Id = "131C98E526D732C9" freeradius | (11) Acct-Multi-Session-Id = "21DF24B695731162" freeradius | (11) WLAN-Pairwise-Cipher = 1027076 freeradius | (11) WLAN-Group-Cipher = 1027076 freeradius | (11) WLAN-AKM-Suite = 1027073 freeradius | (11) Framed-MTU = 1400 freeradius | (11) EAP-Message = 0x02f900060d00 freeradius | (11) State = 0x67e882426d118fb8e89303b497b5b384 freeradius | (11) Message-Authenticator = 0xa02414c00b4d2d854c32acaf0176ac3d freeradius | (11) Restoring &session-state freeradius | (11) &session-state:Framed-MTU = 1014 freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" freeradius | (11) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" freeradius | (11) &session-state:TLS-Session-Version = "TLS 1.2" freeradius | (11) # Executing section authorize from file /etc/raddb/sites-enabled/site freeradius | (11) authorize { freeradius | (11) policy filter_username { freeradius | (11) if (&User-Name) { freeradius | (11) if (&User-Name) -> TRUE freeradius | (11) if (&User-Name) { freeradius | (11) if (&User-Name =~ / /) { freeradius | (11) if (&User-Name =~ / /) -> FALSE freeradius | (11) if (&User-Name =~ /@[^@]*@/ ) { freeradius | (11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE freeradius | (11) if (&User-Name =~ /\.\./ ) { freeradius | (11) if (&User-Name =~ /\.\./ ) -> FALSE freeradius | (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { freeradius | (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE freeradius | (11) if (&User-Name =~ /\.$/) { freeradius | (11) if (&User-Name =~ /\.$/) -> FALSE freeradius | (11) if (&User-Name =~ /@\./) { freeradius | (11) if (&User-Name =~ /@\./) -> FALSE freeradius | (11) } # if (&User-Name) = notfound freeradius | (11) } # policy filter_username = notfound freeradius | (11) [preprocess] = ok freeradius | (11) eap: Peer sent EAP Response (code 2) ID 249 length 6 freeradius | (11) eap: No EAP Start, assuming it's an on-going EAP conversation freeradius | (11) [eap] = updated freeradius | (11) [expiration] = noop freeradius | (11) [logintime] = noop freeradius | (11) } # authorize = updated freeradius | (11) Found Auth-Type = eap freeradius | (11) # Executing group from file /etc/raddb/sites-enabled/site freeradius | (11) authenticate { freeradius | (11) eap: Expiring EAP session with state 0x67e882426d118fb8 freeradius | (11) eap: Finished EAP session with state 0x67e882426d118fb8 freeradius | (11) eap: Previous EAP request found for state 0x67e882426d118fb8, released from the list freeradius | (11) eap: Peer sent packet with method EAP TLS (13) freeradius | (11) eap: Calling submodule eap_tls to process data freeradius | (11) eap_tls: (TLS) Peer ACKed our handshake fragment. handshake is finished freeradius | (11) eap: Sending EAP Success (code 3) ID 249 length 4 freeradius | (11) eap: Freeing handler freeradius | (11) [eap] = ok freeradius | (11) } # authenticate = ok freeradius | (11) # Executing section post-auth from file /etc/raddb/sites-enabled/site freeradius | (11) post-auth { freeradius | (11) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { freeradius | (11) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE freeradius | (11) update { freeradius | (11) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 1014 freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.3 Handshake, ClientHello' freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHello' freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Certificate' freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerKeyExchange' freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, CertificateRequest' freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, ServerHelloDone' freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Certificate' freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, ClientKeyExchange' freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, CertificateVerify' freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) recv TLS 1.2 Handshake, Finished' freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 ChangeCipherSpec' freeradius | (11) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Finished' freeradius | (11) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384' freeradius | (11) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2' freeradius | (11) } # update = noop freeradius | (11) [exec] = noop freeradius | (11) update reply { freeradius | (11) EXPAND %{TLS-Cert-Serial} freeradius | (11) --> 1400000002219c173715ec84d9000000000002 freeradius | (11) Reply-Message += 1400000002219c173715ec84d9000000000002 freeradius | (11) EXPAND %{TLS-Cert-Expiration} freeradius | (11) --> 20511007092213Z freeradius | (11) Reply-Message += 20511007092213Z freeradius | (11) EXPAND %{TLS-Cert-Subject} freeradius | (11) --> /DC=org/DC=example/CN=XY Sub CA freeradius | (11) Reply-Message += /DC=org/DC=example/CN=XY Sub CA freeradius | (11) EXPAND %{TLS-Cert-Issuer} freeradius | (11) --> /C=xxx/ST=xxx/L=xxx/O=xxx/CN=xxx Root CA freeXYius | (11) Reply-Message += /C=xxx/ST=xXYL=xxx/O=xxx/CXYxx Root CA freeradius | (11) EXPAND %{TLS-Cert-CXYon-Name} freeradius | (11) --> xy Sub CA freeradius | (11) Reply-Message += xy Sub CA freeradius | (11) EXPAND %{TLS-Cert-Subject-Alt-Name-Dns} freeradius | (11) --> freeradius | (11) Reply-Message += freeradius | (11) EXPAND %{TLS-Client-Cert-Serial} freeradius | (11) --> 16000028666eef874492e150cd000000002866 freeradius | (11) Reply-Message += 16000028666eef874492e150cd000000002866 freeradius | (11) EXPAND %{TLS-Client-Cert-Expiration} freeradius | (11) --> 240209105026Z freeradius | (11) Reply-Message += 240209105026Z freeradius | (11) EXPAND %{TLS-Client-Cert-Subject} freeradius | (11) --> freeradius | (11) Reply-Message += freeradius | (11) EXPAND %{TLS-Client-Cert-Issuer} freeradius | (11) --> /DC=org/DC=example/CN=XY Sub CA freeradius | (11) Reply-Message += /DC=org/DC=example/CN=XY Sub CA freeradius | (11) EXPAND %{TLS-Client-Cert-Common-Name} freeradius | (11) --> freeradius | (11) Reply-Message += freeradius | (11) EXPAND %{TLS-Client-Cert-Subject-Alt-Name-Dns} freeradius | (11) --> host1.XY.example.org freeradius | (11) Reply-Message += host1.XY.example.org freeradius | (11) } # update reply = noop freeradius | (11) policy remove_reply_message_if_eap { freeradius | (11) if (&reply:EAP-Message && &reply:Reply-Message) { freeradius | (11) if (&reply:EAP-Message && &reply:Reply-Message) -> TRUE freeradius | (11) if (&reply:EAP-Message && &reply:Reply-Message) { freeradius | (11) update reply { freeradius | (11) &Reply-Message !* ANY freeradius | (11) } # update reply = noop freeradius | (11) } # if (&reply:EAP-Message && &reply:Reply-Message) = noop freeradius | (11) ... skipping else: Preceding "if" was taken freeradius | (11) } # policy remove_reply_message_if_eap = noop freeradius | (11) if (EAP-Key-Name && &reply:EAP-Session-Id) { freeradius | (11) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE freeradius | (11) policy debug_session_state { freeradius | (11) if ("%{debug_attr:session-state:}" == '') { freeradius | (11) Attributes matching "session-state:" freeradius | (11) &session-state:Framed-MTU = 1014 freeradius | (11) &session-state:TLS-Session-Information = (TLS) recv TLS 1.3 Handshake, ClientHello freeradius | (11) &session-state:TLS-Session-Information = (TLS) send TLS 1.2 Handshake, ServerHello freeradius | (11) &session-state:TLS-Session-Information = (TLS) send TLS 1.2 Handshake, Certificate freeradius | (11) &session-state:TLS-Session-Information = (TLS) send TLS 1.2 Handshake, ServerKeyExchange freeradius | (11) &session-state:TLS-Session-Information = (TLS) send TLS 1.2 Handshake, CertificateRequest freeradius | (11) &session-state:TLS-Session-Information = (TLS) send TLS 1.2 Handshake, ServerHelloDone freeradius | (11) &session-state:TLS-Session-Information = (TLS) recv TLS 1.2 Handshake, Certificate freeradius | (11) &session-state:TLS-Session-Information = (TLS) recv TLS 1.2 Handshake, ClientKeyExchange freeradius | (11) &session-state:TLS-Session-Information = (TLS) recv TLS 1.2 Handshake, CertificateVerify freeradius | (11) &session-state:TLS-Session-Information = (TLS) recv TLS 1.2 Handshake, Finished freeradius | (11) &session-state:TLS-Session-Information = (TLS) send TLS 1.2 ChangeCipherSpec freeradius | (11) &session-state:TLS-Session-Information = (TLS) send TLS 1.2 Handshake, Finished freeradius | (11) &session-state:TLS-Session-Cipher-Suite = ECDHE-RSA-AES256-GCM-SHA384 freeradius | (11) &session-state:TLS-Session-Version = TLS 1.2 freeradius | (11) EXPAND %{debug_attr:session-state:} freeradius | (11) --> freeradius | (11) if ("%{debug_attr:session-state:}" == '') -> TRUE freeradius | (11) if ("%{debug_attr:session-state:}" == '') { freeradius | (11) [noop] = noop freeradius | (11) } # if ("%{debug_attr:session-state:}" == '') = noop freeradius | (11) } # policy debug_session_state = noop freeradius | (11) if (TLS-Client-Cert-Issuer == "/DC=org/DC=example/CN=XY Sub CA"){ freeradius | (11) if (TLS-Client-Cert-Issuer == "/DC=org/DC=example/CN=XY Sub CA") -> TRUE freeradius | (11) if (TLS-Client-Cert-Issuer == "/DC=org/DC=example/CN=XY Sub CA") { freeradius | (11) if (TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.xy\.example\.org$/i){ freeradius | (11) if (TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.xy\.example\.org$/i) -> TRUE freeradius | (11) if (TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.xy\.example\.org$/i) { freeradius | (11) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1028721") { freeradius | (11) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1028721") -> FALSE freeradius | (11) elsif (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7878633") { freeradius | (11) elsif (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7878633") -> FALSE freeradius | (11) else { freeradius | (11) update reply { freeradius | (11) Reply-Message := "Certificate Extended-Key-Usage with wrong or missing Group." freeradius | (11) Auth-Type := Reject freeradius | (11) } # update reply = noop freeradius | (11) [reject] = reject freeradius | (11) } # else = reject freeradius | (11) } # if (TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.xy\.example\.org$/i) = reject freeradius | (11) } # if (TLS-Client-Cert-Issuer == "/DC=org/DC=example/CN=XY Sub CA") = reject freeradius | (11) } # post-auth = reject freeradius | (11) Using Post-Auth-Type Reject freeradius | (11) # Executing group from file /etc/raddb/sites-enabled/site freeradius | (11) Post-Auth-Type REJECT { freeradius | (11) attr_filter.access_reject: EXPAND %{User-Name} freeradius | (11) attr_filter.access_reject: --> host/host1.XY.example.org freeradius | (11) attr_filter.access_reject: Matched entry DEFAULT at line 11 freeradius | (11) [attr_filter.access_reject] = updated freeradius | (11) [eap] = noop freeradius | (11) policy remove_reply_message_if_eap { freeradius | (11) if (&reply:EAP-Message && &reply:Reply-Message) { freeradius | (11) if (&reply:EAP-Message && &reply:Reply-Message) -> TRUE freeradius | (11) if (&reply:EAP-Message && &reply:Reply-Message) { freeradius | (11) update reply { freeradius | (11) &Reply-Message !* ANY freeradius | (11) } # update reply = noop freeradius | (11) } # if (&reply:EAP-Message && &reply:Reply-Message) = noop freeradius | (11) ... skipping else: Preceding "if" was taken freeradius | (11) } # policy remove_reply_message_if_eap = noop freeradius | (11) } # Post-Auth-Type REJECT = updated freeradius | (11) Delaying response for 1.000000 seconds freeradius | Waking up in 0.3 seconds. freeradius | Waking up in 0.6 seconds. freeradius | (11) Sending delayed response freeradius | (11) Sent Access-Reject Id 136 from 10.0.118.207:1812 to 10.1.100.55:55713 length 44 freeradius | (11) EAP-Message = 0x03f90004 freeradius | (11) Message-Authenticator = 0x00000000000000000000000000000000