Travis Dimmig wrote:
Is it possible to read fields of the client cert divorced from the act of authenticating with it? Specifically, I have a FreeRADIUS server that proxies the authentication requests to have the actual authentication done by another, but I want to be able to inspect the value of the CommonName from the server doing the proxying.
i.e. decode the EAP protocol, then decode and reconstruct TLS, then pull the cert out of the reconstructed TLS session. That's hard. I welcome a patch, but it would be complicated.
The examples in the post-auth section show exactly the kind of control I want, where the values of cert fields are populated in FreeRADIUS internal attributes, but I need access to them from the server that is otherwise just proxying the requests.
<shrug> Maybe Wireshark would be useful here. It has some TLS reconstruction code.
I thought of having the authentication server add the values back into the reply, but an ideal solution would not require any changes on the authentication server.
That would be simplest. Alan DeKok.