Check the subject and issuer in the EAP-TLS

Michal Prochazka michalp at
Fri May 12 10:37:18 CEST 2006


I'm new to this list and I have been playing with freeradius for about two 
weeks. I have noticed that there is no possibility to check the subject 
and issuer of the client certificate. My idea is to use EAP-TLS authN, 
but allow only some of the certificates issued by a specific CA. The two 
options which are available in the EAP-TLS config are not suitable for me. I 
don't want to revoke the certs, and the RE cannot be used either.

That's why I created a small patch to freeradius 1.1.0. I've added a new 
option check_script to the EAP config, where the path to a script or 
application can be defined which is executed after successful TLS 
authentication. The script/application will receive the request packet in 
environment variables, with two new value pairs: X509_SUBJECT and X509_ISSUER. 
The EAP-TLS module decides, based on the value returned by the script/app, 
whether the request will be discarded or allowed.

I'm open to every remark and enhancement of this patch. I will be glad 
if this part of the code, or something similar, could be in one of the next 
releases of freeradius. As I see on the user mailing list, there are 
other people asking for similar functionality from freeradius.

I'm running the patched freeradius in our organization and till now it works.
The patch is attached.

Best regards,


Michal Prochazka // michalp at

Supercomputing Center Brno
Institute of Computer Science
Masaryk University
Botanicka 68a, 60200 Brno, CZ

CESNET z.s.p.o.
Zikova 4, 16200 Praha 6, CZ
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeradius-eap-tls-check-cert-1.1.0.patch
Type: text/x-patch
Size: 9045 bytes
Desc: not available
URL: <>
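An added example, not the author's patch (which the archive does not reproduce): a minimal allow-list check_script of the kind the post describes. It assumes the hook exports the client certificate's subject and issuer DNs in the environment variables X509_SUBJECT and X509_ISSUER named above, and that exit status 0 means "allow" while any other status means "reject"; the exit-code convention, the OpenSSL-style one-line DN format and every DN value in it are assumptions constructed for illustration. The script compares the issuer and subject as whole strings rather than with a regular expression or substring test, and rejects when either variable is missing, so a misconfigured hook fails closed.

```shell
#!/bin/sh
# Example check_script for the EAP-TLS hook described in the post.
# Assumptions (not from the original patch): X509_SUBJECT and X509_ISSUER
# carry the DNs as OpenSSL one-line strings ("/C=../O=../CN=.."), and the
# EAP-TLS module treats exit 0 as allow and anything else as reject.
# All DN values below are constructed sample data.

# The single CA whose certificates are acceptable. Compared as a whole
# string, never as a substring, so "/O=Example Org Ltd" cannot pass for
# "/O=Example Org".
EXPECTED_ISSUER='/C=CZ/O=Example Org/CN=Example Org Internal CA'

# Allowed client subjects, one DN per line. In production this would live
# in a file readable only by the radius user; it is inlined here so the
# example runs stand-alone.
ALLOWED_SUBJECTS='/C=CZ/O=Example Org/CN=alice
/C=CZ/O=Example Org/CN=bob
/C=CZ/O=Example Org/CN=vpn-gateway-1'

# check_cert SUBJECT ISSUER -> returns 0 (allow) or 1 (reject)
check_cert() {
    subject=$1
    issuer=$2

    # A missing value usually means the hook did not run the way we expect;
    # failing closed is the safe default.
    [ -n "$subject" ] && [ -n "$issuer" ] || return 1

    # The issuer must match the expected CA exactly.
    [ "$issuer" = "$EXPECTED_ISSUER" ] || return 1

    # The subject must appear as a complete line of the allow list.
    # grep -F -x -q: fixed string, whole-line match, no output.
    printf '%s\n' "$ALLOWED_SUBJECTS" | grep -Fxq -- "$subject"
}

# Entry point when invoked by the hook: read the environment the EAP-TLS
# module is assumed to provide and turn the decision into an exit status.
if [ -n "${X509_SUBJECT:-}" ] || [ -n "${X509_ISSUER:-}" ]; then
    if check_cert "${X509_SUBJECT:-}" "${X509_ISSUER:-}"; then
        exit 0
    else
        exit 1
    fi
fi
```

To try it by hand, run it with the two variables set in the environment (for example `X509_SUBJECT='/C=CZ/O=Example Org/CN=alice' X509_ISSUER='/C=CZ/O=Example Org/CN=Example Org Internal CA' sh check_script.sh; echo $?`) and observe the exit status; the function can also be sourced and called directly, which is how the assertions below exercise it.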

More information about the Freeradius-Devel mailing list