Checking TLS-Cert-* and accept/reject based on them

Alan DeKok aland at
Wed Feb 8 11:47:57 CET 2012

Matthew Newton wrote:
> First is that you can call the detail module, to get a record of
> the certificate details easily in a log. Putting detail in
> post-auth before didn't work as, in post-auth, detail logs the
> response not the request.

> I've now got a detail instance in both the tls virtual-server and
> the post-auth / post-auth reject. This gets me a single log file
> with two (only) entries for each connection request - both the
> request AVPs, the certificate data, and the response.

  That does make it much easier to manage.

> Second is that I can call LDAP from the TLS virtual server and
> check group membership of the connecting device. Without this, you
> have to call LDAP in the inner tunnel (or outer, if you're doing
> plain EAP-TLS), and it gets called each time around the
> challenge-response loop, which hits the LDAP server more than
> necessary. Here, it just gets called once (see [0] for similar
> with PEAP/MS-CHAPv2). It's similar to the eap { ok = return } you
> can do for PEAP, but for EAP-TLS.

  That helps, too.

  My only comment is that the patch is against the v2.1.x branch.  Major
new functionality needs to go into the "master" branch.

  Alan DeKok.
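The layout Matthew describes above (certificate AVPs logged once from the TLS virtual server, a single LDAP group check there, and the response logged from post-auth) written out as a 2.1.x-style configuration. This is an added illustration, not Matthew's patch and not a file shipped with FreeRADIUS; the instance names, file paths, the group name, the expected issuer DN and the choice to key the LDAP lookup on the certificate CN are all assumptions.

```conf
# Added example: not the patch under discussion and not a shipped
# FreeRADIUS file. Paths, instance names, the group name and the issuer
# DN are placeholders; the syntax follows 2.1.x (detailfile, not filename).

# modules/cert_log  -- a second detail instance just for certificate data
detail cert_log {
	detailfile = ${radacctdir}/cert-detail-%Y%m%d
	detailperm = 0600
}

# eap.conf, inside eap { tls { ... } }: hand the client-certificate
# decision to a virtual server instead of accepting every CA-signed cert.
#	virtual_server = check-eap-tls

# sites-available/check-eap-tls
server check-eap-tls {
	authorize {
		# The request here carries the TLS-Client-Cert-* / TLS-Cert-*
		# AVPs, so one detail call logs them once per connection
		# rather than once per round of the TLS handshake.
		cert_log

		# Accept only certificates issued by our device CA.
		# The DN below is a placeholder for the real issuer.
		if (TLS-Client-Cert-Issuer != "/C=XX/O=Example/CN=Example Device CA") {
			reject
		}

		# Look the device up by the CN in its certificate rather than
		# the outer EAP identity (assumption), then require membership
		# of one LDAP group. rlm_ldap's Ldap-Group comparison performs
		# the group lookup; this runs once, not per challenge round.
		update request {
			User-Name := "%{TLS-Client-Cert-Common-Name}"
		}
		ldap
		if (!(Ldap-Group == "wifi-devices")) {
			reject
		}
		ok
	}
}

# sites-available/default: post-auth sees the reply, so a detail call
# here records the Access-Accept or Access-Reject side. The reject path
# needs its own call because Post-Auth-Type REJECT is a separate section.
#	post-auth {
#		reply_log
#		Post-Auth-Type REJECT {
#			reply_log
#		}
#	}
```

With `cert_log` writing from the TLS virtual server and `reply_log` writing from post-auth, each connection produces exactly the two entries Matthew mentions: one with the request AVPs and certificate fields, one with the response. The issuer check is a defensive extra beyond CA validation; a `reject` in the `check-eap-tls` authorize section fails the TLS handshake, so the outer EAP exchange never reaches the inner tunnel.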
