Rejecting EAP-TLS based on cert Subject field

Matt Garretson mattg at
Thu Jan 27 19:04:58 CET 2011

For years, we've been doing simple EAP-TLS with various versions of
FreeRADIUS.  Now, a new requirement has come down to me such that radius
will have to reject certain valid client certs based on a string in the
Subject field of the client cert.

I've met this need (using 2.1.11 from git) with a simple bit of unlang
in post-auth{}:

 if ( "%{TLS-Client-Cert-Subject}" =~ /OU=Evil/ ) {

It works, but there are two non-ideal things about the way it works:

 1) Windows XP doesn't seem to notice the rejection and keeps retrying
for a minute or two, ultimately failing to show any failure/error
message to the user.

 2) The rejection is not logged in radiusd.log; rather, three "Auth:
Login OK" lines are logged (the repetition is due to XP's retries)

Is there any way I can address these two issues?  I did try putting the
above unlang into eap.conf's tls{} section (where check_cert_issuer and
check_cert_cn would be), in hopes that the rejection would occur during
the auth rather than after it, but the code doesn't seem to have any
effect there.

Thanks in advance for any clues...

More information about the Freeradius-Users mailing list