Rejecting EAP-TLS based on cert Subject field

Phil Mayers p.mayers at
Thu Jan 27 21:03:53 CET 2011

On 01/27/2011 06:04 PM, Matt Garretson wrote:
> For years, we've been doing simple EAP-TLS with various versions of
> FreeRADIUS.  Now, a new requirement has come down to me such that radius
> will have to reject certain valid client certs based on a string in the
> Subject field of the client cert.
> I've met this need (using 2.1.11 from git) with a simple bit of unlang
> in post-auth{}:
>   if ( "%{TLS-Client-Cert-Subject}" =~ /OU=Evil/ ) {
>     reject
>   }

Just put this in the "authorize" section? If it's early in the EAP 
conversation, TLS-Client-* won't be set so won't match, meaning this 
will succeed as soon as you get that far.

> It works, but there are two non-ideal things about the way it works:
>   1) Windows XP doesn't seem to notice the rejection and keeps retrying
> for a minute or two, ultimately failing to show any failure/error
> message to the user.
>   2) The rejection is not logged in radiusd.log; rather, three "Auth:
> Login OK" lines are logged (the repetition is due to XP's retries)
> Is there any way I can address these two issues?  I did try putting the
> above unlang into eap.conf's tls{} section (where check_cert_issuer and
> check_cert_cn would be), in hopes that the rejection would occur during
> the auth rather than after it, but the code doesn't seem to have any
> effect there.

Correct. Unlang is only processed in authorize-like steps, not arbitrary 
bits of the config.
