Rejecting EAP-TLS based on cert Subject field

Matt Garretson mattg at
Thu Jan 27 21:41:13 CET 2011

On 1/27/2011 1:24 PM, Matt Garretson wrote:
> Thanks.  That's actually my goal.  But unlang isn't allowed in
> authenticate{}, and my attempts to sneak it into the authentication
> phase via the tls{} section in eap.conf didn't seem to work.
> Any other ways to do it?

Replying to myself here.... I got a bit closer to my goal by putting 
this in the verify{} subsection of tls{} :

  tmpdir = /tmp/radiusd
  client = "/usr/local/bin/checkcert  %{TLS-Client-Cert-Filename}"

Where /usr/local/bin/checkcert contains:

  if /usr/bin/openssl x509 -in "$1" -noout -text | \
           /bin/grep -q " Subject:.* OU=Evil," ; then
  exit $RC

The XP client still tries three times (duh), but at least radius.log reflects 
a failure:

  Error:     TLS_accept: error in SSLv3 read client certificate B
  Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
  Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
  Auth: Login incorrect (TLS Alert write:fatal:certificate unknown): [snip]

Still, it would be nice if I could use unlang (or something) to match against
%{TLS-Client-Cert-Subject} during the authenticate stage somehow.  Is there
a way that I'm missing?


More information about the Freeradius-Users mailing list