Rejecting EAP-TLS based on cert Subject field

Matt Garretson mattg at
Thu Jan 27 21:46:42 CET 2011

On 1/27/2011 3:41 PM, Matt Garretson wrote:
> The XP client still tries three times (duh), but at least radius.log reflects 
> a failure:
>   Error:     TLS_accept: error in SSLv3 read client certificate B
>   Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>   Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
>   Auth: Login incorrect (TLS Alert write:fatal:certificate unknown): [snip]

*sigh*  I left out the first (and most useful) logging line in the above:

  Auth: rlm_eap_tls: Certificate CN (eviluser) fails external verification!

So, again, it's better than what I'd had before, but not as elegant as I 
was hoping.

More information about the Freeradius-Users mailing list