Rejecting EAP-TLS based on cert Subject field

Matt Garretson mattg at
Thu Jan 27 22:30:05 CET 2011

On 1/27/2011 3:03 PM, Phil Mayers wrote:
>> I've met this need (using 2.1.11 from git) with a simple bit of unlang
>> in post-auth{}:
>>   if ( "%{TLS-Client-Cert-Subject}" =~ /OU=Evil/ ) {
>>     reject
>>   }
> Just put this in the "authorize" section? If it's early in the EAP 
> conversation, TLS-Client-* won't be set so won't match, meaning this 
> will succeed as soon as yo uget that far.

I'm not sure I follow you here.  Are you saying that there is a place in
the authorize section where TLS-Client-* _would_ be accessible to
unlang?  I've tried it in a few places (before eap, after eap, at the
top of the section, at the bottom of the section) and it seemed to have
no effect.  But it's entirely possible that I missed something during
these tests.

> Correct. Unlang is only processed in authorize-like steps, not arbitrary 
> bits of the config.

I can understand that.  But given that the eap module has access to some
client cert fields during authentication (e.g. check_cert_issuer and
check_cert_cn), it would be nice to be able to access these and other
client cert fields with unlang (or something similar) at that stage.
But, admittedly, I'm way over my head here  :-)   so I'll make do with
one of the methods described earlier in this thread.


More information about the Freeradius-Users mailing list