Rejecting EAP-TLS based on cert Subject field

Alan DeKok aland at
Fri Jan 28 09:48:20 CET 2011

Matt Garretson wrote:
> It works, but there are two non-ideal things about the way it works:
>  1) Windows XP doesn't seem to notice the rejection and keeps retrying
> for a minute or two, ultimately failing to show any failure/error
> message to the user.

  You're sending a *radius* reject.  It doesn't include an EAP-Message
with an *EAP* reject.  So you need to create a fake one:

	update reply {
		EAP-Message := 0x04010004
	}

  That can work sometimes...

>  2) The rejection is not logged in radiusd.log; rather, three "Auth:
> Login OK" lines are logged (the repetition is due to XP's retries)

  Put the "unlang" in the "authenticate" section, after "eap":

	Auth-Type eap {
		if (...) {
			...
		}
	}

> Is there any way I can address these two issues?  I did try putting the
> above unlang into eap.conf's tls{} section (where check_cert_issuer and
> check_cert_cn would be), in hopes that the rejection would occur during
> the auth rather than after it, but the code doesn't seem to have any
> effect there.

  Unlang doesn't go in module configuration sections.

  Alan DeKok.
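Putting the two suggestions above together, here is an added example of what the authenticate section could look like; it is not code from the thread or from the FreeRADIUS project. It assumes a FreeRADIUS 2.x-era configuration in which rlm_eap_tls exposes the client certificate's subject in the request list as TLS-Client-Cert-Subject, and the allowed subject pattern (OU=Laptops) is a made-up placeholder.

```unlang
# Added example (not Alan's or FreeRADIUS's own code): run the certificate
# subject check inside Auth-Type eap, after "eap", so that a bad subject is
# logged as a failed login and the reject carries an EAP-Failure.
#
# Assumptions: FreeRADIUS 2.x unlang; the TLS-Client-Cert-Subject attribute
# is available in the request after the EAP-TLS handshake; the OU value is
# a hypothetical placeholder.
authenticate {
	Auth-Type eap {
		# Intermediate EAP-TLS rounds return "handled", which ends
		# processing of this section, so the check below only runs on
		# the final round, once the handshake has completed.
		eap

		# The certificate chain already verified; now apply the
		# site policy on the Subject field.
		if (TLS-Client-Cert-Subject !~ /OU=Laptops/) {
			update reply {
				# EAP-Failure: code 4, identifier 1, length 4.
				# Without this the supplicant only sees a RADIUS
				# reject and may keep retrying.
				EAP-Message := 0x04010004
			}
			reject
		}
	}
}
```

The identifier byte (0x01) is hard-coded here; RFC 3748 expects the EAP-Failure to carry the Identifier of the supplicant's last Response, so a fixed value is accepted by some clients and ignored by others, which is the "can work sometimes" caveat from the reply above. The "reject" return code is what turns the logged "Login OK" into a logged rejection, since the decision is now made inside the authenticate section rather than after it.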
