Rejecting EAP-TLS based on cert Subject field

Phil Mayers p.mayers at
Fri Jan 28 12:36:39 CET 2011

On 27/01/11 21:30, Matt Garretson wrote:
> On 1/27/2011 3:03 PM, Phil Mayers wrote:
>>> I've met this need (using 2.1.11 from git) with a simple bit of unlang
>>> in post-auth{}:
>>>    if ( "%{TLS-Client-Cert-Subject}" =~ /OU=Evil/ ) {
>>>      reject
>>>    }
>> Just put this in the "authorize" section? If it's early in the EAP
>> conversation, TLS-Client-* won't be set so won't match, meaning this
>> will succeed as soon as you get that far.
> I'm not sure I follow you here.  Are you saying that there is a place in
> the authorize section where TLS-Client-* _would_ be accessible to
> unlang?  I've tried it in a few places (before eap, after eap, at the
> top of the section, at the bottom of the section) and it seemed to have
> no effect.  But it's entirely possible that I missed something during
> these tests.

You're right, I'm wrong.

EAP of course runs all its guts in the "authenticate" section, so 
nothing is available during the "authorize" section.

Sorry for the noise.
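As an added illustration of the post-auth check discussed above (not code from the thread or from FreeRADIUS), the following compares the unanchored `OU=Evil` substring match with an exact match on the parsed OU attribute. It assumes the subject arrives in OpenSSL "oneline" form (`/C=../O=../OU=../CN=..`); the sample subjects are constructed.

```python
import re

# Constructed sample subjects in OpenSSL oneline form, assumed here to be
# the shape of TLS-Client-Cert-Subject as seen by post-auth unlang.
SAMPLE_SUBJECTS = [
    "/C=GB/O=Example/OU=Evil/CN=alice",        # should be rejected
    "/C=GB/O=Example/OU=Evildoers/CN=bob",     # different OU, substring still hits
    "/C=GB/O=Example/OU=Staff/CN=OU=Evil",     # CN value merely contains the text
    "/C=GB/O=Example/OU=Staff/CN=carol",       # should be accepted
]


def substring_check(subject: str) -> bool:
    """The check from the thread: reject on 'OU=Evil' appearing anywhere."""
    return re.search(r"OU=Evil", subject) is not None


def parse_oneline_subject(subject: str) -> list[tuple[str, str]]:
    """Split a oneline DN into (attribute, value) pairs.

    Note: the oneline format does not escape '/' inside values, so a value
    containing a slash is ambiguous; this parser treats every '/' as an
    RDN separator, which is what the format itself implies.
    """
    rdns = []
    for part in subject.split("/"):
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr, value))
    return rdns


def exact_ou_check(subject: str, blocked_ou: str = "Evil") -> bool:
    """Reject only when an OU attribute equals blocked_ou exactly."""
    return any(attr == "OU" and value == blocked_ou
               for attr, value in parse_oneline_subject(subject))


def compare(subjects=SAMPLE_SUBJECTS):
    """Return (subject, substring_rejects, exact_rejects) for each sample."""
    return [(s, substring_check(s), exact_ou_check(s)) for s in subjects]


if __name__ == "__main__":
    for subject, loose, strict in compare():
        print(f"{subject}\n  substring rejects={loose}  exact rejects={strict}")
```

The same tightening applies to the unlang version: match the OU as a complete RDN between its delimiters rather than as a bare substring of the subject.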
