How to log "TLS name" instead of username

Fajar A. Nugraha list at fajar.net
Mon Jul 4 13:00:46 CEST 2011


On Mon, Jul 4, 2011 at 5:53 PM, Johannes Koepcke <impic at impic.org> wrote:
> Hey,
>
> I'm running a freeradius2 server with mysql. Some users are authenticating via mschapv2 and some through eap-tls.
> My problem is that for eap-tls, the actual username field doesn't matter, users could specify anything as the username, as long as their certificates are valid. So I would like to log the name of the certificate owner instead of the radius username to my radpostauth table. How would I do that? Or do you recommend another way to accomplish what I'm trying to do?

Pasted from http://wiki.freeradius.org/Sites-configuration:

      #  If there is a client certificate (EAP-TLS, sometimes PEAP
      #  and TTLS), then some attributes are filled out after the
      #  certificate verification has been performed.  These fields
      #  MAY be available during the authentication, or they may be
      #  available only in the "post-auth" section.
      #
      #  The first set of attributes contains information about the
      #  issuing certificate which is being used.  The second
      #  contains information about the client certificate (if
      #  available).
      #
      #     update reply {
      #            Reply-Message += "%{TLS-Cert-Serial}"
      #            Reply-Message += "%{TLS-Cert-Expiration}"
      #            Reply-Message += "%{TLS-Cert-Subject}"
      #            Reply-Message += "%{TLS-Cert-Issuer}"
      #            Reply-Message += "%{TLS-Cert-Common-Name}"
      #
      #            Reply-Message += "%{TLS-Client-Cert-Serial}"
      #            Reply-Message += "%{TLS-Client-Cert-Expiration}"
      #            Reply-Message += "%{TLS-Client-Cert-Subject}"
      #            Reply-Message += "%{TLS-Client-Cert-Issuer}"
      #            Reply-Message += "%{TLS-Client-Cert-Common-Name}"
      #     }


I'm guessing what you're looking for is in %{TLS-Client-Cert-Common-Name}

-- 
Fajar
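One way to get the validated certificate CN into radpostauth, as an added example that is not part of the thread or the FreeRADIUS project: replace the stock postauth_query in the FreeRADIUS 2.x sql/mysql/dialup.conf and make sure sql runs in post-auth. It assumes the default radpostauth schema (username, pass, reply, authdate) and the default module name "sql".

```conf
#  sql/mysql/dialup.conf (FreeRADIUS 2.x): replacement postauth_query.
#  Added example; assumes the stock radpostauth columns.
#
#  %{%{A}:-%{B}} expands A and falls back to B when A is empty, so an
#  EAP-TLS session logs the CN of the client certificate that passed
#  verification, while an MSCHAPv2 user (no certificate, attribute
#  empty) still logs the RADIUS User-Name.  The TLS-Client-Cert-*
#  attributes are only guaranteed to exist in post-auth, which is
#  where this query runs.  rlm_sql escapes every %{...} expansion
#  before the statement is built, so a CN containing quotes cannot
#  alter the INSERT.
postauth_query = "INSERT INTO ${postauth_table} \
                  (username, pass, reply, authdate) \
                  VALUES ( \
                  '%{%{TLS-Client-Cert-Common-Name}:-%{User-Name}}', \
                  '%{%{User-Password}:-%{Chap-Password}}', \
                  '%{reply:Packet-Type}', '%S')"

#  sites-enabled/default: the query above only fires if the sql module
#  is listed in post-auth (it is commented out in the shipped config).
#  The REJECT sub-section logs failed attempts, including a valid
#  certificate whose CN you may later want to compare against User-Name.
post-auth {
        sql
        Post-Auth-Type REJECT {
                sql
        }
}
```

Run radiusd -X for one EAP-TLS and one MSCHAPv2 login and check that the username column shows the CN for the first and the User-Name for the second; if the CN column is empty for EAP-TLS, the client certificate attributes were not available in post-auth on that build.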