authorization policy based on cert issuer (was: Why Authorization before Authentication)

Edgar Fuß ef at
Fri Nov 25 14:59:44 CET 2011

Seems that I'm slowly getting it.

> To authorize subscriber you should make a decision based on both
> subscriber profile and authentication result. This is what post-auth
> section does. Put your authorization policies in this section.
So do I understand this correctly: if I, for example, want to put a client into a VLAN according to the EAP-TLS certificate issuer, the recommended way to do that is to use unlang to check %Client-Cert-Issuer in the post-auth section and use the "update reply" command to set the Tunnel-Private-Group-Id reply attribute?

