authorization policy based on cert issuer

Phil Mayers p.mayers at
Fri Nov 25 16:49:34 CET 2011

On 25/11/11 13:59, Edgar Fuß wrote:
> Seems that I'm slowly getting it.
>> To authorize subscriber you should make a decision based on both
>> subscriber profile and authentication result. This is what
>> post-auth section does. Put your authorization policies in this
>> section.
> So do I understand this correctly: if I, for example, want to put a
> client into a VLAN according to the EAP-TLS certificate issuer, the
> recommended way to to that is to use unlang to check
> %Client-Cert-Issuer in the post-auth section and use the "update
> reply" command to set the Tunnel-Private-Group-Id reply attribute? -

Yes, exactly so.

More information about the Freeradius-Users mailing list