Support for check_cert_subjectAltName?

Alan DeKok aland at
Mon Jan 9 13:21:50 CET 2012

Phil Mayers wrote:
> Isn't there a problem with that approach though? Namely, that the TLS-*
> attributes aren't available in the "authorize" section (because the eap
> module, and all the EAP methods, do their with in "authenticate").


> But
> in post-auth, turning an accept into a reject is fraught, and bad practice?

  The certs can be checked in the "authenticate" section, too.

> This comes up occasionally when people want to check the TLS-*
> attributes and act on them (as opposed to logging them).

  The rlm_eap code could be modified to look up the handler in the
authorize section.  If found, the certs could be added to the request.

  It's probably not a lot of code, and could be useful for 3.0.

  Alan DeKok.

More information about the Freeradius-Users mailing list