Checking TLS-Cert-* and and accept/reject based on them

Axel Thimm Axel.Thimm at
Thu Aug 29 14:21:25 CEST 2013

Dear all,

1-2 years ago this topic was discussed and there was a patch by
Matthew Newton that was approved for the master branch.

I'm now facing the difficulty of accepting/rejecting requests based on
the contents of the TLS-Client-Cert for 2.1.12 which does not contain
this patch. This is done in an exec module script in the authorize
section which needs to decide on the request information and the
certificate data whether to allow or disallow access.

Other than applying this patch to 2.1.12 or switching to master, is
there any other way to use the binaries of 2.1.12 and still be able to
use the client cerficate date in the exec script?

The reason I'm not simply applying the patch is that this system is
covered by support by Red Hat and replacing the vendor shipped
freeradius (2.1.12) with a self-compiled one voids the support. So any
other solution that would allow me to keep the system under support
and still be able to check the certs Subject/CN would be great!

Some more details for anyone interested: The RADIUS client is an AP
and the devices are Wifi clients like Android, iPads, laptops etc with
Client certificates. Some devices should be allowed to access some
SSIDs and others are not. freeradius gets the certificate and needs to
extract the embedded username (which is just the device's serial
number and displayed in the logs as BUF-name) for checking whether
this device is allowed to connect to this SSID. The decision is made
in an exec module in the authorize section, but I cannot pass any
certificate information to it for checking.

Thanks, Axel.
Axel.Thimm at

More information about the Freeradius-Users mailing list