Checking TLS-Cert-* and accept/reject based on them
Phil Mayers
p.mayers at imperial.ac.uk
Thu Aug 29 15:12:35 CEST 2013
On 29/08/13 13:21, Axel Thimm wrote:
> The reason I'm not simply applying the patch is that this system is
> covered by support by Red Hat and replacing the vendor shipped
> freeradius (2.1.12) with a self-compiled one voids the support. So any
> other solution that would allow me to keep the system under support
> and still be able to check the certs Subject/CN would be great!
Ask RedHat? Since it's "supported"...
Otherwise, you could look at the "verify { }" stanza of the "tls { }"
block in eap.conf; this allows you to run an external script once you've
got the client cert, and there you can write any code you want to access
the various issuer/subject fields.
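
A sketch of such an external script, added here as an example; it is not part of the original post and is not shipped with FreeRADIUS. It reads the client certificate's subject with `openssl x509`, rejects subjects it cannot parse unambiguously, and accepts only CNs on an allow-list. The script path, the `ALLOWED_CNS` patterns and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: external check for the eap.conf "verify { }" stanza.
# Assumed wiring (the script path is hypothetical):
#   verify {
#       tmpdir = /var/tmp/radiusd
#       client = "/usr/local/sbin/check-client-cn.sh %{TLS-Client-Cert-Filename}"
#   }
# Exit status 0 accepts the certificate, anything else rejects it.

# Constructed allow-list: one shell glob per entry, space separated.
ALLOWED_CNS="${ALLOWED_CNS:-*.wifi.example.org laptop-??.example.org}"
NL='
'

# extract_cn SUBJECT_LINE
# Takes the line printed by "openssl x509 -noout -subject -nameopt RFC2253"
# and prints the CN. Fails closed on a missing CN, several CNs, escaped
# characters or multi-valued RDNs, so an ambiguous subject is never guessed at.
extract_cn() {
    dn=${1#subject=}
    dn=${dn# }                       # older OpenSSL prints "subject= CN=..."
    case $dn in *\\*|*+*) return 1 ;; esac
    cn=$(printf '%s\n' "$dn" | tr ',' '\n' | sed -n 's/^CN=//p')
    [ -n "$cn" ] || return 1
    case $cn in *"$NL"*) return 1 ;; esac
    printf '%s\n' "$cn"
}

# cn_allowed CN: succeeds when CN matches one entry of ALLOWED_CNS.
cn_allowed() {
    set -f                           # patterns must not expand to filenames
    for pat in $ALLOWED_CNS; do
        case $1 in $pat) set +f; return 0 ;; esac
    done
    set +f
    return 1
}

# verify_cert PEM_FILE: the decision FreeRADIUS sees as the exit status.
verify_cert() {
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 1
    cn=$(extract_cn "$subject") || return 1
    cn_allowed "$cn"
}

# Run only when a certificate file is passed, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    verify_cert "$1"
    exit $?
fi
```

The script only inspects the subject; chain validation against the CA is still done by the EAP-TLS module itself.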