Checking TLS-Cert-* and accept/reject based on them

Axel Thimm Axel.Thimm at
Thu Aug 29 17:35:33 CEST 2013

On Thu, Aug 29, 2013 at 02:48:59PM +0100, Phil Mayers wrote:
> On 29/08/13 14:25, Axel Thimm wrote:
> >On Thu, Aug 29, 2013 at 02:12:35PM +0100, Phil Mayers wrote:
> >>Otherwise, you could look at the "verify { }" stanza of the "tls {
> >>}" block in eap.conf; this allows you to run an external script once
> >>you've got the client cert, and there you can write any code you
> >>want to access the various issuer/subject fields.
> >
> >Thanks, I'm already using it for other purposes. But do I have the
> >request data at hand to check for the requested SSID?
> It's run using the standard exec helper, so it has access to all the
> stuff that a normal exec module has; specifically there should be
> environment variables matching each request attribute, mangled into
> upper-case + underscores.
> e.g.
> Calling-Station-Id
> ...should appear as:
> Suggest you try it and see.

Thank you, that looks very promising!

> >
> >Or is there a way to set variables in this script to check later in
> >the authorize section's modules (with an exec script)?
> No. The output of the verify script is thrown away, so in that
> respect it's not like a normal exec. It's a binary yes/no.
> Obviously you could work around this; you could set a request
> variable to a unique value e.g. timestamp+random, have your verify{}
> script use that as the basis of a filename to dump the info to, then
> read it with *another* exec module lower down.

That is very nasty! I love it! :)

I'll try to go with the verify for now.

> Or you could abandon the prejudice against upgrading because "it's
> supported" (support you're not taking advantage of, I might add,
> since you're asking here) and upgrade to 2.2.0 which, IIRC, has
> those patches in.

For systems where I know I will be the long-term support, I can talk to the
customer and he will agree to have me patch up specific binaries, but
in this case I'm just setting this up.
Axel.Thimm at
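As an added example (not code from the thread or from the FreeRADIUS project), here is what a verify{} script for the tls{} block could look like: it reads the upper-cased, underscore-mangled request attributes from the environment, checks the client cert issuer and CN against the SSID the client asked for, and exits 0 to accept or 1 to reject. It assumes the attribute names TLS-Client-Cert-Issuer and TLS-Client-Cert-Common-Name, that the access point sends Called-Station-Id as "<AP-MAC>:<SSID>", and a constructed CA DN and policy.

```shell
#!/bin/sh
# Added example (not from the thread or FreeRADIUS): a verify{} script for the
# tls{} block of eap.conf.  FreeRADIUS runs it through the exec helper, so each
# request attribute is an environment variable, upper-cased with '-' turned
# into '_' (Calling-Station-Id -> CALLING_STATION_ID).  Output is discarded;
# only the exit status counts: 0 = accept the certificate, non-zero = reject.
# Assumptions: the attributes TLS-Client-Cert-Issuer / TLS-Client-Cert-Common-Name
# hold the client cert issuer and CN, the AP sends Called-Station-Id as
# "<AP-MAC>:<SSID>", and the CA DN and policy below are constructed.

OUR_CA="/C=DE/O=Example Corp/CN=Example Corp Wi-Fi CA"   # constructed DN

# check_cert ISSUER CN SSID -> exit status 0 (accept) or 1 (reject)
check_cert() {
    issuer=$1; cn=$2; ssid=$3
    # Reject anything not issued by our own CA, whatever the SSID.
    [ "$issuer" = "$OUR_CA" ] || return 1
    case $ssid in
        staff)  # staff SSID only for certs whose CN is a staff address
            case $cn in
                *@staff.example.org) return 0 ;;
                *)                   return 1 ;;
            esac ;;
        guest)  return 0 ;;   # any cert from our CA may use the guest SSID
        *)      return 1 ;;   # unknown or missing SSID: reject
    esac
}

# ssid_from_called_station "aa-bb-cc-dd-ee-ff:staff" -> prints "staff"
# (empty line when there is no ':' part)
ssid_from_called_station() {
    case $1 in
        *:*) printf '%s\n' "${1#*:}" ;;
        *)   printf '\n' ;;
    esac
}

# main: read the mangled environment variables and apply the policy.
main() {
    ssid=$(ssid_from_called_station "${CALLED_STATION_ID:-}")
    check_cert "${TLS_CLIENT_CERT_ISSUER:-}" \
               "${TLS_CLIENT_CERT_COMMON_NAME:-}" "$ssid"
}

# When FreeRADIUS invokes the script the issuer variable is set: exit with the
# policy result.  Without it (e.g. when sourced for testing) do nothing.
if [ -n "${TLS_CLIENT_CERT_ISSUER:-}" ]; then
    main; exit $?
fi
```

Because only the exit status survives, any fields you want to use later in authorize have to be re-derived there or passed through a file as described above.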

More information about the Freeradius-Users mailing list