Troubleshooting EAP-TLS with External Certificates

Matthew Newton mcn4 at
Thu Sep 15 11:50:53 CEST 2016

On Wed, Sep 14, 2016 at 04:01:46PM -0700, Matthew West wrote:
> /etc/raddb/sites-available/check-eap-tls appears to be the correct
> virtual server to do the check.


> The information I am looking to check against is in the value-pair:
> TLS-Client-Cert-Subject.  When checking the debug, I found the
> information I'm looking for at chain-depth=0 in the chain (the first
> two certs are the primary CA and intermediate CA).  Will check-eap-tls
> use the information at chain-depth=0?

It's been a long time since I wrote that, but from memory I can't
think of any reason why it wouldn't. The whole point of it is to
check the client's cert, not the root/intermediates.



to see what attributes you can check.

> I would like to check the subject only for the inclusion of our
> domain,, but am new to string manipulation using unlang.
> I would like the function to work as following, but don't have the
> syntax correct.

It's all in the unlang man page. Use a regex.

>    if ("%{TLS-Client-Cert-Subject}" == (* + "") {

something more like

  if (&TLS-Client-Cert-Subject =~ /[@\.]$/) {

>                update config {

use "update control". "config" is obsolete.

>                        Auth-Type := Accept
>                }
>        }
>        else {
>                update config {
>                        Auth-Type := Reject
>                }
>                update reply {
>                        Reply-Message := "Your certificate is not valid."
>                }

This won't ever get seen by the client, so probably isn't worth

>        }

I would do it the other way around.

  update control {
    Auth-Type := Reject

  if (&TLS-Client-Cert-Subject =~ /[@\.]$/) {
    update control {
      Auth-Type := Accept


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list