Checking certificate client policies for RadSec connection

Alan DeKok aland at
Tue Aug 17 15:13:53 CEST 2021

On Aug 17, 2021, at 9:01 AM, Arnaud LAURIOU <arnaud.lauriou at> wrote:
> We are currently checking certificate policy (X509v3 Certificate Policies) of our RadSec clients
> with an external command : 'openssl verify -policy_check ...'
> Can we check these policies directly in FR, without an external command ?


> In debug mode (FR 3.0.23), I can't find these policies in the attributes list created from the
> client certificate.

  You will need to add a dictionary item for them.  Only a few X509 attributes are currently defined:

$ git grep -i x509 share/
share/dictionary.freeradius.internal:ATTRIBUTE  TLS-Client-Cert-X509v3-Extended-Key-Usage 1927  string
share/dictionary.freeradius.internal:ATTRIBUTE  TLS-Client-Cert-X509v3-Subject-Key-Identifier 1928      string
share/dictionary.freeradius.internal:ATTRIBUTE  TLS-Client-Cert-X509v3-Authority-Key-Identifier 1929    string
share/dictionary.freeradius.internal:ATTRIBUTE  TLS-Client-Cert-X509v3-Basic-Constraints 1930   string
share/dictionary.freeradius.internal:ATTRIBUTE  TLS-Client-Cert-X509v3-Extended-Key-Usage-OID 1936      string

  Run the server in debug mode (-Xx) to see messages like:

	Skipping TLS-Client-Cert-X509-Bar += 'foo'.  Please check that both the attribute and value are defined in the dictionaries

  That gives you the name to use.  Then, just add the new attribute to raddb/dictionary

  Alan DeKok.

More information about the Freeradius-Users mailing list