v4: Can't see TLS certificate fields from `send Access-Accept` section anymore

Nick Bogdanov nickrbogdanov at gmail.com
Wed Feb 17 03:22:30 CET 2021


I am using EAP-TLS authentication and trying to read the
%{session-state.TLS-Client-Cert-Subject} attribute in order to set the
reply.Tunnel-Private-Group-Id field.  In v3 I could just add this to
my post-auth section:

        if (TLS-Client-Cert-Subject =~ /\/OU=VLAN 1\//) {
                update reply {
                        &Tunnel-Private-Group-Id = "1"
                }
        }

In v4 I can see the cert fields in the `recv Access-Request` section
(after setting `virtual_server = default` in mods-available/eap) but
they are all empty when I try to read them from the `send
Access-Accept` section.  In fact, if I uncomment these sections from
the default config, the fields are all empty too:

# update reply {
# &Reply-Message += "%{session-state.TLS-Cert-Serial}"
# &Reply-Message += "%{session-state.TLS-Cert-Expiration}"
# &Reply-Message += "%{session-state.TLS-Cert-Subject}"
# &Reply-Message += "%{session-state.TLS-Cert-Issuer}"
# &Reply-Message += "%{session-state.TLS-Cert-Common-Name}"
# &Reply-Message += "%{session-state.TLS-Cert-Subject-Alt-Name-Email}"
#
# &Reply-Message += "%{session-state.TLS-Client-Cert-Serial}"
# &Reply-Message += "%{session-state.TLS-Client-Cert-Expiration}"
# &Reply-Message += "%{session-state.TLS-Client-Cert-Subject}"
# &Reply-Message += "%{session-state.TLS-Client-Cert-Issuer}"
# &Reply-Message += "%{session-state.TLS-Client-Cert-Common-Name}"
# &Reply-Message += "%{session-state.TLS-Client-Cert-Subject-Alt-Name-Email}"
# }

The log says:

(15,8)    update reply {
(15,8)      EXPAND %{session-state.TLS-Cert-Serial}
(15,8)        --> (null)
(15,8)      EXPAND %{session-state.TLS-Cert-Expiration}
(15,8)        --> (null)
(15,8)      EXPAND %{session-state.TLS-Cert-Subject}
(15,8)        --> (null)
(15,8)      EXPAND %{session-state.TLS-Cert-Issuer}
(15,8)        --> (null)
(15,8)      EXPAND %{session-state.TLS-Cert-Common-Name}
(15,8)        --> (null)
(15,8)      EXPAND %{session-state.TLS-Cert-Subject-Alt-Name-Email}
(15,8)        --> (null)
(15,8)      EXPAND %{session-state.TLS-Client-Cert-Serial}
(15,8)        --> (null)
(15,8)      EXPAND %{session-state.TLS-Client-Cert-Expiration}
(15,8)        --> (null)
(15,8)      EXPAND %{session-state.TLS-Client-Cert-Subject}
(15,8)        --> (null)
(15,8)      EXPAND %{session-state.TLS-Client-Cert-Issuer}
(15,8)        --> (null)
(15,8)      EXPAND %{session-state.TLS-Client-Cert-Common-Name}
(15,8)        --> (null)
(15,8)      EXPAND %{session-state.TLS-Client-Cert-Subject-Alt-Name-Email}
(15,8)        --> (null)
(15,8)      &Reply-Message += ""
(15,8)      &Reply-Message += ""
(15,8)      &Reply-Message += ""
(15,8)      &Reply-Message += ""
(15,8)      &Reply-Message += ""
(15,8)      &Reply-Message += ""
(15,8)      &Reply-Message += ""
(15,8)      &Reply-Message += ""
(15,8)      &Reply-Message += ""
(15,8)      &Reply-Message += ""
(15,8)      &Reply-Message += ""
(15,8)      &Reply-Message += ""
(15,8)    } # update reply (noop)


I am running git rev 89b77dc09571cb4ac3cd4d639aee6c17bea23182, built
from source.  I saw something in upgrade.adoc about using the `filter`
directive but it wasn't clear to me what that meant.  Am I missing
something simple or is this a bug?
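Added example, not code from the post or from FreeRADIUS: a Python model of the post-auth policy above that parses the OpenSSL one-line subject carried in TLS-Client-Cert-Subject, maps an OU of the form "VLAN N" to the Tunnel-* reply attributes, and fails closed (assigns no VLAN) when the attribute expands to empty, as in the log above. The sample subjects and the allowed-VLAN set are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample values in the OpenSSL "oneline" form that FreeRADIUS
# stores in TLS-Client-Cert-Subject (hypothetical certificates, not from the post).
SAMPLE_SUBJECTS = {
    "vlan1":  "/C=US/O=Example Corp/OU=VLAN 1/CN=laptop-01",
    "vlan10": "/C=US/O=Example Corp/OU=VLAN 10/CN=printer-07",
    "no-ou":  "/C=US/O=Example Corp/CN=guest-03",
    "empty":  "",   # what the v4 send Access-Accept section saw: an empty expansion
}

# VLANs this policy is willing to hand out; anything else gets no assignment.
ALLOWED_VLANS = {1, 10}

def parse_oneline_dn(subject: str) -> dict:
    """Split '/C=US/O=Org/OU=x' into {'C': 'US', ...}. A repeated RDN keeps its last value."""
    rdns = {}
    for part in subject.split("/"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if sep:
            rdns[key] = value
    return rdns

# Anchored on both ends, so "VLAN 10" cannot be mistaken for "VLAN 1".
_VLAN_RE = re.compile(r"^VLAN (\d+)$")

def vlan_from_subject(subject: str) -> Optional[int]:
    """Return the VLAN to place the client in, or None to assign nothing (fail closed)."""
    if not subject:
        return None   # attribute was empty/(null): never fall through to a default VLAN
    ou = parse_oneline_dn(subject).get("OU", "")
    m = _VLAN_RE.fullmatch(ou)
    if not m:
        return None
    vlan = int(m.group(1))
    return vlan if vlan in ALLOWED_VLANS else None

def reply_attributes(subject: str) -> dict:
    """Build the reply attributes the unlang block in the post sets (RFC 2868 tunnel attributes)."""
    vlan = vlan_from_subject(subject)
    if vlan is None:
        return {}
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan),
    }

if __name__ == "__main__":
    for name, subj in SAMPLE_SUBJECTS.items():
        print(f"{name:7s} -> {reply_attributes(subj)}")
```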

