Retrieving Client TLS attributes for invalid/rejected requests

Alan DeKok aland at
Mon Sep 13 23:05:38 CEST 2021

On Sep 13, 2021, at 4:34 PM, Jason Healy <jhealy at> wrote:
> We're using EAP TLS and I've had no trouble pulling the TLS attributes (TLS-Client-Common-Name, etc) out of the request during normal processing.
> However, I'm getting several certs as revoked/expired and I'd like to get into it a little more.  I could attach to debug, but I'd like to also log these failed certificates so I can chase down the users and run some reports.
> However, when I try to log the TLS-* attributes in Post-Auth-Type REJECT, they're empty.  I'm guessing that the EAP module cleans them up on failure?  I even tried to use failover to catch the invalid response as quickly as possible:
> eap {
>    invalid = 1
> }
> if (invalid) {
>    sa_linelog_bad_cert
>    invalid
> }

  When the EAP module decides that the TLS session is invalid, it tears down the entire TLS session, including the attributes which are associated with that session.  These attributes are associated with the session-state list only if authentication succeeds.

> But again all the TLS-* attributes come up blank in the linelog.  I can see them in the eap_tls section, but they're gone by the time I get to linelog:
> ...
> So, any way to retrieve invalid cert data for logging?

  Not right now.  :(  The certs are cached only when authentication succeeds.

  I'll see if I can add a flag which also caches them on authentication failure.

  Alan DeKok.

More information about the Freeradius-Users mailing list