Retrieving Client TLS attributes for invalid/rejected requests

Matthew Newton mcn at freeradius.org
Tue Sep 14 00:16:36 CEST 2021



On 13/09/2021 22:05, Alan DeKok wrote:
> On Sep 13, 2021, at 4:34 PM, Jason Healy <jhealy at logn.net> wrote:
>> But again all the TLS-* attributes come up blank in the linelog.  I can see them in the eap_tls section, but they're gone by the time I get to linelog:
>> ...
>> So, any way to retrieve invalid cert data for logging?
> 
>    Not right now.  :(  The certs are cached only when authentication succeeds.

I suspect that the attributes are also available in the check-eap-tls 
virtual server and could be copied out from there, but would need to 
check to be certain. It's possible that isn't called if validation fails 
beforehand.

-- 
Matthew


More information about the Freeradius-Users mailing list