Retrieving Client TLS attributes for invalid/rejected requests

Matthew Newton mcn at
Tue Sep 14 00:16:36 CEST 2021

On 13/09/2021 22:05, Alan DeKok wrote:
> On Sep 13, 2021, at 4:34 PM, Jason Healy <jhealy at> wrote:
>> But again all the TLS-* attributes come up blank in the linelog.  I can see them in the eap_tls section, but they're gone by the time I get to linelog:
>> ...
>> So, any way to retrieve invalid cert data for logging?
>    Not right now.  :(  The certs are cached only when authentication succeeds.

I suspect that the attributes are also available in the check-eap-tls 
virtual server and could be copied out from there, but would need to 
check to be certain. It's possible that isn't called if validation fails 

