Authentication issues

Alan DeKok aland at
Tue Jun 28 12:01:17 UTC 2022

On Jun 27, 2022, at 9:51 AM, David le Roux <david.leroux at> wrote:
> That's because when I put the unlang script above I get the following error in journalctl -xe

  All of the documentation says to test with "radiusd -X" (or freeradius-X).  Because that gives much more information than some random log file.

> /etc/freeradius/3.0/sites-enabled/mh-site[27]: Unknown attribute 'Cert-CN'

  Yes, you can't just invent things and have them work.  The server uses pre-defined dictionaries of named attributes.

  Happily, you can also define new attributes.  Edit /etc/freeradius/3.0/dictionary, and add:

ATTRIBUTE Cert-CN 3000 string

  and it will be define, and it will work.

> I was under the impression that the previous error:
>>> tls: Certificate CN ( does not match specified value (host/!
>>> (8) eap_tls: >>> send TLS 1.2  [length 0002]
>>> (8) eap_tls: ERROR: TLS Alert write:fatal:internal error
>>> tls: TLS_accept: Error in error
> Required modifying the username to match the certificate?

  No.  The error came because you modified the User-Name, and the modified version didn't match the certificate.

>> Instead, add a Cert-CN, and then modify the "eap" module to check for Cert-CN, and then User-Name:
>>      check_cert_cn = %{%{Cert-CN}:-%{User-Name}}
> I've added that, but the error message before adding that and after are the same.

  Define the Cert-CN attribute as described above.  And add a Cert-Cn in the "update" section, instead of over-writing User-Name.  It will work.

  Alan DeKok.

More information about the Freeradius-Users mailing list