References to TLS-Client-Cert-Common-Name

Çağlar Karahan karahancaglar94 at gmail.com
Mon Apr 17 05:05:40 UTC 2023


Hi,
I am using the TLS-Client-Cert-Common-Name attribute to get the client
certificate's common name value and use it in the authorize section. While it
does read the issuer attributes from the CA that comes with it, it ignores the
client attribute. How can I get the value of a client certificate?

*Here is the debug output:*

Fri Apr  7 09:03:13 2023 : Debug: (5)   EAP-Type = TLS
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Serial := "33ffb07c337ec3bc"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Expiration := "231109075300Z"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Valid-Since := "221109075300Z"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Subject := "/CN=cacert"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Issuer := "/CN=cacert"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Common-Name := "cacert"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-X509v3-Basic-Constraints += "CA:TRUE"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-X509v3-Subject-Key-Identifier += "FA:CF:53:D7:B0:54:5A:DA:12:A0:51:D4:C1:2B:10:C3:2F:C2:17:6E"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:FA:CF:53:D7:B0:54:5A:DA:12:A0:51:D4:C1:2B:10:C3:2F:C2:17:6E\n"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Serial := "55deef44a81709aa"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Expiration := "231109075300Z"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Valid-Since := "221109075600Z"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Subject := "/CN=clientcert/emailAddress=client@example.com/serialNumber=ababab0123456"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Issuer := "/CN=cacert"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Common-Name := "clientcert"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Subject-Alt-Name-Email := "clientcert@example.com"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Subject-Alt-Name-Dns := "clientcert.copy.com.example.com"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-X509v3-Subject-Key-Identifier += "AA:57:43:AC:9D:32:95:F8:DB:E5:4B:7A:8E:0F:D3:5C:52:42:14:EC"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:FA:CF:53:D7:B0:54:5A:DA:12:A0:51:D4:C1:2B:10:C3:2F:C2:17:6E\n"
Fri Apr  7 09:03:13 2023 : WARNING: (5) Outer and inner identities are the same.  User privacy is compromised.
Fri Apr  7 09:03:13 2023 : Debug: (5) server eap-tls-check {
Fri Apr  7 09:03:13 2023 : Debug: (5)   session-state: No cached attributes
Fri Apr  7 09:03:13 2023 : Debug: (5)   # Executing section authorize from file /opt/freeradius/etc/raddb/sites-enabled/inner-tunnel
Fri Apr  7 09:03:13 2023 : Debug: (5)     authorize {
Fri Apr  7 09:03:13 2023 : Debug: (5)       if ("%{sql:select assignmentvalue from radeaptlsvlan where (instr('%{TLS-Client-Cert-Common-Name}', assignmentvalue) > 0") {
Fri Apr  7 09:03:13 2023 : Debug: rlm_sql (sql): Reserved connection (6)
Fri Apr  7 09:03:13 2023 : Debug: rlm_sql (sql): Released connection (6)
Fri Apr  7 09:03:13 2023 : Debug: rlm_sql (sql): Reserved connection (2)
Fri Apr  7 09:03:13 2023 : Debug: rlm_sql (sql): Released connection (2)
Fri Apr  7 09:03:13 2023 : Debug: rlm_sql (sql): Reserved connection (3)
Fri Apr  7 09:03:13 2023 : Debug: rlm_sql (sql): Released connection (3)
Fri Apr  7 09:03:13 2023 : Debug: rlm_sql (sql): Reserved connection (4)
Fri Apr  7 09:03:13 2023 : Debug: rlm_sql (sql): Released connection (4)
Fri Apr  7 09:03:13 2023 : Debug: %{User-Name}
Fri Apr  7 09:03:13 2023 : Debug: Parsed xlat tree:
Fri Apr  7 09:03:13 2023 : Debug: attribute --> User-Name
Fri Apr  7 09:03:13 2023 : Debug: (5)       EXPAND %{User-Name}
Fri Apr  7 09:03:13 2023 : Debug: (5)          --> caglar
Fri Apr  7 09:03:13 2023 : Debug: (5)       SQL-User-Name set to 'caglar'
Fri Apr  7 09:03:13 2023 : Debug: rlm_sql (sql): Reserved connection (0)
Fri Apr  7 09:03:13 2023 : Debug: (5)       Executing select query: select assignmentvalue from radeaptlsvlan where (instr('cacert', assignmentvalue) > 0)
Regards,
Caglar
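As an added example (not code from the post above and not part of FreeRADIUS): the debug dump prints the same TLS-Client-Cert-* attribute names once for every certificate the server examines, the CA certificate first and the client certificate after it, so any check that reads TLS-Client-Cert-Common-Name has to know which certificate the values it sees belong to. The Python below parses such a dump, groups the attributes per certificate (each TLS-Client-Cert-Serial starts a new record) and picks the end-entity certificate by its Basic Constraints. The embedded log text is a constructed, condensed copy of the lines above with the mailing list's e-mail obfuscation undone; the function names are my own.

```python
import re

# Constructed sample input: a condensed, de-obfuscated copy of the debug lines
# quoted in the post above, one record per line as radiusd -X prints them.
SAMPLE_DEBUG = """\
Fri Apr  7 09:03:13 2023 : Debug: (5)   EAP-Type = TLS
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Serial := "33ffb07c337ec3bc"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Subject := "/CN=cacert"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Issuer := "/CN=cacert"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Common-Name := "cacert"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-X509v3-Basic-Constraints += "CA:TRUE"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Serial := "55deef44a81709aa"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Subject := "/CN=clientcert/emailAddress=client@example.com/serialNumber=ababab0123456"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Issuer := "/CN=cacert"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Common-Name := "clientcert"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Subject-Alt-Name-Dns := "clientcert.copy.com.example.com"
Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
Fri Apr  7 09:03:13 2023 : Debug: (5) server eap-tls-check {
"""

# One attribute assignment as radiusd prints it:  (N)   Name OP "value"
ATTR_RE = re.compile(r'\(\d+\)\s+(TLS-Client-Cert-[\w-]+)\s+(:=|\+=|=)\s+"(.*)"\s*$')


def split_cert_records(debug_text):
    """Group TLS-Client-Cert-* attributes into one dict per certificate.

    Each certificate's dump starts with TLS-Client-Cert-Serial, so a new
    Serial opens a new record. ':=' values are stored as scalars; '+='
    values (the X509v3 extensions) are accumulated into lists.
    """
    records = []
    current = None
    for line in debug_text.splitlines():
        m = ATTR_RE.search(line)
        if not m:
            continue
        name, op, value = m.groups()
        if name == "TLS-Client-Cert-Serial":
            current = {}
            records.append(current)
        if current is None:
            continue  # attribute printed before any Serial: nothing to attach it to
        if op == "+=":
            current.setdefault(name, []).append(value)
        else:
            current[name] = value
    return records


def is_ca(record):
    """True if Basic Constraints marks the certificate as a CA.

    RFC 5280 section 4.2.1.9 requires cA=TRUE in every CA certificate, so a
    record without CA:TRUE is treated as an end-entity certificate.
    """
    constraints = record.get("TLS-Client-Cert-X509v3-Basic-Constraints", [])
    return any(v.startswith("CA:TRUE") for v in constraints)


def leaf_certificate(records):
    """Return the first non-CA record, or None if only CA certificates were seen."""
    for record in records:
        if not is_ca(record):
            return record
    return None


def client_common_name(debug_text):
    """Common Name of the end-entity (client) certificate in a debug dump."""
    leaf = leaf_certificate(split_cert_records(debug_text))
    return None if leaf is None else leaf.get("TLS-Client-Cert-Common-Name")


if __name__ == "__main__":
    for rec in split_cert_records(SAMPLE_DEBUG):
        kind = "CA  " if is_ca(rec) else "leaf"
        print(kind, rec["TLS-Client-Cert-Serial"], rec.get("TLS-Client-Cert-Common-Name"))
    print("client CN:", client_common_name(SAMPLE_DEBUG))
```

Run as a script it prints each certificate's role, serial and Common Name, then the client CN ("clientcert" for the sample). Keying the choice on Basic Constraints rather than on position in the dump or on subject equalling issuer also works when an intermediate CA sits between root and client, because every CA certificate must carry CA:TRUE.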


More information about the Freeradius-Users mailing list