References to TLS-Client-Cert-Common-Name

Çağlar Karahan karahancaglar94 at gmail.com
Tue Apr 18 04:59:30 UTC 2023


As the screenshots of information about client certificate implies that
client has its common name and also issuer's (CA) common name. And debug
output shows that we get both attribute values with
TLS-Client-Cert-Common-Name which are *cacert *and *clientcert*.

While I want to use the TLS-Client-Cert-Common-Name attribute in the
authorize section which is also shown in debug output. In the authorize
section, the attribute returns issuer's common name instead of client's.

Screenshots of information about client certificate:
[image: image.png][image: image.png]


Debug output:


*Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Common-Name :=
"cacert"*  <huge whitespace delete>

*Fri Apr  7 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Common-Name :=
"clientcert"*










*Fri Apr  7 09:03:13 2023 : Debug: (5)   # Executing section authorize from
file /opt/freeradius/etc/raddb/sites-enabled/inner-tunnelFri Apr  7
09:03:13 2023 : Debug: (5)     authorize {Fri Apr  7 09:03:13 2023 : Debug:
(5)       if ("%{sql:select assignmentvalue from radeaptlsvlan where
(instr('%{TLS-Client-Cert-Common-Name}', assignmentvalue) > 0") {Fri Apr  7
09:03:13 2023 : Debug: %{User-Name}Fri Apr  7 09:03:13 2023 : Debug: Parsed
xlat tree:Fri Apr  7 09:03:13 2023 : Debug: attribute --> User-NameFri Apr
 7 09:03:13 2023 : Debug: (5)       EXPAND %{User-Name}Fri Apr  7 09:03:13
2023 : Debug: (5)          --> caglarFri Apr  7 09:03:13 2023 : Debug: (5)
      SQL-User-Name set to 'caglar'Fri Apr  7 09:03:13 2023 : Debug:
rlm_sql (sql): Reserved connection (0)Fri Apr  7 09:03:13 2023 : Debug: (5)
      Executing select query: select assignmentvalue from radeaptlsvlan
where (instr('cacert', assignmentvalue) > 0)*
Thanks,


Alan DeKok <aland at deployingradius.com>, 17 Nis 2023 Pzt, 16:01 tarihinde
şunu yazdı:

> On Apr 17, 2023, at 1:05 AM, Çağlar Karahan <karahancaglar94 at gmail.com>
> wrote:
> > I am using the TLS-Client-Cert-Common-Name attribute to get client
> > certificate common name value and use it in the authorize section. While
> it
> > does read the issue attributes from CA that comes with it, it ignores the
> > client attribute. How can I get the value of a client certificate?
>
>   If it doesn't show up in the debug output, then it's not in the
> certificate.
>
>   Have you tried using the OpenSSL tools to look at the certificate?
> What's the common name there?
>
> > *Here is the debug output:*
>
>   <huge whitespace delete>
>
> > *Fri Apr  7 09:03:13 2023 : Debug: (5)   EAP-Type = TLSFri Apr  7
> 09:03:13
> > 2023 : Debug: (5)   TLS-Client-Cert-Serial := "33ffb07c337ec3bc"Fri Apr
> 7
> > 09:03:13 2023 : Debug: (5)   TLS-Client-Cert-Expiration :=
> > "231109075300Z"Fri Apr  7 09:03:13 2023 : Debug: (5)
>
>   That isn't helpful.
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 12206 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20230418/84490197/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 12215 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20230418/84490197/attachment-0003.png>


More information about the Freeradius-Users mailing list