TLS Client Certificate Attributes with proxy
Alan DeKok
aland at deployingradius.com
Tue Apr 22 17:40:53 UTC 2025
On Apr 22, 2025, at 11:59 AM, jhbulk75 <jhbulk75 at gmail.com> wrote:
> We use the rest module to call our backend server during post-auth for
> additional processing. When the request is locally terminated EAP-TLS, the
> request attribute list contains all of the TLS certificate attributes. We
> have a feature request that requires access to one of these TLS client cert
> attributes in post-auth (TLS-Client-Cert-Subject-Alt-Name-Uri).
>
> When the request is proxied this information is not available in post-auth.
> Does this mean it's not possible to see this data in a proxy configuration?
> Or does FreeRADIUS just not provide it because the eap module was not
> called?
The information is buried inside of TLS, and isn't accessible to FreeRADIUS.
> In other words, in lieu of FR not providing this for us, could EAP-Message
> be parsed to manually extract this data? Or is the information simply not
> there? We're trying to determine if this is still a viable option in a
> proxy environment.
You can't get at the data.
In TLS 1.2 and earlier, the client cert *might* be visible in the EAP-TLS packets. But getting at it would involve:
* decoding the EAP-Message to find the EAP-TLS data
* decoding EAP-TLS to find the TLS data
* decoding the TLS data to find the certificate
* decoding the DER data to get the SubjectAltName.
This cannot be done using the normal FreeRADIUS OpenSSL code.
So no, it's not possible.
Alan DeKok.
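To make the layering in the reply concrete, here is an added example that is not part of the original post or of FreeRADIUS: a small Python decoder that walks the first three steps listed above (RADIUS EAP-Message values → EAP packet → EAP-TLS → TLS records) on constructed sample data, and reports which certificate DER blobs, if any, are visible in cleartext. The sample EAP packets, the placeholder "certificate" bytes and the helper names are all made up for the illustration; the fourth step (ASN.1/DER parsing to reach the SubjectAltName) is not shown. It also illustrates why the answer differs by TLS version: a TLS 1.2 Certificate message is a plaintext handshake record, whereas TLS 1.3 sends the Certificate message encrypted as application_data, so a proxy sees nothing.

```python
"""Unwrap the layers between RADIUS EAP-Message attributes and the TLS
handshake they carry, to show what a proxy can and cannot see.
Added illustration; the sample packets and placeholder cert are constructed."""
import struct

EAP_RESPONSE = 2
EAP_TYPE_TLS = 13          # EAP-TLS method type (RFC 5216)
EAPTLS_FLAG_L = 0x80       # 4-octet TLS message length field present
EAPTLS_FLAG_M = 0x40       # more fragments follow
EAPTLS_FLAG_S = 0x20       # EAP-TLS start
TLS_HANDSHAKE = 22
TLS_APPLICATION_DATA = 23  # TLS 1.3 uses this type for encrypted records
HS_CERTIFICATE = 11

# Placeholder "DER" bytes: NOT a real certificate, just something to find again.
FAKE_CERT_DER = b"\x30\x82\x00\x10" + b"\xAA" * 16


def tls12_certificate_record(cert_der: bytes) -> bytes:
    """Build a cleartext TLS 1.2 Certificate handshake message in one record."""
    entry = len(cert_der).to_bytes(3, "big") + cert_der
    body = len(entry).to_bytes(3, "big") + entry
    handshake = bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake


def tls13_encrypted_record(payload: bytes) -> bytes:
    """TLS 1.3 carries Certificate under the handshake keys: opaque to a proxy."""
    return struct.pack("!BHH", TLS_APPLICATION_DATA, 0x0303, len(payload)) + payload


def eap_tls_response(ident: int, tls_data: bytes) -> bytes:
    """Wrap TLS bytes in an EAP-Response/EAP-TLS packet (L flag set, single fragment)."""
    body = bytes([EAP_TYPE_TLS, EAPTLS_FLAG_L]) + struct.pack("!I", len(tls_data)) + tls_data
    return struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(body)) + body


def split_into_eap_message_attrs(eap_packet: bytes, chunk: int = 253) -> list:
    """RADIUS splits an EAP packet across EAP-Message attributes of <= 253 octets."""
    return [eap_packet[i:i + chunk] for i in range(0, len(eap_packet), chunk)]


def unwrap_eap_tls(eap_messages: list) -> bytes:
    """EAP-Message values -> EAP packet -> EAP-TLS -> raw TLS bytes."""
    packet = b"".join(eap_messages)
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP length mismatch")
    if packet[4] != EAP_TYPE_TLS:
        raise ValueError("not EAP-TLS")
    flags = packet[5]
    pos = 6
    if flags & EAPTLS_FLAG_L:
        pos += 4  # skip the TLS message length field
    if flags & EAPTLS_FLAG_M:
        raise ValueError("fragmented: collect every EAP round trip first")
    return packet[pos:]


def tls_records(data: bytes):
    """Yield (content_type, version, fragment) for each TLS record in data."""
    pos = 0
    while pos < len(data):
        ctype, version, length = struct.unpack("!BHH", data[pos:pos + 5])
        frag = data[pos + 5:pos + 5 + length]
        if len(frag) != length:
            raise ValueError("truncated TLS record")
        yield ctype, version, frag
        pos += 5 + length


def visible_certificates(eap_messages: list) -> list:
    """Return DER blobs from any cleartext Certificate message; empty if none."""
    certs = []
    for ctype, _version, frag in tls_records(unwrap_eap_tls(eap_messages)):
        if ctype != TLS_HANDSHAKE:
            continue  # application_data is encrypted: nothing to read
        pos = 0
        while pos + 4 <= len(frag):
            htype = frag[pos]
            hlen = int.from_bytes(frag[pos + 1:pos + 4], "big")
            body = frag[pos + 4:pos + 4 + hlen]
            pos += 4 + hlen
            if htype != HS_CERTIFICATE:
                continue
            total = int.from_bytes(body[:3], "big")  # certificate_list length
            cur = 3
            while cur < 3 + total:
                clen = int.from_bytes(body[cur:cur + 3], "big")
                certs.append(body[cur + 3:cur + 3 + clen])
                cur += 3 + clen
    return certs


if __name__ == "__main__":
    tls12 = split_into_eap_message_attrs(eap_tls_response(5, tls12_certificate_record(FAKE_CERT_DER)))
    tls13 = split_into_eap_message_attrs(eap_tls_response(6, tls13_encrypted_record(b"\x00" * 40)))
    print("TLS 1.2 cleartext certs visible:", len(visible_certificates(tls12)))
    print("TLS 1.3 cleartext certs visible:", len(visible_certificates(tls13)))
```

Even in the TLS 1.2 case this only gets as far as raw DER; reaching TLS-Client-Cert-Subject-Alt-Name-Uri would still need a full certificate parser, which is the part of the work that FreeRADIUS does inside OpenSSL on the terminating server and not in the proxy path.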