On 1/27/2011 1:24 PM, Matt Garretson wrote:
> Thanks. That's actually my goal. But unlang isn't allowed in
> authenticate{}, and my attempts to sneak it into the authentication
> phase via the tls{} section in eap.conf didn't seem to work.
> Any other ways to do it?

Replying to myself here.... I got a bit closer to my goal by putting this
in the verify{} subsection of tls{}:

    tmpdir = /tmp/radiusd
    client = "/usr/local/bin/checkcert %{TLS-Client-Cert-Filename}"

Where /usr/local/bin/checkcert contains:

    #!/bin/sh
    if /usr/bin/openssl x509 -in "$1" -noout -text | \
         /bin/grep -q " Subject:.* OU=Evil," ; then
        RC=1
    else
        RC=0
    fi
    exit $RC

The XP client still tries three times (duh), but at least radius.log
reflects a failure:

    Error: TLS_accept: error in SSLv3 read client certificate B
    Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
    Auth: Login incorrect (TLS Alert write:fatal:certificate unknown): [snip]

Still, it would be nice if I could use unlang (or something) to match
against %{TLS-Client-Cert-Subject} during the authenticate stage somehow.
Is there a way that I'm missing?

Thanks,
-Matt

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
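A stricter variant of the verify{} client script described above, added here as an example and not taken from the post or from FreeRADIUS itself. The grep against the "-text" dump only matches when "OU=Evil" is followed by a comma, so a certificate whose OU is the last subject component slips through; this version compares the RDN exactly in RFC 2253 form, wherever it sits in the subject. It assumes an openssl that supports "-nameopt RFC2253"; the OU value "Evil" is the hypothetical one from the thread.

```shell
#!/bin/sh
# Added example: replacement for /usr/local/bin/checkcert, run by FreeRADIUS
# from tls { verify { client = ... } } with the certificate path as $1.
# A non-zero exit makes FreeRADIUS reject the client certificate.

DENIED_OU="Evil"   # hypothetical organizational unit to refuse

# subject_denied SUBJECT
#   SUBJECT is an RFC 2253 subject, e.g. "CN=alice,OU=Evil,O=Example".
#   Returns 0 (true) if some RDN is exactly "OU=$DENIED_OU", otherwise 1.
#   Values with an escaped comma ("\,") get split too; that can only make
#   a deny be missed, never produce a spurious one.
subject_denied() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx "OU=$DENIED_OU"
}

# cert_subject CERTFILE
#   Print the subject in RFC 2253 form without the "subject=" prefix
#   (older openssl releases print "subject= " with a space).
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//'
}

# checkcert CERTFILE
#   Exit status: 0 = accept, 1 = denied OU, 2 = unreadable certificate.
#   The pipeline's status is sed's, so an openssl failure shows up as an
#   empty subject; an empty subject is treated as a failure (fail closed).
checkcert() {
    subj=$(cert_subject "$1") || return 2
    [ -n "$subj" ] || return 2
    if subject_denied "$subj"; then
        echo "checkcert: denying client certificate: $subj" >&2
        return 1
    fi
    return 0
}

# Invoked by FreeRADIUS as: /usr/local/bin/checkcert /tmp/radiusd/<file>
if [ "$#" -eq 1 ]; then
    checkcert "$1"
    exit $?
fi
```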