On Mon, Jul 4, 2011 at 5:53 PM, Johannes Koepcke <im...@impic.org> wrote:
> Hey,
>
> I'm running a freeradius2 server with mysql. Some users are authenticating
> via mschapv2 and some through eap-tls.
> My problem is that for eap-tls, the actual username field doesn't matter,
> users could specify anything as the username, as long as their certificates
> are valid. So I would like to log the name of the certificate owner instead
> of the radius username to my radpostauth table. How would I do that? Or do
> you recommend another way to accomplish what I'm trying to do?

Pasted from http://wiki.freeradius.org/Sites-configuration:

        #  If there is a client certificate (EAP-TLS, sometimes PEAP
        #  and TTLS), then some attributes are filled out after the
        #  certificate verification has been performed.  These fields
        #  MAY be available during the authentication, or they may be
        #  available only in the "post-auth" section.
        #
        #  The first set of attributes contains information about the
        #  issuing certificate which is being used.  The second
        #  contains information about the client certificate (if
        #  available).
        #
        #  update reply {
        #         Reply-Message += "%{TLS-Cert-Serial}"
        #         Reply-Message += "%{TLS-Cert-Expiration}"
        #         Reply-Message += "%{TLS-Cert-Subject}"
        #         Reply-Message += "%{TLS-Cert-Issuer}"
        #         Reply-Message += "%{TLS-Cert-Common-Name}"
        #
        #         Reply-Message += "%{TLS-Client-Cert-Serial}"
        #         Reply-Message += "%{TLS-Client-Cert-Expiration}"
        #         Reply-Message += "%{TLS-Client-Cert-Subject}"
        #         Reply-Message += "%{TLS-Client-Cert-Issuer}"
        #         Reply-Message += "%{TLS-Client-Cert-Common-Name}"
        #  }

I'm guessing what you're looking for is in %{TLS-Client-Cert-Common-Name}

--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
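
One way to get the certificate name into radpostauth, shown as an added example that is not part of the original thread: change the username value in the SQL module's post-auth query. It assumes the stock FreeRADIUS 2.x `sql/mysql/dialup.conf` query and radpostauth columns, and that the TLS-Client-Cert-* attributes are populated by the time post-auth runs.

```text
# sql/mysql/dialup.conf (FreeRADIUS 2.x); assumed stock layout

# Stock query: logs whatever the client sent as User-Name.
#postauth_query = "INSERT INTO ${postauth_table} \
#        (username, pass, reply, authdate) \
#        VALUES ( \
#        '%{User-Name}', \
#        '%{%{User-Password}:-%{Chap-Password}}', \
#        '%{reply:Packet-Type}', '%S')"

# Modified query: log the client certificate CN when one was presented
# (EAP-TLS); otherwise fall back to User-Name (e.g. the MSCHAPv2 users).
postauth_query = "INSERT INTO ${postauth_table} \
        (username, pass, reply, authdate) \
        VALUES ( \
        '%{%{TLS-Client-Cert-Common-Name}:-%{User-Name}}', \
        '%{%{User-Password}:-%{Chap-Password}}', \
        '%{reply:Packet-Type}', '%S')"
```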