On 29/08/13 14:25, Axel Thimm wrote:
> On Thu, Aug 29, 2013 at 02:12:35PM +0100, Phil Mayers wrote:
>> Otherwise, you could look at the "verify { }" stanza of the "tls {
>> }" block in eap.conf; this allows you to run an external script once
>> you've got the client cert, and there you can write any code you
>> want to access the various issuer/subject fields.
>
> Thanks, I'm already using it for other purposes. But do I have the
> request data at hand to check for the requested SSID?

It's run using the standard exec helper, so it has access to all the stuff that a normal exec module has; specifically there should be environment variables matching each request attribute, mangled into upper-case + underscores.

e.g.

Calling-Station-Id

...should appear as:

CALLING_STATION_ID

Suggest you try it and see.


> Or is there a way to set variables in this script to check later in
> the authorize section's modules (with an exec script)?

No. The output of the verify script is thrown away, so in that respect it's not like a normal exec. It's a binary yes/no.

Obviously you could work around this; you could set a request variable to a unique value e.g. timestamp+random, have your verify{} script use that as the basis of a filename to dump the info to, then read it with *another* exec module lower down.

Or you could abandon the prejudice against upgrading because "it's supported" (support you're not taking advantage of, I might add, since you're asking here) and upgrade to 2.2.0 which, IIRC, has those patches in.
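
An added example, not part of the original message or of the FreeRADIUS distribution: shell functions for a verify{} script that look up a request attribute through the mangled environment name described above and give a yes/no answer on the SSID. Assumptions: the NAS sends the SSID as the suffix of Called-Station-Id after a colon, string values may arrive wrapped in double quotes, exit status 0 means "yes", and the function names and sample SSID are hypothetical.

```shell
#!/bin/sh
# Added example: helper functions for a script run from the tls verify{} stanza.

# Map a request attribute name to its environment variable name:
# upper-case, '-' replaced by '_' (Calling-Station-Id -> CALLING_STATION_ID).
attr_to_env() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | tr '-' '_'
}

# Print the value of a request attribute, or nothing if it is not set.
# Assumption: string values may be wrapped in double quotes by the server,
# so one surrounding pair is stripped.
get_attr() {
    name=$(attr_to_env "$1")
    val=$(printenv "$name" || true)
    case $val in
        \"*\") val=${val#\"}; val=${val%\"} ;;
    esac
    printf '%s' "$val"
}

# Print the SSID carried in Called-Station-Id.
# Assumption: the NAS formats the attribute as "<AP MAC>:<SSID>".
# Prints nothing when the attribute is missing or has no colon.
ssid_from_called_station() {
    csid=$(get_attr Called-Station-Id)
    case $csid in
        *:*) printf '%s' "${csid##*:}" ;;
        *)   printf '' ;;
    esac
}

# Return 0 only if the request names exactly the allowed SSID.
# Fails closed: a missing or unparsable attribute is a "no".
verify_request() {
    allowed=$1
    ssid=$(ssid_from_called_station)
    [ -n "$ssid" ] && [ "$ssid" = "$allowed" ]
}

# In the verify script itself (assumption: exit status 0 means "yes"):
#   verify_request "example-ssid" || exit 1
```

Dumping the environment from the script once (for instance with `env`) shows which attribute names and value quoting a given server version actually passes.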