On Thu, Aug 29, 2013 at 02:48:59PM +0100, Phil Mayers wrote:
> On 29/08/13 14:25, Axel Thimm wrote:
> >On Thu, Aug 29, 2013 at 02:12:35PM +0100, Phil Mayers wrote:
> >>Otherwise, you could look at the "verify { }" stanza of the "tls {
> >>}" block in eap.conf; this allows you to run an external script once
> >>you've got the client cert, and there you can write any code you
> >>want to access the various issuer/subject fields.
> >
> >Thanks, I'm already using it for other purposes. But do I have the
> >request data at hand to check for the requested SSID?
>
> It's run using the standard exec helper, so it has access to all the
> stuff that a normal exec module has; specifically there should be
> environment variables matching each request attribute, mangled into
> upper-case + underscores.
>
> e.g.
>
> Calling-Station-Id
>
> ...should appear as:
>
> CALLING_STATION_ID
>
> Suggest you try it and see.

Thank you, that looks very promising!

> >
> >Or is there a way to set variables in this script to check later in
> >the authorize section's modules (with an exec script)?
>
> No. The output of the verify script is thrown away, so in that
> respect it's not like a normal exec. It's a binary yes/no.
>
> Obviously you could work around this; you could set a request
> variable to a unique value e.g. timestamp+random, have your verify{}
> script use that as the basis of a filename to dump the info to, then
> read it with *another* exec module lower down.

That is very nasty! I love it! :) I'll try to go with the verify for now.

> Or you could abandon the prejudice against upgrading because "it's
> supported" (support you're not taking advantage of, I might add,
> since you're asking here) and upgrade to 2.2.0 which, IIRC, has
> those patches in.

For systems I know I will be the long term support I can talk to the
customer and he will agree to have me patch up specific binaries, but
in this case I'm just setting this up.
--
Axel.Thimm at ATrpms.net
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
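
The following is an added example, not part of the original message and not FreeRADIUS code: helper functions for a verify{} script that apply the attribute-name mangling described above and give a yes/no answer on the requested SSID. It assumes Called-Station-Id arrives as "MAC:SSID" with a hyphen-separated MAC and that the exec helper may wrap string values in double quotes; the function names and the SSID `corp-wifi` are made up for illustration.

```shell
#!/bin/sh
# Helper functions for a script run from tls { verify { } } (added example).
# Assumptions: Called-Station-Id is "MAC:SSID" with a hyphen-separated MAC,
# and the exec helper may wrap string values in double quotes.

# Attribute name -> environment variable name (upper-case + underscores).
attr_to_env() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | tr '-' '_'
}

# Print a request attribute's value with surrounding quotes removed.
# Returns 1 when the attribute is not in the environment.
request_attr() {
    name=$(attr_to_env "$1")
    case $name in
        ''|[0-9]*|*[!A-Z0-9_]*) return 1 ;;   # only safe names reach eval
    esac
    eval "value=\${$name-}"
    [ -n "$value" ] || return 1
    value=${value#\"}
    value=${value%\"}
    printf '%s' "$value"
}

# Status 0 only when the request names the expected SSID. A missing or
# malformed Called-Station-Id is a "no" (fail closed).
ssid_matches() {
    csid=$(request_attr Called-Station-Id) || return 1
    case $csid in
        *:*) ssid=${csid#*:} ;;
        *)   return 1 ;;
    esac
    [ "$ssid" = "$1" ]
}

# Constructed request environment; a real verify script would instead end
# with:  ssid_matches "corp-wifi" || exit 1
if (CALLED_STATION_ID='"00-11-22-33-44-55:corp-wifi"'; ssid_matches corp-wifi)
then echo "accept"; else echo "reject"; fi
```

Because the verify script's output is discarded, only the exit status carries the decision, so every error path above returns non-zero.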