3.10.39. EAPTLS_CommonNameHook

This optional parameter specifies a Perl hook that is used to choose the authenticated CN from the client certificate during EAP-TLS authentication. Normally, EAP-TLS attempts to match each CN in the client certificate (after EAPTLSRewriteCertificateCommonName is executed) against the User-Name (with and without any trailing @domain) and the EAP identity (with and without any trailing @domain). If a match is found, that is the authenticated CN, and it is the name that is used to look up the user name in the user database.
If EAPTLS_CommonNameHook is defined, the hook performs this matching instead and returns the user name that matches the CN.
It is called for each CN in the client certificate with the following arguments:
  • $_[0]: the CN
  • $_[1]: the User-Name from the incoming request
  • $_[2]: the EAP Identity of the TLS handshake
  • $_[3]: $p, reference to the current request
It is expected to return the matched CN, or undef if no match is found. When undef is returned, the name checks continue in the same way as when the hook is not configured at all.
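The following is an added example of such a hook, not code from the Radiator manual. It matches the CN against the User-Name and the EAP identity, each with and without a trailing @domain, but ignores case (the default checks are exact), and logs why each CN was accepted or rejected. It assumes the four arguments listed above, that &main::log and $main::LOG_DEBUG are Radiator's logging function and level constant, and that the file is loaded with a placeholder path such as EAPTLS_CommonNameHook file:"%D/cn_hook.pl".

```perl
# Added example (not from the Radiator manual). Contents of a hook file that
# evaluates to a code reference; Radiator calls it once per CN in the client
# certificate. Assumed: &main::log / $main::LOG_DEBUG are Radiator's logger.
sub {
    my ($cn, $username, $identity, $p) = @_;

    # Build the candidate names: each value as given, plus its local part
    # with any trailing @domain removed (mirrors the default checks).
    my @candidates;
    foreach my $name ($username, $identity) {
        next unless defined $name && length $name;
        push @candidates, $name;
        (my $local = $name) =~ s/\@.*$//;
        push @candidates, $local if $local ne $name;
    }

    # Accept the CN only on an exact, case-insensitive match; do not accept
    # prefixes or substrings, which would let one certificate claim another name.
    foreach my $candidate (@candidates) {
        if (lc($cn) eq lc($candidate)) {
            &main::log($main::LOG_DEBUG,
                "EAPTLS_CommonNameHook: CN '$cn' matched '$candidate'");
            return $cn;   # becomes the name looked up in the user database
        }
    }

    &main::log($main::LOG_DEBUG,
        "EAPTLS_CommonNameHook: CN '$cn' matched neither User-Name nor EAP identity");
    return undef;         # fall through to the default name checks
}
```

Returning undef for every CN leaves the outcome identical to not configuring the hook, so the only behavioural change is the case-insensitive comparison.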