3.8.36. EAPTLS_CommonNameHook Previous topic Parent topic Child topic Next topic

This optional parameter specifies a Perl hook that is used to choose the authenticated CN from the client certificate during EAP-TLS authentication. Normally, EAP-TLS attempts to match each CN in the client certificate (after EAPTLSRewriteCertificateCommonName is executed) against the User-Name (with and without any trailing @domain) and the EAP identity (with and without any trailing @domain). If a match is found, that is the authenticated CN, and it is the name that is be used to look up the user name in the user database.
If EAPTLS_CommonNameHook is defined, it returns the user name that matches with the CN.
It is called for each CN in the client certificate with the following arguments:
  • $_[0]: the CN
  • $_[1]: the User-Name from the incoming request
  • $_[2]: the EAP Identity of the TLS handshake
It is expected to return the matched CN or undef if no match is found.