Yesterday’s patch for FreeRadius turns out to be superfluous, as the functionality is already present; it’s just undocumented!
I submitted the patch to the FreeRadius bug tracking system (#392) and got back a quick reply from Alan DeKok saying the following:
It isn’t well documented, but it’s already supported, via the
EAP-TLS-Require-Client-Cert attribute. This allows you to have
the cert requirement on a per-realm, or per-user basis.
Oh well, at least the patch didn’t take too long to write! I had seen the code that handles the EAP-TLS-Require-Client-Cert attribute, but I couldn’t find any references to it elsewhere in the daemon, so I assumed it was a fragment that was unused and ignored it.
Moral of the story: Assume less and spend more time understanding the code you’re patching!