EAP-TLS and Active Directory
Scott Armitage
S.P.Armitage at lboro.ac.uk
Wed Nov 25 10:50:38 CET 2015
> On 25 Nov 2015, at 09:36, Scott Armitage <S.P.Armitage at lboro.ac.uk> wrote:
>
>>
>> On 25 Nov 2015, at 09:22, Simon Larsson <simlar at live.se> wrote:
>>
>> Hi there!
>>
>> I’m having a problem where I don’t fully understand exactly how EAP-TLS works with regard to authorization.
>>
>> I'm trying to implement an 802.1X wireless network which uses EAP-TLS for security reasons. I already have a Windows server with a Certificate Authority, so that's not really an issue. All I have to do there is to create the certificates and then insert them into both the FreeRADIUS server and all the clients.
>>
>> Here’s my problem. As I understand it, EAP-TLS uses the certificates for authentication and therefore my users' credentials become less important (not needed to log in to the network).
>> Now, if my users never enter their credentials and the FreeRADIUS server never checks with Active Directory for authorization, what decides what network resources a specific user should have access to?
>>
>> My goal here is to have it so that when a user connects to the network, the user should automatically get access to that user's network resources.
>>
>
>
> Lots of different ways to do this. But, off the top of my head…
>
> Use some xlat LDAP queries in the post-auth section using the CN from the certificate.
>
If it's just simple stuff, like X department gets VLAN 123, just embed the information into the certificate, e.g. using a SAN, then some unlang in the post-auth, e.g.:
# Only EAP-TLS sessions carry a client certificate (EAP-Type 13 = TLS).
if (&EAP-Type == 13) {
    # Match the OU embedded in the certificate subject...
    if ("%{TLS-Client-Cert-Subject}" =~ /OU\=Marketing/) {
        # ...and hand that department its VLAN.
        update session-state {
            Tunnel-Private-Group-Id := "123"
        }
    }
}
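As an added example (not code from either poster), here is a fuller post-auth fragment in FreeRADIUS 3.0 unlang that builds on both suggestions above: it maps the certificate OU to a VLAN, and, commented out, shows the LDAP xlat variant keyed on the certificate CN. It assumes the TLS-Client-Cert-* attributes are visible in post-auth the way the snippet above relies on, an rlm_ldap instance named `ldap`, and made-up OU names, VLAN numbers and a `departmentVlan` LDAP attribute. It writes to the reply list directly and returns all three RFC 3580 tunnel attributes, because most switches and controllers ignore Tunnel-Private-Group-Id unless Tunnel-Type and Tunnel-Medium-Type are present too.

```unlang
#  sites-available/default, post-auth section (FreeRADIUS 3.0 unlang).
#  Hypothetical department-to-VLAN mapping: OU names and VLAN numbers are
#  invented for this example.
post-auth {

    #  Only EAP-TLS sessions carry a client certificate. "TLS" is the
    #  dictionary name for EAP-Type 13.
    if (&EAP-Type == TLS) {

        #  TLS-Client-Cert-Subject is the OpenSSL one-line form, e.g.
        #  "/C=SE/O=Example AB/OU=Marketing/CN=alice". Anchoring on the
        #  surrounding "/" stops "OU=Marketing" matching "OU=MarketingContractors".
        if (&TLS-Client-Cert-Subject =~ /\/OU=Marketing(\/|$)/) {
            update reply {
                &Tunnel-Type := VLAN
                &Tunnel-Medium-Type := IEEE-802
                &Tunnel-Private-Group-Id := "123"
            }
        }
        elsif (&TLS-Client-Cert-Subject =~ /\/OU=Engineering(\/|$)/) {
            update reply {
                &Tunnel-Type := VLAN
                &Tunnel-Medium-Type := IEEE-802
                &Tunnel-Private-Group-Id := "124"
            }
        }
        else {
            #  Fail closed: a certificate that chains to our CA but carries
            #  no known OU must not land on the switch's default VLAN.
            reject
        }

        #  Alternative to hard-coding departments: look the VLAN up in LDAP
        #  by the certificate CN. Assumes an rlm_ldap instance called "ldap"
        #  and a hypothetical "departmentVlan" attribute on the user entry.
        #
        #  update reply {
        #      &Tunnel-Type := VLAN
        #      &Tunnel-Medium-Type := IEEE-802
        #      &Tunnel-Private-Group-Id := "%{ldap:ldap:///ou=people,dc=example,dc=com?departmentVlan?sub?(cn=%{TLS-Client-Cert-Common-Name})}"
        #  }
    }
}
```

If you keep the session-state approach from the reply above instead, check that your update runs before the stock post-auth block `update { &reply: += &session-state: }`, since that is what carries the cached attributes into the final Access-Accept.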