EAP-TLS and EAP-PEAP with different authentication/authorization settings

Alan DeKok aland at deployingradius.com
Wed Jul 12 13:58:15 CEST 2017 

On Jul 11, 2017, at 5:48 PM, John Meyers <john+freeradius at themeyers.us> wrote:
> I have what I think is a very common use case.  I'd like to support
> "dual stack" EAP-TLS and EAP-PEAP, the concept being that if a corporate
> device has a valid certificate and authenticates EPA-TLS it gets
> validated against one set of rules ultimately culminating with
> assignment in one or more VLANs, vs a BYOD device authenticated with
> EAP-PEAP that will go through a different authentication/authorization
> stack ending up in a different set of possible VLANs.

  You may need to be more specific than that.  The point is that EAP is a protocol with certain pre-defined behaviours, which are out of your control.  So you have to fit your rules into the way that EAP behaves, not the other way around.

> We have the EAP-PEAP case working flawlessly on freeradius-3.0.4-6.el7. 
> The problem is that when I enable the 'virtual_server' option for
> EAP-TLS, it still hits the default authentication/authorization stack
> resulting in searching the wrong LDAP (machines and people are separate)
> before it runs for the virtual server defined.

  And where are those rules?  How do they work?

>  By the time it hits the virtual server,

  Which virtual server?

> the request has already been denied as the LDAP object
> does not exist in the area it is looking for.  I would also like, if
> EAP-TLS is used, to ignore whatever username the client passes and
> instead use the client's CN from its certificate with regard to ldap
> authorization.

  Read the debug output to see when the server knows that EAP-TLS is being used.

> If anyone has any advise on how to configure a completely divergent
> configuration that depends on whether or not the client is use TLS or
> PEAP, I would appreciate it.

  Odds are that you're putting all of the rules into the "authorize" section.  This is wrong.  That runs before the server knows what EAP type is being used.

  You should put the PEAP rules into the "inner-tunnel" virtual server.  That way they'll (usually) only run when PEAP is being used.

  Then, put the VLAN assignment rules into the "post-auth" section:

	if (control:EAP-Type == PEAP) {
			... PEAP rules ...
	}
	elsif (control:EAP-Type == TLS) {
			.. TLS rules ...
	}

  Alan DeKok.

More information about the Freeradius-Users mailing list