EAP-TLS with LDAP user attribute check

Alan DeKok aland at deployingradius.com
Fri Jan 8 22:02:50 CET 2021


On Jan 7, 2021, at 8:22 PM, stray electron <strayedelectron at gmail.com> wrote:
> How can I check an LDAP group membership (or attribute) in an EAP-TLS setup?

  Check it once, and cache the result.  Or, check it in post-auth.

> I am trying to set up FreeRADIUS 3.0 where the client auth is done with EAP-TLS but which also checks whether the client is in the LDAP (and/or checks some user attribute in the LDAP). If the client has a valid certificate but is not in the LDAP, then he should be rejected.

  It's simpler to just revoke the certificate.  But whatever.

> Since the auth is already done by EAP-TLS certificates, no user bind to the LDAP should be needed; besides, I don't have the user password anyway. But I have an LDAP account configured for the RADIUS server so it can access the user data.
> 
> So far EAP-TLS works fine. I suppose the ten repetitions of the authorize part are due to the EAP messages exchanged with the client, or am I wrong?

  It's because you made it do the LDAP checks in the "authorize" section, i.e. before the user is authenticated.

> The problem is, though, that the LDAP search is also done ten times for each client request. I think this would put a huge load on our LDAP server.
> 
> I tried to put the ldap stanza in other places such as post-auth, but then it tries to write to the LDAP, or in authenticate, where the user password is required.

  You can do:

post-auth {
	...
	ldap.authorize
	...
}

  And run the "authorize" method of the "ldap" module.

  Alan DeKok.
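As an added example (not code from the thread or from the FreeRADIUS project), here is what Alan's suggestion looks like in a 3.0 configuration: a fragment of mods-available/ldap that enables group lookups and caches the result in the request, and a post-auth fragment of sites-available/default that runs the module's "authorize" method once, after EAP-TLS has succeeded, and rejects users who are missing from the directory or not in the required group. The LDAP URL, service-account DN, base DNs and the group name "wifi-users" are assumptions; the fragment also assumes a 3.0.x default site whose "Post-Auth-Type Challenge" sub-section handles Access-Challenge packets, so the main post-auth section runs once per Access-Accept rather than on every EAP round trip.

```unlang
#  mods-available/ldap (fragment).  Values marked "assumed" are placeholders
#  for this example.  The group section is what makes &LDAP-Group usable in
#  unlang; cacheable_* stores the resolved memberships in the request so the
#  later comparison costs no further LDAP round trips.
ldap {
	server = "ldaps://ldap.example.com"                     # assumed
	identity = "cn=radius,ou=services,dc=example,dc=com"    # assumed service account
	password = "CHANGE-ME"                                  # assumed
	base_dn = "dc=example,dc=com"                           # assumed

	user {
		base_dn = "ou=people,${..base_dn}"
		#  Default lookup key.  For EAP-TLS, User-Name is the outer identity
		#  sent by the supplicant, not something taken from the certificate.
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	group {
		base_dn = "ou=groups,${..base_dn}"
		filter = "(objectClass=groupOfNames)"
		name_attribute = cn
		membership_attribute = memberOf
		cacheable_name = yes
		cacheable_dn = yes
	}
}

#  sites-available/default (fragment).  The ldap module is NOT listed in
#  authorize, so nothing is looked up during the EAP-TLS handshake; the
#  lookup happens once here, after the certificate has been verified.
post-auth {
	if (&EAP-Type == "TLS") {
		#  Run only the "authorize" method: read the user entry, no bind,
		#  no write.
		ldap.authorize
		if (notfound) {
			#  Valid certificate but no directory entry: reject, as asked.
			reject
		}
		elsif (fail) {
			#  Directory unreachable: fail closed rather than accept on
			#  the certificate alone.
			reject
		}

		#  Group check (assumed group name).  With cacheable_* enabled the
		#  comparison is answered from the memberships cached above.
		if (!(&LDAP-Group == "wifi-users")) {
			reject
		}
	}

	#  ... the rest of the site's existing post-auth section follows here.
}
```

A "reject" returned from post-auth turns the Access-Accept into an Access-Reject and runs the Post-Auth-Type REJECT sub-section. To check an arbitrary user attribute instead of a group, the module's "update" section can copy it into a control attribute during ldap.authorize and an "if" in post-auth can compare it; the idea is the same. Note that the default filter keys the lookup on the supplicant-supplied User-Name, so the directory entry consulted is the one the client names, not necessarily the one matching the certificate subject; whether that binding matters, and how to key the lookup on the certificate instead, depends on the deployment and is not covered by the thread.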
