Alan K and Alan B, Grateful for your help. You are indeed correct, I was using the 'authorize' section for the rules, since that is where the 'files' directive (that refers to mods-config/files/authorize) is placed in the out-of-the-box sample configuration. I am still confused though, since I want to look in different LDAP locations depending on if the client is a human (PEAP) or a machine (TLS). Doesn't ldap need to run in the 'authorize' section? Here is the pseudo-code of what I am trying to accomplish: if (EAP-Type == TLS) { # Client is a machine, override username given with what is on the cert and get attributes from LDAP Username = ClientCert-CN get-ldap-machine-attributes case LDAP-Group { Group-1: VLAN=100, Group-2: VLAN=200, Default: Reject } if (EAP-Type == PEAP) # Client is a human, authenticate against LDAP with provided username/password ldap-authenticate-person get-ldap-person-attributes case LDAP-Group { Group-1: VLAN=500, Group-2: VLAN=600, Default: Reject } Again, very grateful for your insight and assistance. On 7/12/17 7:58 AM, Alan DeKok wrote:
On Jul 11, 2017, at 5:48 PM, John Meyers <john+freeradius@themeyers.us> wrote:
I have what I think is a very common use case. I'd like to support "dual stack" EAP-TLS and EAP-PEAP, the concept being that if a corporate device has a valid certificate and authenticates EPA-TLS it gets validated against one set of rules ultimately culminating with assignment in one or more VLANs, vs a BYOD device authenticated with EAP-PEAP that will go through a different authentication/authorization stack ending up in a different set of possible VLANs. You may need to be more specific than that. The point is that EAP is a protocol with certain pre-defined behaviours, which are out of your control. So you have to fit your rules into the way that EAP behaves, not the other way around.
We have the EAP-PEAP case working flawlessly on freeradius-3.0.4-6.el7. The problem is that when I enable the 'virtual_server' option for EAP-TLS, it still hits the default authentication/authorization stack resulting in searching the wrong LDAP (machines and people are separate) before it runs for the virtual server defined. And where are those rules? How do they work?
By the time it hits the virtual server, Which virtual server?
the request has already been denied as the LDAP object does not exist in the area it is looking for. I would also like, if EAP-TLS is used, to ignore whatever username the client passes and instead use the client's CN from its certificate with regard to ldap authorization. Read the debug output to see when the server knows that EAP-TLS is being used.
If anyone has any advise on how to configure a completely divergent configuration that depends on whether or not the client is use TLS or PEAP, I would appreciate it. Odds are that you're putting all of the rules into the "authorize" section. This is wrong. That runs before the server knows what EAP type is being used.
You should put the PEAP rules into the "inner-tunnel" virtual server. That way they'll (usually) only run when PEAP is being used.
Then, put the VLAN assignment rules into the "post-auth" section:
if (control:EAP-Type == PEAP) { ... PEAP rules ... } elsif (control:EAP-Type == TLS) { .. TLS rules ... }
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html