On 25 Nov 2015, at 09:36, Scott Armitage <S.P.Armitage@lboro.ac.uk> wrote:
On 25 Nov 2015, at 09:22, Simon Larsson <simlar@live.se> wrote:
Hi there!
I’m having a problem where I don’t fully understand exactly how EAP-TLS works in regards to authorization.
I'm trying to implement a 802.1x wireless network which uses EAP-TLS for security reasons. I already have a Windows server with a Certificate Authority, so that's not really an issue. All I have to do there is to create the certificates and then insert them into both the FreeRADIUS server and all the clients.
Here’s my problem. As I understand it, EAP-TLS uses the certificates for authentication and therefor my users credentials become less important (not needed to log in to the network). Now, if my users never enter their credentials and the FreeRADIUS server never checks with Active Directory for authorization, what decides what network resources a specific user should have access to?
My goal here is to have it so that when a user connects to the network, the user should automatically get access that users network resources.
Lots of different ways to do this. But, off the top of my head…
use some xlat ldap queries in the post-auth section using the CN from the certificate.
if it just simple stuff, like X department get VLAN 123. Just embed information into the certificate e.g. using a SAN, then some unlang in the post-auth e.g: if (&EAP-Type == 13) { if ( "%{TLS-Client-Cert-Subject}" =~ /OU\=Marketing/ ) { update session-state { Tunnel-Private-Group-Id := “123" } } }