Hi, On Mon, Aug 31, 2015 at 04:26:16PM -0700, Jim Shi wrote:
I want to use EAP-TLS to verify client’s certificate and set policy based on the groups that the CN belongs to.
See the check-eap-tls virtual server, and the virtual_server option in mods-available/eap tls section. I've got something like this in check-eap-tls to only allow clients that in particular groups to connect: authorize { ldap update control { Auth-Type := Reject } if (Ldap-Group == "WinLaptop") { update control { Auth-Type := Accept } } if (Ldap-Group == "MacLaptop") { update control { Auth-Type := Accept } } } You need to configure ldap appropriately, for example (using Active Directory here, this ldap config is from FR v2): filter = "(servicePrincipalName=%{User-Name})" base_filter = "(objectClass=computer)" groupname_attribute = cn groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))" Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>