On Aug 29, 2024, at 11:08 AM, Lennart Johansson <Lennart.Johansson@b-iq.se> wrote:
my fist question here, so bare with me The solution is perhaps simple, but I cant seem to figure it out I want to setup vpn authentication for users using Freeradius as Radius backend in vpn server User certificates are created using a Edirectory server that also is CA and ldap server
That should be fine. The general advice is to test each piece individually, and then combine the pieces later. If you try to debug 3-4 things at the same time, it's a lot more difficult.
What do I have to do to configure Freeradius role in this, if I search for solutions online, most is related to AD and MS NPS. My understanding is that EAP-TLS requires that the vpn server pass the certificate request to Freeradius and Freeradius is verifying the certificate and reply with a accept or deny.
No, the VPN server is passing the entire TLS session to FreeRADIUS. See the debug output, there's a *lot* more TLS data being exchanged than just the certificate.
But what is needed for Freeradius to verify the certificate, is it only that the CA certificate to verify that the certificate is issued by that CA or is it possible for Freeradius to pick the subject or SAN like email address and to a lookup in LDAP to get specific group or attribute back and based on that respond with accept or deny?
Normally EAP-TLS just verifies that the client cert is from a known CA, and that's fine. You can also do additional LDAP checks, but I don't see why. If you don't want the client certificate to be used any more, then revoke it. If you want to check that the client certificate has the "right" fields, then just create it with the right fields. Alan DeKok.