Authorize with EAP-TLS, but use LDAP for authentication to check user's group membership
I am quite a freeradius noob, so in advance, my apologies if this question of mine doesn't make too much sense. I have a mixed environment, mostly Windows users, but also Linux and Macs, and requirement is to implement a 802.1x wired authentication for DHCP clients, with dynamic VLAN assignment. As a first layer of security, I've implemented this solution https://wiki.freeradius.org/guide/mac-auth with both mac authentication (reading allowed MAC addresses) and then proceeding with EAP-TLS (with certificates issued from Windows Active Directory Certificate Services). I've created machine certificate for freeradius server (2.2, running on CentOS 6) in AD CS, converted that one and root CA, and set up everything per that solution, and I can successfully authenticate with any Windows or Linux client with allowed MAC and user having their certificate. Now, I would like to add LDAP, in order to check the user's group permissions, and to set up dynamic vlan assignment per group membership (if a HR person is member of "HR" group, put him in VLAN 10, for example). I have Juniper access switches, so this solution should work. But, I am seeking advice from you here guys on how to proceed. I've installed LDAP module, and configured my settings in /etc/raddb/modules/ldap but where should the configuration for this takes place? Currently, my /etc/raddb/sites-available/default config looks the same as on the link above, and I am not sure if I can use the username of authorized user (which is in form of username@domain.com from the Windows user certificate) with LDAP to check the groups of that authorized user and assign him the correct VLAN? I've googled around, but what I found didn't help me much, so any help is more than appreciated! I guess it's easier to switch to MAC and LDAP and bypass EAP-TLS, but since we're already issuing certificates to users (and they use those Windows AD certificates for other services as well), I would like to use them here as well for authorization with MAC addresses. Thanks in advance!
Hi, do the LDAP check/VLAN assignment in the post-auth section of your default server ...with later versions of FR (eg 3.x) there are many TLS cert modules and functions you can use alan
Alan, thanks for the info, I also thought that I can do it there :) Can you please provide me with some example config? I am not that familiar with unlang Thanks! On Tue, Jan 3, 2017 at 6:26 PM, Petar Marinkovic <highl1@gmail.com> wrote:
I am quite a freeradius noob, so in advance, my apologies if this question of mine doesn't make too much sense.
I have a mixed environment, mostly Windows users, but also Linux and Macs, and requirement is to implement a 802.1x wired authentication for DHCP clients, with dynamic VLAN assignment.
As a first layer of security, I've implemented this solution https://wiki. freeradius.org/guide/mac-auth with both mac authentication (reading allowed MAC addresses) and then proceeding with EAP-TLS (with certificates issued from Windows Active Directory Certificate Services).
I've created machine certificate for freeradius server (2.2, running on CentOS 6) in AD CS, converted that one and root CA, and set up everything per that solution, and I can successfully authenticate with any Windows or Linux client with allowed MAC and user having their certificate.
Now, I would like to add LDAP, in order to check the user's group permissions, and to set up dynamic vlan assignment per group membership (if a HR person is member of "HR" group, put him in VLAN 10, for example). I have Juniper access switches, so this solution should work.
But, I am seeking advice from you here guys on how to proceed. I've installed LDAP module, and configured my settings in /etc/raddb/modules/ldap but where should the configuration for this takes place? Currently, my /etc/raddb/sites-available/default config looks the same as on the link above, and I am not sure if I can use the username of authorized user (which is in form of username@domain.com from the Windows user certificate) with LDAP to check the groups of that authorized user and assign him the correct VLAN?
I've googled around, but what I found didn't help me much, so any help is more than appreciated!
I guess it's easier to switch to MAC and LDAP and bypass EAP-TLS, but since we're already issuing certificates to users (and they use those Windows AD certificates for other services as well), I would like to use them here as well for authorization with MAC addresses.
Thanks in advance!
participants (2)
-
A.L.M.Buxey@lboro.ac.uk -
Petar Marinkovic