RE: EAP-TLS and LDAP with Windows Server 2012R2 Native Functional Level
On Tue, Oct 25, 2016 at 08:15:11PM -0400, Travis via Freeradius-Users wrote:
I was bitten by that too. Try changing it to:
Personally (and what I do here) I would use the check-eap-tls virtual server so you can check the actual contents of the certificate with LDAP, rather than relying on the contents of the User-Name attribute. Which a clients could easily spoof, but they can't spoof the certificate subject.
Many thanks Matthew! I didn't know there even was a check-eap-tls virtual server that I could use. Once I created a soft link and configured that I started getting more of what I was expecting to see.
For plain users, just call "ldap" in the inner tunnel as usual. Possibly wrapped around with a if EAP-Type == PEAP so it doesn't get called for hosts (check-eap-tls won't get called for PEAP as there is no client certificate, so you don't need that the other way around).
But essentially - look at the LDAP lookups that FreeRADIUS is doing, and then go update the configuration so it does the right lookups with the data it has available.
I had to do some minor tweaks to my sites-enabled\default config with some if statements: if (&User-Name == "host/%{TLS-Client-Cert-Common-Name}") { noop } elsif (!(&Ldap-Group == "CN=WiFi,OU=RSD Groups,DC=rsdtc,DC=com")) { reject } but now all the tablets with certificates are working along with users in a LDAP-Group. Thank you to everyone who responded with their insight and guidance. Now on to my next post regarding iPhones with certificates doing EAP-TLS failing. Travis
participants (1)
-
tj2718@aol.com