FreeRadius EAP-TLS Auth using Email Address
We have a requirement to authenticate devices to WIFI using the user's email address stored in AD. The devices are enrolled into InTune and the only shared piece of information is the email address. How can I change FreeRadius to authenticate using the email address instead of the username? Do I need to perform some form of LDAPSearch using the email address to get the username? Will this work with EAP authentication using SSL certs? The SSL certs are created OnPrem and use the email address. Any ideas? Regards, Phil Lowes ************************************************************************************** ****************************** This message may contain confidential information. If you are not the intended recipient please: i) inform the sender that you have received the message in error before deleting it; and ii) do not disclose, copy or distribute information in this e-mail or take any action in relation to its content (to do so is strictly prohibited and may be unlawful). Thank you for your co-operation. NHSmail is the secure email, collaboration and directory service available for all NHS staff in England. NHSmail is approved for exchanging patient data and other sensitive information with NHSmail and other accredited email services. For more information and to find out how you can switch visit Joining NHSmail - NHSmail Support<https://support.nhs.net/article-categories/joining-nhsmail/>
On Jan 31, 2024, at 6:57 AM, LOWES, Phil (LEICESTERSHIRE PARTNERSHIP NHS TRUST) via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
We have a requirement to authenticate devices to WIFI using the user's email address stored in AD. The devices are enrolled into InTune and the only shared piece of information is the email address.
How can I change FreeRadius to authenticate using the email address instead of the username?
That question is a bit confused. The server gets a User-Name attribute in an Access-Request. That User-Name contains some value. FreeRADIUS typically looks that value up in a database, and then gets a password back from that. FreeRADIUS then uses the password to authenticate the user.
Do I need to perform some form of LDAPSearch using the email address to get the username?
Perhaps. Or, you maybe you can modify the LDAP queries to find an account where the email address in the DB matches the User-Name. i.e. break the problem into discrete bits of information, and then connect them together. Run small tests to verify what you can do. Can you look up the email address in LDAP, and get a user ID? Or can you use the email address to get a matching password?
Will this work with EAP authentication using SSL certs? The SSL certs are created OnPrem and use the email address.
If you're using EAP-TLS, then it doesn't use or check passwords. Alan DeKok.
Thanks Alan. I've found a script that pulls the username from AD using the email address and then authenticates using the username. It's certainly been a learning experience 😊 Regards, Phil Lowes -----Original Message----- From: Alan DeKok <aland@deployingradius.com> Sent: Wednesday, January 31, 2024 12:21 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Cc: LOWES, Phil (LEICESTERSHIRE PARTNERSHIP NHS TRUST) <phil.lowes@nhs.net> Subject: Re: FreeRadius EAP-TLS Auth using Email Address [You don't often get email from aland@deployingradius.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] This message originated from outside of NHSmail. Please do not click links or open attachments unless you recognise the sender and know the content is safe. On Jan 31, 2024, at 6:57 AM, LOWES, Phil (LEICESTERSHIRE PARTNERSHIP NHS TRUST) via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
We have a requirement to authenticate devices to WIFI using the user's email address stored in AD. The devices are enrolled into InTune and the only shared piece of information is the email address.
How can I change FreeRadius to authenticate using the email address instead of the username?
That question is a bit confused. The server gets a User-Name attribute in an Access-Request. That User-Name contains some value. FreeRADIUS typically looks that value up in a database, and then gets a password back from that. FreeRADIUS then uses the password to authenticate the user.
Do I need to perform some form of LDAPSearch using the email address to get the username?
Perhaps. Or, you maybe you can modify the LDAP queries to find an account where the email address in the DB matches the User-Name. i.e. break the problem into discrete bits of information, and then connect them together. Run small tests to verify what you can do. Can you look up the email address in LDAP, and get a user ID? Or can you use the email address to get a matching password?
Will this work with EAP authentication using SSL certs? The SSL certs are created OnPrem and use the email address.
If you're using EAP-TLS, then it doesn't use or check passwords. Alan DeKok. ************************************************************************************** ****************************** This message may contain confidential information. If you are not the intended recipient please: i) inform the sender that you have received the message in error before deleting it; and ii) do not disclose, copy or distribute information in this e-mail or take any action in relation to its content (to do so is strictly prohibited and may be unlawful). Thank you for your co-operation. NHSmail is the secure email, collaboration and directory service available for all NHS staff in England. NHSmail is approved for exchanging patient data and other sensitive information with NHSmail and other accredited email services. For more information and to find out how you can switch visit Joining NHSmail – NHSmail Support<https://support.nhs.net/article-categories/joining-nhsmail/>
On 02/02/2024 08:45, LOWES, Phil (LEICESTERSHIRE PARTNERSHIP NHS TRUST) via Freeradius-Users wrote:
I've found a script that pulls the username from AD using the email address and then authenticates using the username.
Just note that if you mean running an external script (e.g. shell, perl, etc) then performance will really suffer. As Alan suggested, looking up in LDAP will be the thing to do, and you can do that directly from within FreeRADIUS. It's still a bit confusing as to exactly how you are trying to set things up, so answers can't really be much more specific. -- Matthew
On Feb 2, 2024, at 6:51 AM, Matthew Newton via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
On 02/02/2024 08:45, LOWES, Phil (LEICESTERSHIRE PARTNERSHIP NHS TRUST) via Freeradius-Users wrote:
I've found a script that pulls the username from AD using the email address and then authenticates using the username.
Just note that if you mean running an external script (e.g. shell, perl, etc) then performance will really suffer.
Exactly. The phrase "I found a script" sounds a lot like "I found a magic incantation". But computers aren't magic. The script just does LDAP lookups. FreeRADIUS can also do LDAP lookups. So why not *understand* what the script does, and re-implement it in FreeRADIUS? It should be about 5-10 lines of "unlang", and it will be about 100x faster than a script. An even more important benefit is that you will understand what it does, and why it works. That way if anything goes wrong, you can figure it out, instead of looking for another magic incantation to fix it. Alan DeKok.
Mandi! "LOWES, Phil \(LEICESTERSHIRE PARTNERSHIP NHS TRUST\) via Freeradius-Users" In chel di` si favelave...
How can I change FreeRadius to authenticate using the email address instead of the username?
I think is more a matter of winbind, than freeradius. Winbind is able to authenticate using email? Typically, the email is also the UPN? -- We certainly would not want to have the same kind of democracy as they have in Iraq (President Vladimir Putin, responding to U.S. President George W. Bush's suggestion that Russia should be more democratic, taken from NewsWeek)
Our email addresses are different form our UPNs which why we need to convert the email supplied in the EAP-TLS client cert. This is what I found to convert the supplied email address into a usable AD username: #!/bin/bash MAIL=${1:11} NTDOMAIN=${2:9} CHALLENGE=${3:12} NTRESPONSE=${4:14} HOST="ldap://xxxxxxxxxxxxxx:3268" BASE_DN="DC=xxxxxxxxxxxxxx" ADUser="xxxxxxxxxxxxxxxxxxxxxxx" PASSWORD="xxxxxxxxxxxxxxxxxxxxxxxxxx" FILTER="mail=$MAIL" strUserName=`ldapsearch -LLL -x -D "$ADUser" -w "$PASSWORD" -b "$BASE_DN" -H "$HOST" "$FILTER" extensionAttribute15 | grep extensionAttribute15 | awk '{print $2}'` echo "$MAIL is $strUserName" /usr/bin/ntlm_auth --request-nt-key --username=$strUserName --domain=$NTDOMAIN --challenge=$CHALLENGE --nt- response=$NTRESPONSE The site I found then suggested inside the mschap-module to call the bash-script instead of calling directly ntlm_auth: ntlm_auth = "/usr/bin/mail_to_username %{mschap:User-Name:-None} %{%{mschap:NT-Domain}:-EXAMPLE} %{mschap:Challenge:-00} % {mschap:NT-Response:-00}" Can Freeradius perform the LDAP search natively within the module and return the username for the ntlm_auth command? Regards, Phil Lowes -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+phil.lowes=nhs.net@lists.freeradius.org> On Behalf Of Marco Gaiarin Sent: Friday, February 2, 2024 12:29 PM To: LOWES, Phil (LEICESTERSHIRE PARTNERSHIP NHS TRUST) via Freeradius-Users <freeradius-users@lists.freeradius.org> Cc: freeradius-users@lists.freeradius.org Subject: Re: FreeRadius EAP-TLS Auth using Email Address [You don't often get email from gaio@lilliput.linux.it. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] This message originated from outside of NHSmail. Please do not click links or open attachments unless you recognise the sender and know the content is safe. Mandi! "LOWES, Phil \(LEICESTERSHIRE PARTNERSHIP NHS TRUST\) via Freeradius-Users" In chel di` si favelave...
How can I change FreeRadius to authenticate using the email address instead of the username?
I think is more a matter of winbind, than freeradius. Winbind is able to authenticate using email? Typically, the email is also the UPN? -- We certainly would not want to have the same kind of democracy as they have in Iraq (President Vladimir Putin, responding to U.S. President George W. Bush's suggestion that Russia should be more democratic, taken from NewsWeek) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ************************************************************************************** ****************************** This message may contain confidential information. If you are not the intended recipient please: i) inform the sender that you have received the message in error before deleting it; and ii) do not disclose, copy or distribute information in this e-mail or take any action in relation to its content (to do so is strictly prohibited and may be unlawful). Thank you for your co-operation. NHSmail is the secure email, collaboration and directory service available for all NHS staff in England. NHSmail is approved for exchanging patient data and other sensitive information with NHSmail and other accredited email services. For more information and to find out how you can switch visit Joining NHSmail – NHSmail Support<https://support.nhs.net/article-categories/joining-nhsmail/>
On 05/02/2024 15:53, LOWES, Phil (LEICESTERSHIRE PARTNERSHIP NHS TRUST) via Freeradius-Users wrote:
Our email addresses are different form our UPNs which why we need to convert the email supplied
OK.
in the EAP-TLS client cert.
I suspect you mean in the RADIUS request? If you're using EAP-TLS with a client cert then you very likely won't also be using ntlm_auth.
This is what I found to convert the supplied email address into a usable AD username:
Ouch, OK.
The site I found then suggested inside the mschap-module to call the bash-script instead of calling directly ntlm_auth:
More awful advice on the Internet :(
ntlm_auth = "/usr/bin/mail_to_username %{mschap:User-Name:-None} %{%{mschap:NT-Domain}:-EXAMPLE} %{mschap:Challenge:-00} % {mschap:NT-Response:-00}"
Can Freeradius perform the LDAP search natively within the module and return the username for the ntlm_auth command?
Yes, you can do all of this directly from within FreeRADIUS. Configure the LDAP module (raddb/mods-enabled/ldap) - you will see in there the "update" section (not the same as unlang's update) where you can map LDAP attributes to RADIUS attributes. So you will want something like update { request:Tmp-String-1 := 'extensionAttribute15' } then assuming a good LDAP search the &Tmp-String-1 attribute will contain the value of the 'extensionAttribute15' LDAP attribute - which you can use in e.g. the ntlm_auth command, or preferably with the direct winbind configuration in mschap. You will need to use the filters etc in the ldap module configuration to look up the correct entry. If you need to modify the attributes used in the lookup then use regular expressions or similar in unlang to transform the data before calling the ldap module. -- Matthew
participants (4)
-
Alan DeKok -
LOWES, Phil (LEICESTERSHIRE PARTNERSHIP NHS TRUST) -
Marco Gaiarin -
Matthew Newton