freeradius2 with EAP-TLS and LDAP authorization ?
Hello, is it possible in some way to use EAP-TLS X509 authentication together with LDAP authorization in freeradius2 ? Actually freeradius2 allows EAP-TLS authentication, but if I wanted to extract the emailAddress or CN field from the X509 certificate and authorize it against my LDAP tree information to allow or disallow WiFi access, is it possible ?? Or the only way to authorize a EAP-TLS X509 user is only thru freeradius2 users file ? thanks Rick
Riccardo Veraldi wrote:
Hello, is it possible in some way to use EAP-TLS X509 authentication together with LDAP authorization in freeradius2 ?
Yes. You can look the username up in LDAP, and reject the request if the user doesn't exist.
Actually freeradius2 allows EAP-TLS authentication, but if I wanted to extract the emailAddress or CN field from the X509 certificate and authorize it against my LDAP tree information to allow or disallow WiFi access, is it possible ??
Not really, no.
Or the only way to authorize a EAP-TLS X509 user is only thru freeradius2 users file ?
The limitation isn't the users file. It's that extracting the fields from the certificate is hard. Patches are welcome. Alan DeKok.
RV> but if I wanted to extract the emailAddress or CN field from the RV> X509 certificate and authorize it against my LDAP tree AdK> The limitation isn't the users file. AdK> It's that extracting the fields from the certificate is hard. I don't understand. rlm_eap's check_cert_cn must be able to extract the CN from the user certificate in order to check it against User-Name (or whatever). Or at least, with check_cert_cn = %{User-Name}, you can substitute User-Name for an extracted CN for whatever additional lookup you need. Or am I getting it wrong?
Edgar Fuß wrote:
I don't understand. rlm_eap's check_cert_cn must be able to extract the CN from the user certificate in order to check it against User-Name (or whatever).
Yes...
Or at least, with check_cert_cn = %{User-Name}, you can substitute User-Name for an extracted CN for whatever additional lookup you need.
Yes.
Or am I getting it wrong?
No. But there's no code to extract other fields from the cert. Alan DeKok.
For starting it should be enough but what I am not able to do is to set up the correct sequence. First I need to extract the CN field (which can be done and I Already did and I can set up a list of allowed CN in hte users file), and after I need to do an LDAP query to check for authorization. How can I do the following in this exact order ? LDAP authorization is tryed first then comes authentication or am I wrong ? What I'd need is to extract the CN and check it against LDAP attributes... How might I do it ? thank you Riccardo Alan DeKok wrote:
Edgar Fuß wrote:
I don't understand. rlm_eap's check_cert_cn must be able to extract the CN from the user certificate in order to check it against User-Name (or whatever).
Yes...
Or at least, with check_cert_cn = %{User-Name}, you can substitute User-Name for an extracted CN for whatever additional lookup you need.
Yes.
Or am I getting it wrong?
No. But there's no code to extract other fields from the cert.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Riccardo Veraldi wrote:
First I need to extract the CN field (which can be done and I Already did
You can't *extract* the CN field. You can *compare* the CN field to another value, as shown in the eap.conf file.
and I can set up a list of allowed CN in hte users file), and after I need to do an LDAP query to check for authorization. How can I do the following in this exact order ?
You edit the config files so that the "ldap" module is run after the "users" file.
LDAP authorization is tryed first then comes authentication or am I wrong ?
Yes.
What I'd need is to extract the CN and check it against LDAP attributes... How might I do it ?
You can't. To do that, you will need to edit the source code to add that feature. Alan DeKok.
participants (3)
-
Alan DeKok -
Edgar Fuß -
Riccardo Veraldi