Hi, I want to use EAP-TLS to verify client’s certificate and set policy based on the groups that the CN belongs to. How to do it? Thanks Jim
Hi, On Mon, Aug 31, 2015 at 04:26:16PM -0700, Jim Shi wrote:
I want to use EAP-TLS to verify client’s certificate and set policy based on the groups that the CN belongs to.
See the check-eap-tls virtual server, and the virtual_server option in mods-available/eap tls section. I've got something like this in check-eap-tls to only allow clients that in particular groups to connect: authorize { ldap update control { Auth-Type := Reject } if (Ldap-Group == "WinLaptop") { update control { Auth-Type := Accept } } if (Ldap-Group == "MacLaptop") { update control { Auth-Type := Accept } } } You need to configure ldap appropriately, for example (using Active Directory here, this ldap config is from FR v2): filter = "(servicePrincipalName=%{User-Name})" base_filter = "(objectClass=computer)" groupname_attribute = cn groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))" Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (2)
-
Jim Shi -
Matthew Newton