freeradius2 with EAP-TLS and LDAP authorization ?

Alan DeKok aland at
Sat Jul 3 10:34:09 CEST 2010

Riccardo Veraldi wrote:
> Hello,
> is it possible in some way to use EAP-TLS X509 authentication together
> with LDAP authorization in freeradius2?

  Yes.  You can look the username up in LDAP, and reject the request if
the user doesn't exist.

> Actually freeradius2 allows EAP-TLS authentication, but if I wanted to
> extract the emailAddress or CN field
> from the X509 certificate and authorize it against my LDAP tree
> information to allow or disallow WiFi access,
> is it possible?

  Not really, no.

> Or is the only way to authorize an EAP-TLS X509 user through the
> freeradius2 users file?

  The limitation isn't the users file.  It's that extracting the fields
from the certificate is hard.

  Patches are welcome.

  Alan DeKok.
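
The lookup the question describes, sketched outside FreeRADIUS as an added example that is not part of the original thread or of the FreeRADIUS code: it takes the CN or emailAddress from a certificate subject and builds an LDAP search filter with the value escaped per RFC 4515. It assumes the subject is already available as an RFC 4514 string; the function names and the LDAP attribute names `mail` and `cn` are assumptions, and the sample subject is constructed.

```python
import string

def parse_subject(dn):
    """Parse an RFC 4514 subject string into {TYPE: [values]}, undoing
    backslash escapes (\\, or \\XX hex pairs) so separators inside values survive."""
    rdns, cur, i = [], bytearray(), 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(h in string.hexdigits for h in pair):
                cur.append(int(pair, 16))      # \XX: one raw byte
                i += 3
            else:
                cur += dn[i + 1].encode()      # \, \+ \\ and similar
                i += 2
        elif c in ",+":                        # unescaped RDN separator
            rdns.append(bytes(cur))
            cur = bytearray()
            i += 1
        else:
            cur += c.encode()
            i += 1
    rdns.append(bytes(cur))
    attrs = {}
    for rdn in rdns:
        key, sep, value = rdn.decode("utf-8").partition("=")
        if sep:
            attrs.setdefault(key.strip().upper(), []).append(value)
    return attrs

def ldap_escape(value):
    """Escape the RFC 4515 filter metacharacters so the value matches literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(subject, cert_field="emailAddress", ldap_attr="mail"):
    """Return an LDAP equality filter for one subject field; refuse a subject
    with zero or several values for it instead of guessing."""
    values = parse_subject(subject).get(cert_field.upper(), [])
    if len(values) != 1 or not values[0]:
        raise ValueError("subject must carry exactly one %s" % cert_field)
    return "(%s=%s)" % (ldap_attr, ldap_escape(values[0]))

# Constructed sample subject (not from the thread).
SUBJECT = r"emailAddress=mario.rossi@example.org,CN=Rossi\, Mario (staff),O=Example Org,C=IT"

if __name__ == "__main__":
    print(build_filter(SUBJECT))
    print(build_filter(SUBJECT, "CN", "cn"))
```

The resulting filter string is what an LDAP search would receive; an empty search result is the "user doesn't exist" case that leads to a reject.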
