Freeradius + EAP-TLS + LDAP

Phil Mayers p.mayers at imperial.ac.uk
Wed Apr 20 13:06:54 CEST 2011


On 04/20/2011 11:37 AM, Alexandros Gougousoudis wrote:
> Hi Phil,
>
> Phil Mayers schrieb:
>> Ah, good. If you have NT-Password, PEAP/MS-CHAP should work.
> Great!
>> Yes. There are lots of ways to do this, depending on what key you want
>> to use for the lookup (machine account name, mac address, TLS cert
>> subject)
>>
>
> Thanks, I'll start to do this. Machine account name should work for me.
>
> Any hints, or how to do this? Is there somewhere an example available
> to start with?

Well, as I said - there are lots of ways of doing this.

The simplest possible way is to configure the LDAP module appropriately. 
Since you're doing both user- and host-based auth, you will need to make 
sure that the filter is correct:

raddb/modules/ldap:

   ...
   # the mschap:User-Name will turn:
   #
   # domain\user -> user
   # host/name.domain -> name$

   filter = "(samaccountname=%{mschap:User-Name})"

...and then you just call the "ldap" module in your "authorize" section e.g.

raddb/sites-enabled/default:

authorize {
   ...
   eap {
     ok = return
   }

   ldap
   if (notfound) {
     reject
   }

}

> I'm new to FR 2.1 and it's hard to make even my old config work on the
> test machine.

Unless you're a FreeRADIUS expert, you're going to find that hard. Start 
with a clean slate. Put the config into version control. Make small 
changes and test, then commit to version control when each change is 
done. Build your config up that way.
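To make the two rewrites in the filter comment above concrete, here is a small Python model of what the `%{mschap:User-Name}` expansion yields for the three identity shapes (domain\user, host/name.domain, bare name) and of the `samaccountname` filter the ldap module then issues. This is an added illustration, not FreeRADIUS code: the server performs this normalisation internally in the mschap module, and the sample identities below are constructed. The model also applies RFC 4515 escaping to the expanded name, which anything that splices request-supplied identities into an LDAP filter must do.

```python
"""Model of the %{mschap:User-Name} rewrite and the resulting LDAP filter.

Added illustration for the thread above; it is not FreeRADIUS's own code.
"""
from __future__ import annotations

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def mschap_user_name(user_name: str) -> str:
    """Normalise an MS-CHAP/PEAP identity as described in the config comment:

        DOMAIN\\user      -> user
        host/name.domain  -> name$

    Any other form is returned unchanged.
    """
    if user_name.startswith("host/"):
        # Machine account: keep the short host name, append the AD '$' suffix.
        fqdn = user_name[len("host/"):]
        return fqdn.split(".", 1)[0] + "$"
    if "\\" in user_name:
        # Domain-qualified user: drop everything up to and including the backslash.
        return user_name.split("\\", 1)[1]
    return user_name


def samaccountname_filter(user_name: str) -> str:
    """Build the filter string corresponding to
    filter = "(samaccountname=%{mschap:User-Name})" for this identity."""
    return f"(samaccountname={ldap_filter_escape(mschap_user_name(user_name))})"


if __name__ == "__main__":
    # Constructed sample identities: a domain user, a machine account, a bare
    # user name, and a hostile name carrying filter metacharacters.
    samples = [
        "CORP\\alice",
        "host/lab-pc07.corp.example.org",
        "bob",
        "ev*l)(objectClass=*",
    ]
    for ident in samples:
        print(f"{ident!r:40} -> {samaccountname_filter(ident)}")
```

The last sample shows why the escaping step matters: without it the filter would become `(samaccountname=ev*l)(objectClass=*)`, a syntactically different query than the one intended.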


