External HTTPS authentication

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Nov 28 22:10:35 CET 2012


On 28 Nov 2012, at 21:00, Thiago A. V. Lima <tavl at gprt.ufpe.br> wrote:

> Hello mailing list.
> 
> What I'm actually trying to accomplish is this: 
> 
> I already have a modified version of an OpenID server, that doesn't require any user/password. The whole authentication is based on EAP-TLS between the browser and the Apache server, using the certificate email to identify the current user. (I control the whole CA chain, so I can trust the certificate embedded emails).
> 
> I'd like to make FreeRADIUS "forward" the user certificate (client side, WPA2-Enterprise scheme certificate, I mean) to my OpenID (Apache server with EAP-TLS) and, if the connection is correctly established, authenticate the user and move him to the correct VLAN. This way, I could have an integrated network and services (single sign-on) authentication process, "completely" transparent to the end-user (except for the network
> 
> So, if there was any already available module that could, for example, authenticate the RADIUS user using a "foreign" webservice or something like that, I think I could modify/adapt it to my EAP-TLS scenario.
> 
> Any suggestions?
> 

No, but that'd be really fun and I've considered doing something similar with MsCHAPv2 and ntlmauth. It's technically possible, but you're going to have to write your own code.

Feel free to use rlm_rest (in master branch) as a framework, you may find libcurl too limiting though, so you might want to create your own module based off of it.

-Arran

