Active Directory authentication question

Arran Cudbard-Bell a.cudbardb at
Wed Sep 18 16:51:10 CEST 2013

On 18 Sep 2013, at 15:39, Roberto Carna <robertocarna36 at> wrote:

> Sorry, so I'm a bit confused...
> I'm using Windows 7 clients for accesing the WiFi network through
> EAP-TLS with X.509 certificates. But in this way, I could see that I
> can authenticate users or hosts...if I choose users, I can see a
> dialog box to fill user and password and I suppose they are checked
> against MySQL database (because I see the query in debug mode). Is
> this correct or not ???

MySQL can be used to retrieve additional attributes associated with a
given user/host.  It can even perform lookups based on fields in the 
cert presented, but it can't be used to store X.509 certificate data.

> And finally, if I use EAP-TLS with X.509 certificates, do you mean I
> don't need to use the authentication against the active directory
> database ??? Maybe this is easier to me because I've put EAP-TLS to
> work.

No, the easier way is to complete the certificate chain using the 
signing cert which created the client certs in the first place. This needs
to be made available to the EAP-TLS module.


Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS Development Team

More information about the Freeradius-Users mailing list