EAP-TLS and Active Directory

Scott Armitage S.P.Armitage at lboro.ac.uk
Wed Nov 25 10:36:13 CET 2015

> On 25 Nov 2015, at 09:22, Simon Larsson <simlar at live.se> wrote:
> Hi there!
> I’m having a problem where I don’t fully understand exactly how EAP-TLS works in regards to authorization.
> I'm trying to implement a 802.1x wireless network which uses EAP-TLS for security reasons. I already have a Windows server with a Certificate Authority, so that's not really an issue. All I have to do there is to create the certificates and then insert them into both the FreeRADIUS server and all the clients.
> Here’s my problem. As I understand it, EAP-TLS uses the certificates for authentication and therefore my users' credentials become less important (not needed to log in to the network).
> Now, if my users never enter their credentials and the FreeRADIUS server never checks with Active Directory for authorization, what decides what network resources a specific user should have access to?
> My goal here is to have it so that when a user connects to the network, the user should automatically get access to that user's network resources.

Lots of different ways to do this.  But, off the top of my head…

Use some xlat LDAP queries in the post-auth section using the CN from the certificate.


Scott Armitage
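One concrete shape of what Scott suggests, written as an added example for this thread rather than configuration posted by him or shipped with FreeRADIUS. It is FreeRADIUS 3.x unlang for the post-auth section of the virtual server that terminates EAP-TLS, and it assumes a base DN of dc=example,dc=com, that the certificate CN equals the AD sAMAccountName, an ldap module instance named "ldap", and two groups of my own invention (wifi-staff, wifi-guests) mapped to VLANs 10 and 20. Adjust the DNs and VLAN ids to your directory.

```text
# Added example (not from the thread): FreeRADIUS 3.x, sites-enabled/default,
# post-auth of the server that completes the EAP-TLS exchange.
# Assumed: base DN dc=example,dc=com, cert CN == sAMAccountName,
# groups cn=wifi-staff / cn=wifi-guests under ou=groups, VLANs 10 and 20.
post-auth {
    # TLS-Client-Cert-Common-Name is only present once EAP-TLS has verified
    # a client certificate against the CA configured in mods-enabled/eap.
    if (&TLS-Client-Cert-Common-Name) {

        # Each query puts the group test inside the LDAP filter and asks for
        # sAMAccountName back: a non-empty result means "member of that group".
        # This avoids relying on how many memberOf values the xlat hands back.
        # rlm_ldap escapes the expanded CN before it is placed in the filter.
        if ("%{ldap:ldap:///dc=example,dc=com?sAMAccountName?sub?(&(sAMAccountName=%{TLS-Client-Cert-Common-Name})(memberOf=cn=wifi-staff,ou=groups,dc=example,dc=com))}" != "") {
            update reply {
                &Tunnel-Type := VLAN
                &Tunnel-Medium-Type := IEEE-802
                &Tunnel-Private-Group-Id := "10"
            }
        }
        elsif ("%{ldap:ldap:///dc=example,dc=com?sAMAccountName?sub?(&(sAMAccountName=%{TLS-Client-Cert-Common-Name})(memberOf=cn=wifi-guests,ou=groups,dc=example,dc=com))}" != "") {
            update reply {
                &Tunnel-Type := VLAN
                &Tunnel-Medium-Type := IEEE-802
                &Tunnel-Private-Group-Id := "20"
            }
        }
        else {
            # Valid certificate, but the account is in no authorised group
            # (or no longer exists in AD): fail closed rather than hand out a
            # default VLAN.
            reject
        }
    }

    Post-Auth-Type REJECT {
        # Standard reject handling; keep whatever your site already has here.
        attr_filter.access_reject
    }
}
```

The point of doing the lookup at all is that certificate possession only proves identity; the directory query is what turns that identity into an authorisation decision, and because the query runs on every connection, disabling or regrouping the AD account takes effect without revoking the certificate. The `reject` in the else branch matters for the same reason: without it a revoked-in-AD user with a still-valid certificate would simply land on whatever the switch or controller uses as its default VLAN.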

