EAP-TLS and Active Directory

Scott Armitage S.P.Armitage at lboro.ac.uk
Wed Nov 25 10:36:13 CET 2015


> On 25 Nov 2015, at 09:22, Simon Larsson <simlar at live.se> wrote:
> 
> Hi there!
> 
> I’m having a problem where I don’t fully understand exactly how EAP-TLS works in regards to authorization.
> 
> I'm trying to implement an 802.1X wireless network which uses EAP-TLS for security reasons. I already have a Windows server with a Certificate Authority, so that's not really an issue. All I have to do there is to create the certificates and then insert them into both the FreeRADIUS server and all the clients.
> 
> Here’s my problem. As I understand it, EAP-TLS uses the certificates for authentication and therefore my users' credentials become less important (not needed to log in to the network).
> Now, if my users never enter their credentials and the FreeRADIUS server never checks with Active Directory for authorization, what decides what network resources a specific user should have access to?
> 
> My goal here is to have it so that when a user connects to the network, the user should automatically get access to that user's network resources.
> 


Lots of different ways to do this.  But, off the top of my head…

Use some xlat LDAP queries in the post-auth section using the CN from the certificate.



Regards


Scott Armitage
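To make that suggestion concrete, the following is an added example of such a post-auth block (it is not part of Scott's reply and not the FreeRADIUS project's own configuration). It assumes FreeRADIUS 3.x with an rlm_ldap instance named `ldap` bound to the AD domain controller, a base DN of `dc=example,dc=com`, a group `CN=WiFi-Users,OU=Groups,dc=example,dc=com` and the VLAN IDs 20 and 99; all of these values are constructed for illustration. The point is that after the EAP-TLS handshake the server has already validated the client certificate against the CA, so the certificate CN (exposed as `TLS-Client-Cert-Common-Name`) is a trustworthy identity that can drive an LDAP lookup, even though the user never typed a password and the outer `User-Name` may be anonymous.

```unlang
# sites-enabled/default -- added example, not the original poster's config.
# Runs after EAP-TLS has succeeded; the certificate chain has already been
# checked against the CA, so the CN is an authenticated identity.
post-auth {
    # Only act on EAP-TLS sessions that presented a client certificate.
    if (&TLS-Client-Cert-Common-Name) {

        # ldap xlat (assumed rlm_ldap instance "ldap"):
        #   ldap:///<base>?<attribute>?<scope>?<filter>
        # Looks up the AD user whose cn equals the certificate CN and returns
        # its memberOf DNs. The xlat escapes the CN for LDAP, so a crafted
        # CN cannot alter the filter.
        update request {
            &Tmp-String-0 := "%{ldap:ldap:///dc=example,dc=com?memberOf?sub?(&(objectClass=user)(cn=%{TLS-Client-Cert-Common-Name}))}"
        }

        # Map group membership to a VLAN (assumed group and VLAN values).
        if (&Tmp-String-0 =~ /CN=WiFi-Users,OU=Groups,dc=example,dc=com/i) {
            update reply {
                &Tunnel-Type := VLAN
                &Tunnel-Medium-Type := IEEE-802
                &Tunnel-Private-Group-Id := "20"
            }
        }
        else {
            # Valid certificate but no matching AD group: either park the
            # client on a restricted VLAN (as here) or return "reject".
            update reply {
                &Tunnel-Type := VLAN
                &Tunnel-Medium-Type := IEEE-802
                &Tunnel-Private-Group-Id := "99"
            }
        }
    }
}
```

With this in place, authentication is still purely certificate-based, while authorization (the VLAN or other reply attributes) comes from Active Directory via the CN. If the certificate CN does not match the AD `cn` attribute in your deployment (for example when certificates carry the UPN in the subject alternative name), change the filter to the attribute your CA actually populates. A disabled AD account still holds a valid certificate until it is revoked, so the lookup above should be combined with an `userAccountControl` check or CRL/OCSP checking in the EAP-TLS module if you want account state to take effect immediately.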

