EAP-TLS and Active Directory
Scott Armitage
S.P.Armitage at lboro.ac.uk
Wed Nov 25 10:36:13 CET 2015
> On 25 Nov 2015, at 09:22, Simon Larsson <simlar at live.se> wrote:
>
> Hi there!
>
> I’m having a problem where I don’t fully understand exactly how EAP-TLS works in regards to authorization.
>
> I'm trying to implement a 802.1x wireless network which uses EAP-TLS for security reasons. I already have a Windows server with a Certificate Authority, so that's not really an issue. All I have to do there is to create the certificates and then insert them into both the FreeRADIUS server and all the clients.
>
> Here’s my problem. As I understand it, EAP-TLS uses the certificates for authentication and therefor my users credentials become less important (not needed to log in to the network).
> Now, if my users never enter their credentials and the FreeRADIUS server never checks with Active Directory for authorization, what decides what network resources a specific user should have access to?
>
> My goal here is to have it so that when a user connects to the network, the user should automatically get access that users network resources.
>
Lots of different ways to do this. But, off the top of my head…
use some xlat ldap queries in the post-auth section using the CN from the certificate.
Regards
Scott Armitage
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 204 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20151125/7642f2bd/attachment.sig>
More information about the Freeradius-Users
mailing list