EAP-TLS and Active Directory

Matthew Newton mcn4 at leicester.ac.uk
Wed Nov 25 12:07:23 CET 2015


On Wed, Nov 25, 2015 at 10:22:52AM +0100, Simon Larsson wrote:
> My goal here is to have it so that when a user connects to the
> network, the user should automatically get access to that user's
> network resources.

As has been said there are many ways to do this.

We check the certificate subject against the AD LDAP to ensure
that the machine is permitted to connect.

It should be simple to put machines in groups and then assign a
VLAN for each group, or even put the VLAN number in LDAP if you
really wanted to, then just pull the value out in FreeRADIUS.

But remember with AD/Windows this is normally not really "user"
authentication - it is "machine" authentication, so the VLAN will
be for the computer rather than the specific user, unless you
generate certificates for all your users and somehow get them
authenticating on to the network using that (e.g. in Windows you
could set to "user" auth and then use smartcards).

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
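Added example (not the poster's or the FreeRADIUS project's own configuration) of one way to do the certificate-against-AD check and the VLAN lookup described above, as a FreeRADIUS 3.x post-auth section. The hostnames, DNs, group names, the LDAP attribute holding the VLAN and the VLAN numbers are all assumed, and the ldap module is assumed to be configured to find the computer object from the certificate CN rather than from User-Name, as noted in the comments.

```unlang
# sites-enabled/default (outer server).  post-auth runs once EAP-TLS has
# succeeded, when the TLS-Client-Cert-* attributes from the presented
# certificate are in the request.
# Assumes mods-available/ldap locates the AD computer object from the
# certificate, e.g. in its "user" section (AD machine certs carry the FQDN
# as CN, which is what dNSHostName on the computer object holds):
#   filter = "(&(objectClass=computer)(dNSHostName=%{TLS-Client-Cert-Common-Name}))"
# DNs, group names, attribute name and VLAN numbers below are constructed.
post-auth {
    if (EAP-Type == TLS) {
        # LDAP-Group performs its own search with the filter above, so a
        # certificate whose CN matches no computer object is rejected here,
        # as is a real machine outside the permitted group.
        if (LDAP-Group == "CN=Network Access Computers,OU=Groups,DC=example,DC=internal") {
            ok
        }
        else {
            reject    # converts the Access-Accept into an Access-Reject
        }

        # Option 1: VLAN per AD group.
        if (LDAP-Group == "CN=Lab Machines,OU=Groups,DC=example,DC=internal") {
            update request {
                Tmp-String-0 := "200"
            }
        }
        # Option 2: VLAN stored on the computer object itself (assumed
        # attribute radiusTunnelPrivateGroupId), fetched with the ldap xlat.
        else {
            update request {
                Tmp-String-0 := "%{ldap:ldap:///DC=example,DC=internal?radiusTunnelPrivateGroupId?sub?(dNSHostName=%{TLS-Client-Cert-Common-Name})}"
            }
        }

        # Only send the tunnel attributes when a VLAN was actually found;
        # an empty Tunnel-Private-Group-Id would leave the port to whatever
        # the switch does by default.
        if (Tmp-String-0 != "") {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "%{Tmp-String-0}"
            }
        }
        else {
            reject
        }
    }
}
```

As the poster notes, this maps the VLAN to the computer object named in the certificate, not to whichever user logs on afterwards.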
