EAP-TLS and Active Directory

Simon Larsson simlar at live.se
Wed Nov 25 12:46:32 CET 2015

> We check the certificate subject against the AD LDAP to ensure
> that the machine is permitted to connect.
> It should be simple to put machines in groups and then assign a
> VLAN for each group, or even put the VLAN number in LDAP if you
> really wanted to then just pull the value out in FreeRADIUS.
> But remember with AD/Windows this is normally not really "user"
> authentication - it is "machine" authentication, so the VLAN will
> be for the computer rather than the specific user, unless you
> generate certificates for all your users and somehow get them
> authenticating on to the network using that (e.g. in Windows you
> could set to "user" auth and then use smartcards).
> Matthew

My thought was to create specific certificates for every single user. I think I understand different ways to tell FreeRADIUS what VLAN to put a specific user or group in, but what about shared folders and stuff like that? The certificate would authenticate the user on to the network by communicating with the FreeRADIUS server, but when it comes to authorization there need to be some connection with the Windows server or am I misunderstanding this? 		 	   		  

More information about the Freeradius-Users mailing list