EAP-TLS
Matthew Newton
mcn4 at leicester.ac.uk
Tue Sep 1 12:39:48 CEST 2015
Hi,
On Mon, Aug 31, 2015 at 04:26:16PM -0700, Jim Shi wrote:
> I want to use EAP-TLS to verify client’s certificate and set
> policy based on the groups that the CN belongs to.
See the check-eap-tls virtual server, and the virtual_server
option in mods-available/eap tls section.
I've got something like this in check-eap-tls to only allow
clients that are in particular groups to connect:
authorize {
	ldap

	# Default deny: anything not explicitly accepted below is rejected
	update control {
		Auth-Type := Reject
	}

	if (Ldap-Group == "WinLaptop") {
		update control {
			Auth-Type := Accept
		}
	}

	if (Ldap-Group == "MacLaptop") {
		update control {
			Auth-Type := Accept
		}
	}
}
You need to configure ldap appropriately, for example (using
Active Directory here, this ldap config is from FR v2):
filter = "(servicePrincipalName=%{User-Name})"
base_filter = "(objectClass=computer)"
groupname_attribute = cn
groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
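A fuller version of the same policy, added here as an example and not part of Matthew's post or the FreeRADIUS distribution. It assumes FreeRADIUS 3.x file layout and option names (tls-config in mods-available/eap, the user/group sub-sections of mods-available/ldap, LDAP-UserDn as the control attribute), and it changes one thing on purpose: the LDAP lookup is keyed on TLS-Client-Cert-Common-Name, the CN of the certificate the TLS handshake has just validated, rather than on User-Name. The outer identity in an EAP-TLS exchange is chosen by the client and is never authenticated, so with the User-Name filter any holder of a valid certificate from the same CA could claim the name of a WinLaptop object and pass the group check. The server, identity, password and base DN are placeholders, and the filter assumes the CA writes the computer's servicePrincipalName into the certificate CN (use dNSHostName if it writes the FQDN instead).

```unlang
#  mods-available/eap, inside the tls-config block (FreeRADIUS 3.x layout
#  assumed).  Every client certificate is handed to the virtual server
#  below after the chain has validated.  Leave the rest as shipped.
#
#      tls-config tls-common {
#          ...
#          virtual_server = check-eap-tls
#      }

#  sites-available/check-eap-tls (symlink it into sites-enabled/)
server check-eap-tls {
	authorize {
		#  Default deny.  Anything not explicitly accepted further down is
		#  rejected, so a mistyped group name fails closed.
		update control {
			Auth-Type := Reject
		}

		#  Look the device up in AD.  The ldap user filter (below) keys on
		#  the certificate CN, so the lookup is bound to what the CA signed,
		#  not to the outer identity the client supplied.
		ldap

		#  Only evaluate groups if an object was found; otherwise
		#  control:LDAP-UserDn is absent and LDAP-Group has nothing to check.
		if (&control:LDAP-UserDn) {
			#  Both groups get the same policy, so one condition suffices.
			if ((LDAP-Group == "WinLaptop") || (LDAP-Group == "MacLaptop")) {
				update control {
					Auth-Type := Accept
				}
			}
		}
	}
}

#  mods-available/ldap, FreeRADIUS 3.x syntax.  These are the 3.x
#  equivalents of the four FR v2 options quoted in the post.
ldap {
	server = 'dc1.example.org'                                    # placeholder
	identity = 'CN=radius,OU=Service Accounts,DC=example,DC=org'  # placeholder
	password = 'change-me'                                        # placeholder
	base_dn = 'DC=example,DC=org'                                 # placeholder

	user {
		base_dn = "${..base_dn}"
		#  v2 "filter" and "base_filter" combined into one expression, keyed
		#  on the validated certificate CN rather than User-Name.  Assumes
		#  the CA puts the SPN in the CN; use dNSHostName for FQDN-style CNs.
		filter = "(&(objectClass=computer)(servicePrincipalName=%{TLS-Client-Cert-Common-Name}))"
	}

	group {
		base_dn = "${..base_dn}"
		filter = '(objectClass=group)'
		#  v2 groupname_attribute
		name_attribute = cn
		#  v2 groupmembership_filter; the DN comes from the user lookup above
		membership_filter = "(&(objectClass=group)(member=%{control:LDAP-UserDn}))"
	}
}
```

Run `radiusd -X` and trigger an EAP-TLS login: the debug output shows the check-eap-tls server being entered, the expanded LDAP filter containing the certificate CN, and the LDAP-Group comparison result, which is the quickest way to confirm the lookup is using the certificate and not the outer identity.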