Matthew Newton mcn4 at leicester.ac.uk
Tue Sep 1 12:39:48 CEST 2015


On Mon, Aug 31, 2015 at 04:26:16PM -0700, Jim Shi wrote:
> I want to use EAP-TLS to verify client’s certificate and set
> policy based on the groups that the CN belongs to. 

See the check-eap-tls virtual server, and the virtual_server
option in mods-available/eap tls section.

I've got something like this in check-eap-tls to only allow
clients that are in particular groups to connect:

authorize {

  # default-deny: anything not accepted below is rejected
  update control {
    Auth-Type := Reject
  }

  if (Ldap-Group == "WinLaptop") {
    update control {
      Auth-Type := Accept
    }
  }

  if (Ldap-Group == "MacLaptop") {
    update control {
      Auth-Type := Accept
    }
  }
}

You need to configure ldap appropriately, for example (using
Active Directory here, this ldap config is from FR v2):

  filter = "(servicePrincipalName=%{User-Name})"
  base_filter = "(objectClass=computer)"
  groupname_attribute = cn
  groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"


Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
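The two pieces the message points at, wired together as an added example (not from the original message and not the FreeRADIUS project's own shipped configuration). It assumes the FreeRADIUS 3.0 file layout, where the virtual_server option sits in the tls-config tls-common block of mods-available/eap and the virtual server is a file under sites-available/; the group names WinLaptop and MacLaptop and the Reject-then-Accept ordering are taken from the message, the certificate file names are the defaults from the 3.0 sample config, and the ldap module is assumed to be enabled with group settings equivalent to those quoted above.

```conf
# mods-available/eap (FreeRADIUS 3.0 layout, assumed): after the TLS
# handshake, hand the presented client certificate to check-eap-tls
eap {
	default_eap_type = tls

	tls-config tls-common {
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem
		ca_file = ${cadir}/ca.pem

		# A reject in this virtual server fails the EAP-TLS session even
		# though the certificate chained to a trusted CA.
		virtual_server = check-eap-tls
	}

	tls {
		tls = tls-common
	}
}

# sites-available/check-eap-tls (link it into sites-enabled/):
# fail closed first, then accept only members of the permitted groups.
server check-eap-tls {
	authorize {
		# Default-deny: a certificate whose subject is in no permitted
		# group never reaches Accept.
		update control {
			Auth-Type := Reject
		}

		# Ldap-Group is a compare attribute registered by the ldap module;
		# each comparison runs a group lookup using the group settings
		# (name attribute, membership filter) configured in that module.
		if (Ldap-Group == "WinLaptop" || Ldap-Group == "MacLaptop") {
			update control {
				Auth-Type := Accept
			}
		}
	}
}
```

Two things to check when bringing this up: Ldap-Group only exists once mods-enabled/ldap is loaded, so a typo in the module name shows up as an "unknown attribute" error at startup rather than at authentication time; and the ldap filter quoted in the message keys on %{User-Name}, so run radiusd -X once and confirm that whatever attribute the filter expands is actually present in the request listed when check-eap-tls is entered, otherwise every group comparison fails and the default Reject applies to every client.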
