Authorize with EAP-TLS, but use LDAP for authentication to check user's group membership

Petar Marinkovic highl1 at gmail.com
Tue Jan 3 18:26:07 CET 2017


I am quite a FreeRADIUS noob, so in advance, my apologies if this question
of mine doesn't make too much sense.

I have a mixed environment, mostly Windows users, but also Linux and Macs,
and the requirement is to implement 802.1X wired authentication for DHCP
clients, with dynamic VLAN assignment.

As a first layer of security, I've implemented this solution
https://wiki.freeradius.org/guide/mac-auth with both MAC authentication
(reading allowed MAC addresses) and then proceeding with EAP-TLS (with
certificates issued by Windows Active Directory Certificate Services).

I've created a machine certificate for the FreeRADIUS server (2.2, running on
CentOS 6) in AD CS, converted it and the root CA, and set up everything
per that solution, and I can successfully authenticate with any Windows or
Linux client that has an allowed MAC and a user with their certificate.

Now, I would like to add LDAP, in order to check the user's group
permissions, and to set up dynamic VLAN assignment per group membership (if
an HR person is a member of the "HR" group, put them in VLAN 10, for example). I
have Juniper access switches, so this solution should work.

But I am seeking advice from you guys here on how to proceed. I've
installed the LDAP module and configured my settings in
/etc/raddb/modules/ldap, but where should the configuration for this take
place? Currently, my /etc/raddb/sites-available/default config looks the
same as on the link above, and I am not sure whether I can use the username of
the authorized user (which is in the form username@domain.com, from the Windows
user certificate) with LDAP to check the groups of that authorized user and
assign them the correct VLAN.

I've googled around, but what I found didn't help me much, so any help is
more than appreciated!

I guess it's easier to switch to MAC and LDAP and bypass EAP-TLS, but since
we're already issuing certificates to users (and they use those Windows AD
certificates for other services as well), I would like to use them here as
well for authorization with MAC addresses.

Thanks in advance!
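One way to wire this up, as an added example that is not from the post, the mac-auth guide or the FreeRADIUS project. The key point is where the check goes: the TLS-Client-Cert-* attributes only exist after the EAP-TLS handshake has verified the client certificate, so the LDAP group lookup belongs in post-auth, not in authorize, where the certificate has not been seen yet and User-Name is whatever the supplicant chose to send. The snippet uses FreeRADIUS 2.2 syntax and assumes an AD domain domain.com, a service account, group DNs and VLAN numbers that are all made up, that AD CS user certificates carry the UPN in the subject alternative name, and that the 2.2 build exposes that UPN as TLS-Client-Cert-Subject-Alt-Name-Upn (the name FreeRADIUS 3.0 uses); if `radiusd -X` does not show that attribute after the handshake, substitute the TLS-Client-Cert-* attribute your build does provide, such as the common name.

```conf
# /etc/raddb/modules/ldap (FreeRADIUS 2.2 syntax). Server, account, base DN
# and group DNs below are assumptions for an example AD domain.
ldap {
    server = "dc01.domain.com"
    identity = "CN=radius-svc,OU=Service Accounts,DC=domain,DC=com"
    password = "change-me"
    basedn = "DC=domain,DC=com"

    # Look the user up by the identity the server itself placed in
    # Stripped-User-Name (set from the verified certificate in post-auth
    # below), falling back to User-Name only if that is absent.
    filter = "(userPrincipalName=%{Stripped-User-Name:-%{User-Name}})"

    # AD publishes group membership on the user object as memberOf;
    # Ldap-Group comparisons read it from there.
    groupmembership_attribute = memberOf
    groupname_attribute = cn
}

# /etc/raddb/sites-available/default, post-auth section. Keep the
# authorize/authenticate sections from the mac-auth guide unchanged; the
# MAC allow-list and EAP still run there. Only this section is new.
post-auth {
    # Present only once EAP-TLS has verified the client certificate, so
    # this block is skipped for mid-handshake and MAC-only requests.
    if (TLS-Client-Cert-Subject-Alt-Name-Upn) {
        # Bind the directory lookup to the UPN inside the verified
        # certificate, not to the outer User-Name the supplicant sent.
        update request {
            Stripped-User-Name := "%{TLS-Client-Cert-Subject-Alt-Name-Upn}"
        }

        # Group DNs and VLAN IDs are assumed values; Tunnel-* attributes
        # are the standard RADIUS dynamic-VLAN reply (RFC 3580).
        if (Ldap-Group == "CN=HR,OU=Groups,DC=domain,DC=com") {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "10"
            }
        }
        elsif (Ldap-Group == "CN=Engineering,OU=Groups,DC=domain,DC=com") {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "20"
            }
        }
        else {
            # Valid certificate but no VLAN mapping: reject rather than
            # let the switch fall back to its default VLAN (assign a
            # quarantine VLAN here instead if that fits the policy).
            reject
        }
    }
}
```

Two things to check when enabling this: the `Ldap-Group` comparison is only registered once the ldap module is instantiated, so if `ldap` is not listed in any section of the virtual server, add it to the `instantiate {}` block in radiusd.conf; and machine certificates from AD CS carry a DNS name rather than a UPN in the SAN, so a separate branch keyed on the DNS name or CN is needed if machines should also get a VLAN instead of being rejected by the `else`.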


More information about the Freeradius-Users mailing list