Authorize with EAP-TLS, but use LDAP for authentication to check user's group membership

Petar Marinkovic highl1 at
Tue Jan 3 23:56:05 CET 2017

Alan, thanks for the info, I also thought that I can do it there :)
Can you please provide me with some example config? I am not that familiar
with unlang


On Tue, Jan 3, 2017 at 6:26 PM, Petar Marinkovic <highl1 at> wrote:

> I am quite a freeradius noob, so in advance, my apologies if this question
> of mine doesn't make too much sense.
> I have a mixed environment, mostly Windows users, but also Linux and Macs,
> and requirement is to implement a 802.1x wired authentication for DHCP
> clients, with dynamic VLAN assignment.
> As a first layer of security, I've implemented this solution https://wiki.
> with both mac authentication (reading
> allowed MAC addresses) and then proceeding with EAP-TLS (with certificates
> issued from Windows Active Directory Certificate Services).
> I've created machine certificate for freeradius server (2.2, running on
> CentOS 6) in AD CS, converted that one and root CA, and set up everything
> per that solution, and I can successfully authenticate with any Windows or
> Linux client with allowed MAC and user having their certificate.
> Now, I would like to add LDAP, in order to check the user's group
> permissions, and to set up dynamic vlan assignment per group membership (if
> a HR person is member of "HR" group, put him in VLAN 10, for example). I
> have Juniper access switches, so this solution should work.
> But, I am seeking advice from you here guys on how to proceed. I've
> installed LDAP module, and configured my settings in
> /etc/raddb/modules/ldap but where should the configuration for this takes
> place? Currently, my /etc/raddb/sites-available/default config looks the
> same as on the link above, and I am not sure if I can use the username of
> authorized user (which is in form of username at from the Windows
> user certificate) with LDAP to check the groups of that authorized user and
> assign him the correct VLAN?
> I've googled around, but what I found didn't help me much, so any help is
> more than appreciated!
> I guess it's easier to switch to MAC and LDAP and bypass EAP-TLS, but
> since we're already issuing certificates to users (and they use those
> Windows AD certificates for other services as well), I would like to use
> them here as well for authorization with MAC addresses.
> Thanks in advance!

More information about the Freeradius-Users mailing list