EAP-TLS and EAP-PEAP with different authentication/authorization settings

John Meyers john+freeradius at themeyers.us
Tue Jul 11 23:48:28 CEST 2017


I have what I think is a very common use case.  I'd like to support
"dual stack" EAP-TLS and EAP-PEAP, the concept being that if a corporate
device has a valid certificate and authenticates EAP-TLS it gets
validated against one set of rules ultimately culminating with
assignment in one or more VLANs, vs a BYOD device authenticated with
EAP-PEAP that will go through a different authentication/authorization
stack ending up in a different set of possible VLANs.

We have the EAP-PEAP case working flawlessly on freeradius-3.0.4-6.el7. 
The problem is that when I enable the 'virtual_server' option for
EAP-TLS, it still hits the default authentication/authorization stack
resulting in searching the wrong LDAP (machines and people are separate)
before it runs for the virtual server defined.  By the time it hits the
virtual server, the request has already been denied as the LDAP object
does not exist in the area it is looking for.  I would also like, if
EAP-TLS is used, to ignore whatever username the client passes and
instead use the client's CN from its certificate with regard to LDAP.

If anyone has any advice on how to configure a completely divergent
configuration that depends on whether or not the client is using TLS or
PEAP, I would appreciate it.