EAP-TLS and EAP-PEAP with different authentication/authorization settings

Alan Buxey alan.buxey at gmail.com
Wed Jul 12 00:12:17 CEST 2017

Just use some unlang in the post-auth section to separate your EAP-TLS
policy from your PEAP decisions


On 11 Jul 2017 10:48 pm, "John Meyers" <john+freeradius at themeyers.us> wrote:

> Hello,
> I have what I think is a very common use case.  I'd like to support
> "dual stack" EAP-TLS and EAP-PEAP, the concept being that if a corporate
> device has a valid certificate and authenticates EAP-TLS it gets
> validated against one set of rules ultimately culminating with
> assignment in one or more VLANs, vs a BYOD device authenticated with
> EAP-PEAP that will go through a different authentication/authorization
> stack ending up in a different set of possible VLANs.
> We have the EAP-PEAP case working flawlessly on freeradius-3.0.4-6.el7.
> The problem is that when I enable the 'virtual_server' option for
> EAP-TLS, it still hits the default authentication/authorization stack
> resulting in searching the wrong LDAP (machines and people are separate)
> before it runs for the virtual server defined.  By the time it hits the
> virtual server, the request has already been denied as the LDAP object
> does not exist in the area it is looking for.  I would also like, if
> EAP-TLS is used, to ignore whatever username the client passes and
> instead use the client's CN from its certificate with regard to ldap
> authorization.
> If anyone has any advice on how to configure a completely divergent
> configuration that depends on whether or not the client is using TLS or
> PEAP, I would appreciate it.
> John
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
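The kind of post-auth branching Alan describes, written out as an added example (this is not configuration from either poster or from the FreeRADIUS project itself). It assumes a FreeRADIUS 3.0 default virtual server, that a second ldap module instance named `ldap_machines` (hypothetical name) has been defined in mods-enabled to point at the machine-object tree, and that the VLAN IDs 10 and 20 are placeholders. `EAP-Type`, `TLS-Client-Cert-Common-Name`, `Stripped-User-Name` and the `Tunnel-*` reply attributes are standard FreeRADIUS 3.0 attributes.

```unlang
#
# post-auth section of the default virtual server (sites-enabled/default).
# Added example: branch on which EAP method completed, so that EAP-TLS
# and PEAP sessions get separate authorization and VLAN policy.
#
post-auth {
	if (&EAP-Type == TLS) {
		#
		# Corporate device with a valid certificate.  Ignore whatever
		# identity the supplicant sent and authorize on the CN that
		# the certificate carried.
		#
		update request {
			&Stripped-User-Name := "%{TLS-Client-Cert-Common-Name}"
		}

		# "ldap_machines" is an assumed second ldap instance whose
		# base DN is the machine tree; its filter should look up
		# Stripped-User-Name (the CN set above).
		ldap_machines

		update reply {
			&Tunnel-Type := VLAN
			&Tunnel-Medium-Type := IEEE-802
			&Tunnel-Private-Group-Id := "10"	# placeholder corporate VLAN
		}
	}
	elsif (&EAP-Type == PEAP) {
		#
		# BYOD device.  The user was already authorized by the
		# inner-tunnel server; only the VLAN decision happens here.
		#
		update reply {
			&Tunnel-Type := VLAN
			&Tunnel-Medium-Type := IEEE-802
			&Tunnel-Private-Group-Id := "20"	# placeholder BYOD VLAN
		}
	}
	else {
		# Anything that is neither method is not part of this policy.
		reject
	}

	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}
```

Run `radiusd -X` and watch for the `post-auth` entries in the debug output: an EAP-TLS session should show `ldap_machines` being called and the certificate CN in `Stripped-User-Name`, while a PEAP session should skip straight to the second `update reply`.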
