EAP-TLS and EAP-PEAP with different authentication/authorization settings

John Meyers john+freeradius at themeyers.us
Wed Jul 12 00:22:42 CEST 2017

Would you mind giving a hint on what this might look like?  I'm not
familiar with what variable would carry the authentication type, and
debug mode does not seem to reveal it.

Many thanks for the help!


On 7/11/17 6:12 PM, Alan Buxey wrote:
> Just use some unlang in the post-auth section to separate your EAP-TLS
> policy from your PEAP decisions
> alan
> On 11 Jul 2017 10:48 pm, "John Meyers" <john+freeradius at themeyers.us> wrote:
>> Hello,
>> I have what I think is a very common use case.  I'd like to support
>> "dual stack" EAP-TLS and EAP-PEAP, the concept being that if a corporate
>> device has a valid certificate and authenticates with EAP-TLS it gets
>> validated against one set of rules ultimately culminating with
>> assignment in one or more VLANs, vs a BYOD device authenticated with
>> EAP-PEAP that will go through a different authentication/authorization
>> stack ending up in a different set of possible VLANs.
>> We have the EAP-PEAP case working flawlessly on freeradius-3.0.4-6.el7.
>> The problem is that when I enable the 'virtual_server' option for
>> EAP-TLS, it still hits the default authentication/authorization stack
>> resulting in searching the wrong LDAP (machines and people are separate)
>> before it runs for the virtual server defined.  By the time it hits the
>> virtual server, the request has already been denied as the LDAP object
>> does not exist in the area it is looking for.  I would also like, if
>> EAP-TLS is used, to ignore whatever username the client passes and
>> instead use the client's CN from its certificate with regard to ldap
>> authorization.
>> If anyone has any advice on how to configure a completely divergent
>> configuration that depends on whether or not the client is using TLS or
>> PEAP, I would appreciate it.
>> John
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
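
Added example, not part of the original thread and not the FreeRADIUS project's shipped configuration: one way the post-auth split suggested above could look in the outer virtual server. It assumes the eap module has set the internal EAP-Type attribute on the request by the time post-auth runs; the VLAN IDs are placeholders, and 13 and 25 are the IANA EAP method numbers for EAP-TLS and PEAP.

```unlang
# Illustrative fragment for the outer server (e.g. sites-enabled/default).
# Assumption: EAP-Type is present in the request list in post-auth.
post-auth {
	# EAP method 13 = EAP-TLS: certificate-authenticated corporate device.
	if (&EAP-Type == 13) {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "100"	# placeholder corporate VLAN
		}
	}
	# EAP method 25 = PEAP: password-authenticated BYOD device.
	elsif (&EAP-Type == 25) {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "200"	# placeholder BYOD VLAN
		}
	}
	# Any other request falls through with its reply unchanged.
}
```

The same condition can guard module calls in the authorize section (after eap has run) so that only the matching LDAP instance is queried for each method.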
