EAP-TLS and EAP-PEAP with different authentication/authorization settings

Alan DeKok aland at deployingradius.com
Wed Jul 12 16:29:03 CEST 2017

On Jul 12, 2017, at 10:20 AM, John Meyers <john+freeradius at themeyers.us> wrote:
> Grateful for your help.  You are indeed correct, I was using the
> 'authorize' section for the rules, since that is where the 'files'
> directive (that refers to mods-config/files/authorize) is placed in the
> out-of-the-box sample configuration.  I am still confused though, since
> I want to look in different LDAP locations depending on if the client is
> a human (PEAP) or a machine (TLS).  Doesn't ldap need to run in the
> 'authorize' section?  Here is the pseudo-code of what I am trying to
> accomplish:

  LDAP can run in the authorize section, but it can also run elsewhere.

> if (EAP-Type == TLS) {
>  # Client is a machine, override username given with what is on the
> cert and get attributes from LDAP
>  Username = ClientCert-CN

  Don't change the User-Name.  It's a bad idea.  It will break EAP.

  Instead, create a *new* attribute which can then be used in the LDAP queries.  In this case, Stripped-User-Name will probably Just work.

>  get-ldap-machine-attributes

  Is that a different LDAP module than for PEAP?  i.e. are the queries / baseDN different?

  This probably goes into the "post-auth" section, too.

>  case LDAP-Group {
>     Group-1: VLAN=100,
>     Group-2: VLAN=200,
>     Default: Reject

  This can go into the "post-auth" section of the "default" virtual server:

	if (LDAP-Group == "group1") {
		update reply {
			.. VLAN stuff...
	elsif (LDAP-Group == "group2" {
		update reply {
			.. VLAN stuff...
	else {

>  }
> if (EAP-Type == PEAP)
>  # Client is a human, authenticate against LDAP with provided
> username/password
>  ldap-authenticate-person
>  get-ldap-person-attributes

  Again, what LDAP module / queries / basedn is used here?

  And if it's PEAP.. the LDAP checks go into the "inner-tunnel" visual server.  Because that's where the real name / password is located.  These checks *cannot* go into the "default" virtual server.

>  case LDAP-Group {
>     Group-1: VLAN=500,
>     Group-2: VLAN=600,
>     Default: Reject
>  }

  Same comments as above.

  And upgrade to 3.0.14.  You will likely run into issues with 3.0.4 that are best fixed by an upgrade.

  Alan DeKok.

More information about the Freeradius-Users mailing list