checking whether an AD account is enabled or disabled in FR 3.0.17

Alan DeKok aland at
Fri Jul 13 13:19:41 CEST 2018

On Jul 13, 2018, at 6:26 AM, Alex Sharaz via Freeradius-Users <freeradius-users at> wrote:
> I've been trialing eap-tls for users for quite a while. Unfortunately
> our security people insisted that in addition to eap-tls I had to
> check that the associated users AD account was also enabled. In
> clearpass ( on site authentication service) this is a simple thing to
> do.
> So on campus a user can use eap-tls on their client providing their AD
> account is enabled. If account enabled Access-Accept, if not
> Access-Reject.

  That can be checked via an LDAP query.

> However, our external facing RADIUS servers are FR 3.0.17 boxes acting
> as our ORPS systems. Inbound from the outside world EAP-TLS requests
> get handled by freeradius which then performs an OCSP validation
> request.

  Which makes the AD queries unnecessary.  But whatever...

> This all works except for the fact I'm not checking for an enabled AD
> account. FR is configured to use winbindd. The TLS cert CN is of the
> form <userid>-<4digit hex number>
> Is there any way of me checking for an enabled AD account? e.g.
> ntlm_auth using userid component of the CN and checking a status
> response ? or another way ?

  Just use LDAP.  Split the username via a regex, and then do an LDAP query to see if the account is enabled.

  Test via the LDAP client command line.  Then use that in FreeRADIUS.

	if ("%{ldap:...}" ...) 

  Alan DeKok.
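As an added illustration of the approach Alan describes (not code from the thread or from FreeRADIUS itself): the CN is split with a regex into the user id and the 4-digit hex suffix, and the "is the account enabled" test is expressed as an LDAP filter that matches only when the ACCOUNTDISABLE bit (0x2) of Active Directory's userAccountControl attribute is clear, using AD's bitwise-AND matching rule OID. The lookup table standing in for LDAP search results is constructed sample data; mapping the user id to sAMAccountName is an assumption about this site's directory. The filter string is what you would first try with ldapsearch and then carry into the FreeRADIUS ldap xlat.

```python
import re
from typing import Optional

# Active Directory userAccountControl flag for a disabled account (ACCOUNTDISABLE).
UF_ACCOUNTDISABLE = 0x0002
# AD's bitwise-AND extensible matching rule (LDAP_MATCHING_RULE_BIT_AND).
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Certificate CN format from the thread: <userid>-<4 hex digits>.
# Greedy ".+" lets the user id itself contain hyphens; the suffix is anchored at the end.
CN_PATTERN = re.compile(r"^(?P<userid>.+)-(?P<suffix>[0-9A-Fa-f]{4})$")


def userid_from_cn(cn: str) -> Optional[str]:
    """Return the AD user id from a TLS client certificate CN, or None if the CN is malformed."""
    m = CN_PATTERN.match(cn.strip())
    return m.group("userid") if m else None


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515) so a CN cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def enabled_account_filter(userid: str) -> str:
    """LDAP filter that matches the account only when it exists AND is not disabled.
    Assumes the user id is the account's sAMAccountName."""
    return "(&(sAMAccountName=%s)(!(userAccountControl:%s:=%d)))" % (
        ldap_escape(userid), LDAP_MATCHING_RULE_BIT_AND, UF_ACCOUNTDISABLE)


# Constructed stand-in for LDAP results: sAMAccountName -> userAccountControl.
# 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE,
# 66050 = NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWD.
SAMPLE_DIRECTORY = {
    "alice": 512,
    "bob": 514,
    "carol": 66050,
}


def account_enabled(userid: str, directory=SAMPLE_DIRECTORY) -> bool:
    """True only for an account that exists and has the ACCOUNTDISABLE bit clear."""
    uac = directory.get(userid)
    if uac is None:
        return False  # unknown account: fail closed
    return (uac & UF_ACCOUNTDISABLE) == 0


def radius_decision(cn: str, directory=SAMPLE_DIRECTORY) -> str:
    """Access-Accept only when the CN parses and the mapped AD account is enabled."""
    userid = userid_from_cn(cn)
    if userid is None:
        return "Access-Reject"  # malformed CN: reject rather than guess
    return "Access-Accept" if account_enabled(userid, directory) else "Access-Reject"


if __name__ == "__main__":
    for cn in ("alice-1a2b", "bob-00ff", "carol-BEEF", "mallory-1234", "alice", "alice-12345"):
        uid = userid_from_cn(cn)
        print("%-12s -> %-13s filter: %s" % (cn, radius_decision(cn),
              enabled_account_filter(uid) if uid else "(none: malformed CN)"))
```

Because the disabled check lives in the filter rather than in post-processing, an LDAP query built from `enabled_account_filter()` returns an entry only for an enabled account, so the FreeRADIUS condition reduces to "did the ldap xlat return anything", which is the shape of the `if ("%{ldap:...}" ...)` test above.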
