Post-Auth LDAP with computer names rather than usernames
Alan DeKok
aland at deployingradius.com
Mon Oct 22 18:13:18 CEST 2018
On Oct 22, 2018, at 12:05 PM, Kevin Virk <Kevin.Virk at faithlife.com> wrote:
>
> I recently sparked a discussion regarding post-auth with computer names rather than usernames and I did not include complete information, my apologies. I am currently using EAP-TLS and have crafted certificates based on usernames. Alan had responded saying that post-auth via LDAP was possible if you make certs with workstation names included. I can do this; my question is then: does the stripped username take the computer name, and then do my LDAP queries just need to change to check workstation groups rather than security groups? Thank you in advance for any help.
The default configuration uses Stripped-User-Name if it exists, or else it uses User-Name.
The LDAP queries need to check the correct group, whatever that is.
The point here is to understand (a) what you have, and (b) what you want to do with it. Once you've written everything down, the solution is usually pretty simple.
i.e. How do you tell the difference between users authenticating and computers authenticating?
Well... look at the certs and the debug output. See what's different and then write policies that key off of that.
Most people run into problems because they want FreeRADIUS to "do the right thing". When? Always. How? Mumble mumble...
The hardest part of most configurations is convincing the admins to come up with a detailed technical description of the problem.
Alan DeKok.
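One way to turn the "look at what differs in the certs and key policy off it" advice into configuration, as an added example that is not from Alan's reply or from the FreeRADIUS project's shipped configuration: a FreeRADIUS 3.x unlang fragment for the `post-auth` section that branches on the client certificate's common name and requires membership of a different LDAP group for workstations and for users. It relies on the behaviour the reply describes, that rlm_ldap looks up Stripped-User-Name if it exists and User-Name otherwise. The domain suffix, the group DNs, and the assumption that only workstation certificates carry the machine FQDN in the CN are placeholders for the reader's own environment.

```unlang
# Added example, not from the thread. sites-enabled/default, post-auth section.
# Assumes EAP-TLS on FreeRADIUS 3.x and that workstation certificates have the
# machine FQDN as CN while user certificates do not (assumption).
post-auth {
    # Computer certificate: CN like ws01.corp.example.com (placeholder suffix).
    if (&TLS-Client-Cert-Common-Name =~ /^([^.]+)\.corp\.example\.com$/) {
        # Make the "stripped username" the machine's short name, so the ldap
        # module's default user filter (Stripped-User-Name, else User-Name)
        # finds the computer object instead of whatever the cert CN was.
        # How the directory names computer objects is an assumption.
        update request {
            &Stripped-User-Name := "%{1}"
        }

        # Workstation group check; the DN is a placeholder.
        if (LDAP-Group == "cn=wireless-workstations,ou=groups,dc=example,dc=com") {
            ok
        }
        else {
            reject
        }
    }
    else {
        # User certificate: identity is Stripped-User-Name / User-Name as-is.
        # User group check; the DN is a placeholder.
        if (LDAP-Group == "cn=wireless-users,ou=groups,dc=example,dc=com") {
            ok
        }
        else {
            reject
        }
    }
}
```

Two things to verify in debug output (`radiusd -X`) before trusting this: that `TLS-Client-Cert-Common-Name` is present in the request by the time `post-auth` runs for your EAP-TLS setup, and that the ldap module's `user.filter` actually matches the computer object with the identity chosen here. Against Active Directory in particular, computer accounts have a `sAMAccountName` ending in `$`, so either the filter or the value assigned to Stripped-User-Name has to account for that.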