EAP-TLS with LDAP user attribute check
Alan DeKok
aland at deployingradius.com
Fri Jan 8 22:02:50 CET 2021
On Jan 7, 2021, at 8:22 PM, stray electron <strayedelectron at gmail.com> wrote:
> How can I check an LDAP group membership (or attribute) in an EAP-TLS setup?
Check it once, and cache the result. Or, check it in post-auth.
> I am trying to set up FreeRADIUS 3.0 where the client auth is done with EAP-TLS but it also checks whether the client is in LDAP (and/or checks some user attribute in LDAP). If the client has a valid certificate but is not in LDAP, then it should be rejected.
It's simpler to just revoke the certificate. But whatever.
> Since the auth is already done by EAP-TLS certificates no user bind to the LDAP should be needed, besides I don't have the user password anyway. But I have an LDAP account configured for the Radius server so it can access the user data.
>
> So far EAP-TLS works fine. I suppose the ten-fold repetition of the authorize part is due to the EAP messages exchanged with the client, or am I wrong?
It's because you made it do the LDAP checks in the "authorize" section, i.e. before the user is authenticated.
> The problem is, though, that the LDAP search is done ten times too for each client request. I think this would lead to a huge load on our LDAP server.
>
> I tried to put the ldap stanza into other places like post-auth, but then it tries to write to the LDAP, or in authenticate where the user password is required.
You can do:
post-auth {
        ...
        ldap.authorize
        ...
}
And run the "authorize" method of the "ldap" module.
Alan DeKok.
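The post-auth approach described above, written out as a complete example. This is an added illustration, not configuration from the original post or from the FreeRADIUS distribution. The hostname, bind DN, base DNs, group DN, the choice of the certificate CN as the lookup key, and the decision to reject when the directory is unreachable are all assumptions made for this example:

```unlang
# --- mods-available/ldap (fragment; names and DNs are assumptions) ---
ldap {
        server = 'ldaps://ldap.example.com'
        identity = 'cn=radius,ou=services,dc=example,dc=com'
        password = 'change-me'
        base_dn = 'dc=example,dc=com'

        user {
                base_dn = 'ou=people,dc=example,dc=com'
                # EAP-TLS has already verified the certificate, so key the
                # search on its CN instead of the supplicant-supplied outer
                # User-Name, which is not authenticated.
                filter = "(uid=%{%{TLS-Client-Cert-Common-Name}:-%{User-Name}})"
        }

        group {
                base_dn = 'ou=groups,dc=example,dc=com'
                filter = '(objectClass=groupOfNames)'
                membership_attribute = 'memberOf'
        }
}

# --- sites-enabled/default: post-auth section ---
post-auth {
        # post-auth runs once, after EAP-TLS has completed, so this is one
        # LDAP search per authentication rather than one per EAP round trip.
        # Calling the module's "authorize" method (not a bare "ldap") avoids
        # the module's post-auth method, which would try to write to LDAP.
        ldap.authorize

        # Fail closed: no directory entry for this certificate holder, or the
        # directory could not be queried at all, both result in a reject.
        if (notfound || fail) {
                update reply {
                        Reply-Message := "certificate holder not found in directory"
                }
                reject
        }

        # Group membership check; the group DN is an assumption for this example.
        if (!(LDAP-Group == "cn=wifi-users,ou=groups,dc=example,dc=com")) {
                reject
        }

        # Keep the stock Post-Auth-Type REJECT block below this section: it
        # runs "eap", so the supplicant receives an EAP-Failure rather than a
        # bare Access-Reject when one of the checks above rejects.
        ...
}
```

Returning reject from post-auth causes the server to send an Access-Reject and run the Post-Auth-Type REJECT sub-section, so nothing in the authorize section needs to change, and the per-round-trip LDAP traffic disappears. Whether an LDAP outage should reject users (as above) or let holders of a valid certificate through is a policy decision for the deployment.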
More information about the Freeradius-Users mailing list