FreeRadius EAP-TLS Auth using Email Address

Fri Feb 2 08:45:36 UTC 2024

Thanks Alan.

I've found a script that pulls the username from AD using the email address and then authenticates using the username.

It's certainly been a learning experience 😊


Phil Lowes

-----Original Message-----
From: Alan DeKok <aland at>
Sent: Wednesday, January 31, 2024 12:21 PM
To: FreeRadius users mailing list <freeradius-users at>
Subject: Re: FreeRadius EAP-TLS Auth using Email Address



On Jan 31, 2024, at 6:57 AM, LOWES, Phil (LEICESTERSHIRE PARTNERSHIP NHS TRUST) via Freeradius-Users <freeradius-users at> wrote:
> We have a requirement to authenticate devices to WIFI using the user's email address stored in AD. The devices are enrolled into InTune and the only shared piece of information is the email address.
> How can I change FreeRadius to authenticate using the email address instead of the username?

  That question is a bit confused.

  The server gets a User-Name attribute in an Access-Request.  That User-Name contains some value.  FreeRADIUS typically looks that value up in a database, and then gets a password back from that.

  FreeRADIUS then uses the password to authenticate the user.

> Do I need to perform some form of LDAPSearch using the email address to get the username?

   Perhaps.  Or maybe you can modify the LDAP queries to find an account where the email address in the DB matches the User-Name.

  i.e. break the problem into discrete bits of information, and then connect them together.  Run small tests to verify what you can do.

  Can you look up the email address in LDAP, and get a user ID?  Or can you use the email address to get a matching password?

> Will this work with EAP authentication using SSL certs? The SSL certs are created OnPrem and use the email address.

  If you're using EAP-TLS, then it doesn't use or check passwords.

  Alan DeKok.
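The lookup Alan describes (resolve the email presented as User-Name to an AD user ID, then use that result for authorization and logging rather than a password fetch, since EAP-TLS checks no password), as an added example that is not from this thread or from FreeRADIUS; the directory entries, domain and function names are constructed for illustration, and the search is an offline stand-in for a real LDAP client call.

```python
import re

# RFC 4515 escapes for the characters that change an LDAP filter's meaning.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# Plain address shape; anything else is rejected before it reaches the filter.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_plain_email(value: str) -> bool:
    return bool(_EMAIL_RE.fullmatch(value))


def escape_filter_value(value: str) -> str:
    """Escape an untrusted value so it is matched literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_mail_filter(email: str) -> str:
    """Filter that selects the AD user whose mail attribute equals `email`."""
    if not is_plain_email(email):
        raise ValueError("User-Name is not a plain e-mail address")
    return f"(&(objectClass=user)(mail={escape_filter_value(email)}))"


# Constructed stand-in for the directory (hypothetical entries, not real users).
CONSTRUCTED_DIRECTORY = [
    {"mail": "phil.example@example.org", "sAMAccountName": "pexample"},
    {"mail": "jane.example@example.org", "sAMAccountName": "jexample"},
]


def search_by_mail(ldap_filter: str, directory=CONSTRUCTED_DIRECTORY):
    """Offline stand-in for an LDAP search; it only understands the filter
    shape build_mail_filter() produces. A real script hands the same filter
    string to its LDAP client library instead."""
    m = re.fullmatch(r"\(&\(objectClass=user\)\(mail=(.*)\)\)", ldap_filter)
    if m is None:
        return []
    wanted = m.group(1).lower()  # AD's mail attribute is case-insensitive
    return [e for e in directory if escape_filter_value(e["mail"]).lower() == wanted]


def resolve_username(email: str, directory=CONSTRUCTED_DIRECTORY):
    """Map the e-mail in User-Name to the AD sAMAccountName.
    Returns None when no account matches; refuses to guess when several do."""
    hits = search_by_mail(build_mail_filter(email), directory)
    if len(hits) > 1:
        raise LookupError(f"{email} matches {len(hits)} accounts; refusing to pick one")
    return hits[0]["sAMAccountName"] if hits else None
```

The shape check and escaping matter because the User-Name in an Access-Request is client-supplied; a hand-written script that pastes it straight into a filter would let a crafted value widen the search.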

