FreeRadius EAP-TLS Auth using Email Address

Alan DeKok aland at
Fri Feb 2 12:15:18 UTC 2024

On Feb 2, 2024, at 6:51 AM, Matthew Newton via Freeradius-Users <freeradius-users at> wrote:
> On 02/02/2024 08:45, LOWES, Phil (LEICESTERSHIRE PARTNERSHIP NHS TRUST) via Freeradius-Users wrote:
>> I've found a script that pulls the username from AD using the email address and then authenticates using the username.
> Just note that if you mean running an external script (e.g. shell, perl, etc) then performance will really suffer.


  The phrase "I found a script" sounds a lot like "I found a magic incantation".  But computers aren't magic.

  The script just does LDAP lookups.  FreeRADIUS can also do LDAP lookups.  So why not *understand* what the script does, and re-implement it in FreeRADIUS?

  It should be about 5-10 lines of "unlang", and it will be about 100x faster than a script.

  An even more important benefit is that you will understand what it does, and why it works.  That way if anything goes wrong, you can figure it out, instead of looking for another magic incantation to fix it.

  Alan DeKok.

More information about the Freeradius-Users mailing list