FreeRadius EAP-TLS Auth using Email Address

LOWES, Phil (LEICESTERSHIRE PARTNERSHIP NHS TRUST) phil.lowes at nhs.net
Mon Feb 5 15:53:58 UTC 2024


Our email addresses are different from our UPNs, which is why we need to convert the email supplied in the EAP-TLS client cert.
This is what I found to convert the supplied email address into a usable AD username:

        #!/bin/bash
        # Arguments arrive as --username=..., --domain=..., --challenge=..., --nt-response=...;
        # strip the option prefix from each (works whether or not the prefix is present).
        MAIL=${1#--username=}
        NTDOMAIN=${2#--domain=}
        CHALLENGE=${3#--challenge=}
        NTRESPONSE=${4#--nt-response=}
        HOST="ldap://xxxxxxxxxxxxxx:3268"
        BASE_DN="DC=xxxxxxxxxxxxxx"
        ADUser="xxxxxxxxxxxxxxxxxxxxxxx"
        PASSWORD="xxxxxxxxxxxxxxxxxxxxxxxxxx"
        # The search value comes straight from the client certificate, so keep it quoted.
        FILTER="mail=$MAIL"
        strUserName=$(ldapsearch -LLL -x -D "$ADUser" -w "$PASSWORD" -b "$BASE_DN" -H "$HOST" "$FILTER" extensionAttribute15 \
            | awk '/^extensionAttribute15: / {print $2; exit}')
        [ -n "$strUserName" ] || { echo "no AD account with mail=$MAIL" >&2; exit 1; }
        # Diagnostics go to stderr: stdout is what rlm_mschap reads back from ntlm_auth.
        echo "$MAIL is $strUserName" >&2
        exec /usr/bin/ntlm_auth --request-nt-key --username="$strUserName" --domain="$NTDOMAIN" \
            --challenge="$CHALLENGE" --nt-response="$NTRESPONSE"

The site I found then suggested calling the bash script from inside the mschap module instead of calling ntlm_auth directly:

        ntlm_auth = "/usr/bin/mail_to_username %{mschap:User-Name:-None} %{%{mschap:NT-Domain}:-EXAMPLE} %{mschap:Challenge:-00} %{mschap:NT-Response:-00}"


Can Freeradius perform the LDAP search natively within the module and return the username for the ntlm_auth command?


Regards,

Phil Lowes
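An added example, not code from the post above: the parts of a mail_to_username script that can be tested without a domain controller. It builds the mail= filter with the certificate-supplied address escaped per RFC 4515, sanity-checks the address first, and parses the LDIF that ldapsearch -LLL returns, exercised here against a constructed LDIF sample; HOST, BASE_DN, BIND_DN and BIND_PW are placeholder names you must fill in.

```shell
#!/bin/sh
# Added example (not from the original post): the pieces of mail_to_username
# that can be tested without a domain controller. Placeholders below must be
# replaced with the real global-catalog host, base DN and bind account.
HOST="ldap://PLACEHOLDER-DC:3268"
BASE_DN="DC=PLACEHOLDER"
BIND_DN="PLACEHOLDER-BIND-DN"
BIND_PW="PLACEHOLDER-PASSWORD"

# RFC 4515 escaping for a value placed inside a search filter; the backslash is
# handled first so the later substitutions are not double-escaped.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Sanity check before querying AD: exactly one "@", a dotted domain, no whitespace.
is_plausible_mail() {
    case "$1" in
        *[[:space:]]*|*@*@*|@*|*@) return 1 ;;
        *@*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# "(mail=...)" with the certificate-supplied value escaped.
build_mail_filter() {
    printf '(mail=%s)' "$(ldap_escape "$1")"
}

# First plain "extensionAttribute15: value" line of ldapsearch -LLL output
# (base64-encoded "::" values are not handled here).
username_from_ldif() {
    printf '%s\n' "$1" | awk '/^extensionAttribute15: / { print $2; exit }'
}

# Constructed sample of what ldapsearch -LLL returns for one matching user.
SAMPLE_LDIF='dn: CN=Jane Doe,OU=Staff,DC=example,DC=org
mail: jane.doe@example.org
extensionAttribute15: jdoe'

# Live lookup with the same ldapsearch flags as the posted script; not run offline.
lookup_username() {
    is_plausible_mail "$1" || return 1
    username_from_ldif "$(ldapsearch -LLL -x -D "$BIND_DN" -w "$BIND_PW" -b "$BASE_DN" \
        -H "$HOST" "$(build_mail_filter "$1")" extensionAttribute15)"
}
```

Whatever the subjectAltName in the certificate contains, the filter sent to the global catalog stays a single mail= comparison, and an empty or missing attribute yields an empty username rather than a stray ntlm_auth call.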

-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+phil.lowes=nhs.net at lists.freeradius.org> On Behalf Of Marco Gaiarin
Sent: Friday, February 2, 2024 12:29 PM
To: LOWES, Phil (LEICESTERSHIRE PARTNERSHIP NHS TRUST) via Freeradius-Users <freeradius-users at lists.freeradius.org>
Cc: freeradius-users at lists.freeradius.org
Subject: Re: FreeRadius EAP-TLS Auth using Email Address


Hi! "LOWES,  Phil \(LEICESTERSHIRE PARTNERSHIP NHS TRUST\) via Freeradius-Users"
  wrote on that day...

> How can I change FreeRadius to authenticate using the email address instead of the username?

I think it is more a matter of winbind than FreeRADIUS.

Is winbind able to authenticate using email? Typically, the email is also the UPN?

--
  We certainly would not want to have the same kind of democracy as they
  have in Iraq          (President Vladimir Putin, responding to U.S.
                         President George W. Bush's suggestion that Russia
                         should be more democratic, taken from NewsWeek)


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





More information about the Freeradius-Users mailing list