FreeRadius EAP-TLS Auth using Email Address
Matthew Newton
mcn at freeradius.org
Mon Feb 5 16:29:27 UTC 2024
On 05/02/2024 15:53, LOWES, Phil (LEICESTERSHIRE PARTNERSHIP NHS TRUST) via Freeradius-Users wrote:
> Our email addresses are different from our UPNs, which is why we need to convert the email supplied
OK.
> in the EAP-TLS client cert.
I suspect you mean in the RADIUS request? If you're using EAP-TLS with a
client cert then you very likely won't also be using ntlm_auth.
> This is what I found to convert the supplied email address into a usable AD username:
Ouch, OK.
> The site I found then suggested inside the mschap-module to call the bash-script instead of calling directly ntlm_auth:
More awful advice on the Internet :(
> ntlm_auth = "/usr/bin/mail_to_username %{mschap:User-Name:-None} %{%{mschap:NT-Domain}:-EXAMPLE} %{mschap:Challenge:-00} %{mschap:NT-Response:-00}"
> Can Freeradius perform the LDAP search natively within the module and return the username for the ntlm_auth command?
Yes, you can do all of this directly from within FreeRADIUS.
Configure the LDAP module (raddb/mods-enabled/ldap) - you will see in
there the "update" section (not the same as unlang's update) where you
can map LDAP attributes to RADIUS attributes.
So you will want something like
update {
    request:Tmp-String-1 := 'extensionAttribute15'
}
then assuming a good LDAP search the &Tmp-String-1 attribute will
contain the value of the 'extensionAttribute15' LDAP attribute - which
you can use in e.g. the ntlm_auth command, or preferably with the direct
winbind configuration in mschap.
You will need to use the filters etc in the ldap module configuration to
look up the correct entry. If you need to modify the attributes used in
the lookup then use regular expressions or similar in unlang to
transform the data before calling the ldap module.
--
Matthew
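The configuration below puts Matthew's advice together in one place, as an added example; it is not Matthew's configuration nor the FreeRADIUS project's stock files. The mapping of 'extensionAttribute15' into &Tmp-String-1 and the use of the e-mail address as the lookup key come from the thread; the server name, bind DN, base DN, the objectClass in the filter, the regular expression and the AD attribute name (extensionAttribute15) are assumptions. Syntax is FreeRADIUS 3.x unlang and module configuration.

```unlang
# --- raddb/mods-enabled/ldap (excerpt; hostnames and DNs are assumed) ---
ldap {
    server   = 'ldap.example.org'                # assumed directory host
    identity = 'cn=radius,dc=example,dc=org'     # assumed bind DN
    password = 'REPLACE-WITH-BIND-PASSWORD'      # placeholder
    base_dn  = 'dc=example,dc=org'

    # Map the AD attribute that holds the usable account name onto a
    # RADIUS attribute; it is populated only after a successful lookup.
    update {
        request:Tmp-String-1 := 'extensionAttribute15'
    }

    user {
        base_dn = "${..base_dn}"
        # Look the entry up by the e-mail address the client presented.
        # rlm_ldap escapes values it expands inside the filter, so a
        # User-Name containing filter metacharacters cannot widen it.
        filter = "(&(objectClass=user)(mail=%{User-Name}))"
    }
}

# --- raddb/sites-enabled/default, authorize section (excerpt) ---
authorize {
    # Validate the shape of the identity before touching the directory;
    # any other transformation (e.g. stripping a domain) goes here too.
    if (&User-Name !~ /^[^@]+@[^@]+$/) {
        reject
    }

    ldap
    if (notfound || noop) {
        # No directory entry for that address: do not fall through to
        # an authentication with an empty or default username.
        reject
    }
}

# --- raddb/mods-enabled/mschap (excerpt) ---
mschap {
    # Preferred: talk to winbind directly using the mapped username.
    # Requires mschap to be built with libwbclient support.
    winbind_username = "%{Tmp-String-1}"
    winbind_domain   = "%{mschap:NT-Domain}"

    # Alternative if you must shell out: same mapped username, no
    # wrapper script needed. --domain and --request-nt-key are
    # standard ntlm_auth options.
    # ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Tmp-String-1}:-None} --domain=%{%{mschap:NT-Domain}:-EXAMPLE} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

The ldap module must run in authorize before mschap authenticates, otherwise &Tmp-String-1 is empty and the `:-None` default (or an empty winbind username) is what gets sent to the domain controller; the explicit reject on notfound makes that failure visible in the debug output (radiusd -X) rather than silent.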