FreeRadius EAP-TLS Auth using Email Address

Matthew Newton mcn at
Mon Feb 5 16:29:27 UTC 2024

via Freeradius-Users wrote:
> Our email addresses are different from our UPNs, which is why we need to convert the email supplied
> in the EAP-TLS client cert.

I suspect you mean in the RADIUS request? If you're using EAP-TLS with a 
client cert then you very likely won't also be using ntlm_auth.

> This is what I found to convert the supplied email address into a usable AD username:

Ouch, OK.

> The site I found then suggested inside the mschap-module to call the bash-script instead of calling directly ntlm_auth:

More awful advice on the Internet :(

>          ntlm_auth = "/usr/bin/mail_to_username %{mschap:User-Name:-None} %{%{mschap:NT-Domain}:-EXAMPLE} %{mschap:Challenge:-00} %{mschap:NT-Response:-00}"
> Can Freeradius perform the LDAP search natively within the module and return the username for the ntlm_auth command?

Yes, you can do all of this directly from within FreeRADIUS.

Configure the LDAP module (raddb/mods-enabled/ldap) - you will see in 
there the "update" section (not the same as unlang's update) where you 
can map LDAP attributes to RADIUS attributes.

So you will want something like

update {
   request:Tmp-String-1 := 'extensionAttribute15'
}

then assuming a good LDAP search the &Tmp-String-1 attribute will 
contain the value of the 'extensionAttribute15' LDAP attribute - which 
you can use in e.g. the ntlm_auth command, or preferably with the direct 
winbind configuration in mschap.

You will need to use the filters etc in the ldap module configuration to 
look up the correct entry. If you need to modify the attributes used in 
the lookup then use regular expressions or similar in unlang to 
transform the data before calling the ldap module.
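As an added, constructed example (not part of Matthew's reply and not stock FreeRADIUS configuration), this is how the pieces described in the reply fit together in a FreeRADIUS 3.x setup for the PEAP/MSCHAPv2 case, where the client supplies an e-mail address as its identity and AD needs the account name instead. The LDAP server, bind identity, base DN, the `mail` attribute used for the lookup, and `extensionAttribute15` as the attribute holding the account name are all assumptions for your own site.

```unlang
# raddb/mods-enabled/ldap (excerpt) - server, credentials and DNs are ASSUMED
ldap {
    server   = 'ldaps://dc.example.com'
    identity = 'CN=radius-svc,OU=Service Accounts,DC=example,DC=com'
    password = 'change-me'
    base_dn  = 'DC=example,DC=com'

    # The module's own "update" section (not unlang's): map attributes of
    # the matched LDAP entry onto RADIUS attributes in the request.
    update {
        # Account name that winbind/ntlm_auth should authenticate.
        # Assumption: the site stores it in extensionAttribute15.
        request:Tmp-String-1 := 'extensionAttribute15'
    }

    user {
        base_dn = "${..base_dn}"
        # Look the user up by e-mail address instead of the default uid /
        # sAMAccountName. Tmp-String-2 is the normalised identity set in
        # unlang below; rlm_ldap escapes xlat expansions inside filters, so
        # a crafted User-Name cannot change the structure of the filter.
        filter = "(&(objectClass=user)(mail=%{%{Tmp-String-2}:-%{User-Name}}))"
    }
}

# raddb/mods-enabled/mschap (excerpt): authenticate via winbind directly,
# using the looked-up account name rather than the identity the client sent.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes

    winbind_username = "%{Tmp-String-1}"
    winbind_domain   = "%{mschap:NT-Domain}"
}

# raddb/sites-enabled/inner-tunnel, authorize section (excerpt).
# Keep the other stock modules of the section; only the ordering of the
# lines below matters: ldap must run before mschap.
authorize {
    # Only run the LDAP search for identities that look like an e-mail
    # address; anything else cannot match the (mail=...) filter anyway.
    if (&User-Name !~ /^[^@[:space:]]+@[^@[:space:]]+$/) {
        reject
    }

    # Transform the supplied identity before the lookup (here: lower-case it).
    update request {
        &Tmp-String-2 := "%{tolower:%{User-Name}}"
    }

    ldap
    if (notfound) {
        # No AD entry with that e-mail address: fail closed instead of
        # letting mschap run with an empty winbind_username.
        reject
    }

    mschap
}
```

Check it with `radiusd -X`: after the `ldap` call you should see `Tmp-String-1` being added to the request with the value from the directory, and the subsequent `mschap` call should report the winbind authentication for that account name rather than for the e-mail address the client sent. The `winbind_username` / `winbind_domain` options require a FreeRADIUS 3.0.x build with winbind support; on older builds, the same `%{Tmp-String-1}` expansion can be used in the `ntlm_auth` command line instead.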

