FreeRadius EAP-TLS Auth using Email Address

[Alan DeKok]

On Jan 31, 2024, at 6:57 AM, LOWES, Phil (LEICESTERSHIRE PARTNERSHIP NHS TRUST) via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> We have a requirement to authenticate devices to WIFI using the user's email address stored in AD. The devices are enrolled into InTune and the only shared piece of information is the email address.
> 
> How can I change FreeRadius to authenticate using the email address instead of the username?

  That question is a bit confused.

  The server gets a User-Name attribute in an Access-Request.  That User-Name contains some value.  FreeRADIUS typically looks that value up in a database, and then gets a password back from that.

  FreeRADIUS then uses the password to authenticate the user.

> Do I need to perform some form of LDAPSearch using the email address to get the username?

   Perhaps.  Or, you maybe you can modify the LDAP queries to find an account where the email address in the DB matches the User-Name.

  i.e. break the problem into discrete bits of information, and then connect them together.  Run small tests to verify what you can do.

  Can you look up the email address in LDAP, and get a user ID?  Or can you use the email address to get a matching password?

> Will this work with EAP authentication using SSL certs? The SSL certs are created OnPrem and use the email address.

  If you're using EAP-TLS, then it doesn't use or check passwords.

  Alan DeKok.