Freeradius EAP-TLS and LDAP

Alan DeKok aland at deployingradius.com
Thu Sep 5 22:56:27 UTC 2024


On Aug 29, 2024, at 11:08 AM, Lennart Johansson <Lennart.Johansson at b-iq.se> wrote:
> 
> my first question here, so bear with me
> The solution is perhaps simple, but I can't seem to figure it out
> I want to set up vpn authentication for users using Freeradius as Radius
> backend in vpn server
> User certificates are created using an eDirectory server that also is CA
> and ldap server

   That should be fine.  The general advice is to test each piece individually, and then combine the pieces later.  If you try to debug 3-4 things at the same time, it's a lot more difficult.

> What do I have to do to configure Freeradius' role in this, if I search
> for solutions online, most is related to AD and MS NPS.
> My understanding is that EAP-TLS requires that the vpn server pass the
> certificate request to Freeradius and Freeradius is verifying the
> certificate and replies with an accept or deny.

  No, the VPN server is passing the entire TLS session to FreeRADIUS.  See the debug output, there's a *lot* more TLS data being exchanged than just the certificate.

> But what is needed for Freeradius to verify the certificate, is it only
> the CA certificate to verify that the certificate is issued by that
> CA or is it possible for Freeradius to pick the subject or SAN like
> email address and do a lookup in LDAP to get a specific group or attribute
> back and based on that respond with accept or deny?

  Normally EAP-TLS just verifies that the client cert is from a known CA, and that's fine.

  You can also do additional LDAP checks, but I don't see why.  If you don't want the client certificate to be used any more, then revoke it.  If you want to check that the client certificate has the "right" fields, then just create it with the right fields.

  Alan DeKok.
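The configuration below is an added illustration of the two approaches discussed in this thread; it is not part of the original mail and not the FreeRADIUS project's shipped configuration. It assumes the FreeRADIUS 3.x file layout (raddb/mods-available/eap, raddb/sites-enabled), the standard ${certdir}/${cadir} variables defined at the top of the eap module file, a CA certificate file and CRL named edirectory-ca.pem placed in the CA directory, and an LDAP group DN cn=vpn-users,ou=groups,o=example, all of which are placeholders to adapt. The first block is the baseline Alan recommends: trust the eDirectory CA and rely on revocation (CRL) to cut off a certificate. The second block is the optional extra check the question asks about, wired in through the tls-config's virtual_server hook so that a certificate that fails the LDAP group test is rejected during the TLS handshake.

```unlang
# raddb/mods-available/eap  (assumed 3.x layout; paths are placeholders)
eap {
    default_eap_type = tls

    tls-config tls-common {
        # Identity the RADIUS server presents to the VPN client's TLS handshake
        private_key_file = ${certdir}/radius-server.key
        certificate_file = ${certdir}/radius-server.pem

        # The eDirectory CA that issued the user certificates. A client
        # certificate that does not chain to this CA fails the handshake;
        # this alone is the "normal" EAP-TLS check described above.
        ca_file = ${cadir}/edirectory-ca.pem

        # Revocation instead of LDAP lookups: the CA's CRL lives in ca_path
        # under its OpenSSL hash-style name (c_rehash), and is checked per handshake.
        ca_path   = ${cadir}
        check_crl = yes

        tls_min_version = "1.2"

        # Optional: evaluate the client certificate's fields in a virtual
        # server before the handshake completes (block below).
        virtual_server = check-eap-tls
    }

    tls {
        tls = tls-common
    }
}

# raddb/sites-enabled/check-eap-tls  (optional; assumed group DN and LDAP mapping)
server check-eap-tls {
    authorize {
        # While the certificate is being verified, FreeRADIUS puts its fields
        # into the request, e.g. TLS-Client-Cert-Common-Name and
        # TLS-Client-Cert-Subject-Alt-Name-Email. Require the SAN email.
        if (!&TLS-Client-Cert-Subject-Alt-Name-Email) {
            reject
        }

        # Use the SAN email as the LDAP lookup key. This assumes the ldap
        # module's user filter matches on the mail attribute rather than uid.
        update request {
            &User-Name := "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
        }
        ldap

        # Group DN is a placeholder and must match the ldap module's group settings.
        if (!(&Ldap-Group == "cn=vpn-users,ou=groups,o=example")) {
            reject
        }
        ok
    }
}
```

With only the first block, authorization is entirely "was this certificate issued by our CA and not revoked", which is the position taken in the reply above; the second block adds a dependency on LDAP availability and on the certificate carrying a SAN email, so it is worth enabling only when group membership genuinely changes more often than certificates are issued or revoked. Run `radiusd -X` and watch the check-eap-tls section's output to confirm which branch a given certificate takes.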
