Help with advanced FreeRADIUS + MySQL setup using EAP-TLS
Matthew Newton
mcn at freeradius.org
Sat Jul 5 23:19:35 UTC 2025
On 04/07/2025 07:05, Ariel García Reyes wrote:
> Currently, *EAP-TLS authentication is working* — if a user has a valid
> certificate, they can connect successfully.
OK that's good.
> However, I want to ensure that *three specific conditions* are met before
> granting access:
>
> 1. ✅ *The EAP-TLS certificate must be valid.*
> 2. ✅ *The user must exist in the database and be marked as active.*
> 3. ✅ *The device requesting access (by MAC address) must be registered and
> associated with that user.*
>
> A user may have multiple devices, but *all three conditions* must be
> satisfied to allow access.
>
> Could anyone guide me on how to implement this kind of validation in
> FreeRADIUS using MySQL?
You'll need to put something together as this isn't covered by the
default config, but it shouldn't be too hard.
The 'user' with EAP-TLS is probably going to come from the client
certificate, rather than the RADIUS User-Name attribute.
Easiest way is likely to configure the check-eap-tls virtual server
which will get the certificate information. In there you can make calls
to SQL to check the specifics that you want and then accept or reject
based on those.
Either call the 'sql' module, or more likely due to your use case just
use sql xlats to do the checks that you need. One SQL query should be
able to cover both the latter two conditions (using the relevant TLS
client certificate attribute(s) and Calling-Station-Id attribute), and
validation of the certificate will happen automatically anyway.
--
Matthew
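One way to put the reply's suggestion into a config, as an added example that is not part of the thread or of the FreeRADIUS project's own files. It assumes FreeRADIUS v3, that the client certificate's CN carries the username, that the sql module is instantiated as `sql`, and two hypothetical tables, `users(username, active)` and `devices(username, mac)`, with MACs stored lower-case and hyphen-separated.

```unlang
#  Added example (not from the thread or the FreeRADIUS distribution).
#  Enable it with   eap { tls { virtual_server = check-eap-tls } }
#  Table and column names below are assumptions, not a real schema.
server check-eap-tls {
	authorize {
		#  Condition 1 (certificate validity) is already enforced by the
		#  TLS handshake: this server only runs for a verified certificate.

		#  Normalise the MAC to "aa-bb-cc-dd-ee-ff" so it matches the
		#  stored form; this policy ships in policy.d/canonicalization.
		rewrite_calling_station_id

		#  Conditions 2 and 3 in one query: the user named by the
		#  certificate CN exists and is active, and the calling device
		#  is registered to that user. The sql xlat escapes the expanded
		#  attribute values before they reach the query.
		if ("%{sql:SELECT COUNT(*) FROM users u JOIN devices d ON d.username = u.username WHERE u.username = '%{TLS-Client-Cert-Common-Name}' AND u.active = 1 AND d.mac = '%{Calling-Station-Id}'}" == "0") {
			reject
		}

		#  Anything other than ok/updated from this server makes the
		#  TLS module reject the session, so only accept on a match.
		update config {
			&Auth-Type := Accept
		}
	}
}
```

Test with `radiusd -X` and a client whose MAC is deliberately absent from `devices`: the debug output should show the xlat returning `0` followed by the reject.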