Help with advanced FreeRADIUS + MySQL setup using EAP-TLS

Matthew Newton mcn at freeradius.org
Sat Jul 5 23:19:35 UTC 2025



On 04/07/2025 07:05, Ariel García Reyes wrote:
> Currently, *EAP-TLS authentication is working* — if a user has a valid
> certificate, they can connect successfully.

OK that's good.

> However, I want to ensure that *three specific conditions* are met before
> granting access:
> 
>     1.
>     ✅ *The EAP-TLS certificate must be valid.*
>     2.
>     ✅ *The user must exist in the database and be marked as active.*
>     3.
>     ✅ *The device requesting access (by MAC address) must be registered and
>     associated with that user.*
> 
> A user may have multiple devices, but *all three conditions* must be
> satisfied to allow access.
> 
> Could anyone guide me on how to implement this kind of validation in
> FreeRADIUS using MySQL?

You'll need to put something together as this isn't covered by the 
default config, but it shouldn't be too hard.

The 'user' with EAP-TLS is probably going to come from the client 
certificate, rather than the RADIUS User-Name attribute.

Easiest way is likely to configure the check-eap-tls virtual server 
which will get the certificate information. In there you can make calls 
to SQL to check the specifics that you want and then accept or reject 
based on those.

Either call the 'sql' module, or more likely due to your use case just 
use sql xlats to do the checks that you need. One SQL query should be 
able to cover both the latter two conditions (using the relevant TLS 
client certificate attribute(s) and Calling-Station-Id attribute), and 
validation of the certificate will happen automatically anyway.

-- 
Matthew
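An added example of the approach Matthew describes, written for FreeRADIUS 3.x; it is not from the list post and not part of the FreeRADIUS distribution. The table and column names (radusers, raddevices, active, mac, user_id) are assumed, and it assumes the outer request's attributes (including Calling-Station-Id) are visible in the check-eap-tls virtual server alongside the TLS-Client-Cert-* attributes, and that mods-enabled/sql is configured against the MySQL database.

```unlang
#  sites-enabled/check-eap-tls  (added example; schema and table names are assumptions)
#
#  Enable it by setting, in the tls-config section of mods-enabled/eap:
#      virtual_server = check-eap-tls
#
#  Assumed MySQL schema:
#      radusers   (id INT PRIMARY KEY, username VARCHAR(64) UNIQUE, active TINYINT(1))
#      raddevices (id INT PRIMARY KEY, user_id INT REFERENCES radusers(id),
#                  mac CHAR(17) UNIQUE)   -- stored as aa-bb-cc-dd-ee-ff

server check-eap-tls {
	authorize {
		#  Condition 1 (chain, validity period, CRL/OCSP if configured)
		#  is enforced by the eap module before this server is called.
		#  The certificate fields arrive as TLS-Client-Cert-* attributes.

		#  The identity is the certificate CN, not User-Name.
		if (!&TLS-Client-Cert-Common-Name) {
			reject
		}

		#  NAS equipment sends MACs as AA-BB-CC-DD-EE-FF, aa:bb:cc:dd:ee:ff,
		#  aabb.ccdd.eeff, ...  This stock policy (policy.d/canonicalization)
		#  rewrites Calling-Station-Id to lowercase, hyphen separated, so
		#  raddevices.mac must be stored in that same form.
		rewrite_calling_station_id

		if (!&Calling-Station-Id) {
			reject
		}

		#  Conditions 2 and 3 in one query: the user named by the CN exists
		#  and is active, and the calling MAC is registered to that user.
		#  %{sql:...} yields the first column of the first row, so this is
		#  "1" on a match and "" on no match or on a database error, which
		#  makes the check fail closed.  rlm_sql escapes the expanded
		#  attribute values (per its safe_characters setting) before the
		#  query is sent, so a CN with characters outside that set will
		#  only match if stored in the same escaped form.
		if ("%{sql:SELECT 1 FROM radusers u JOIN raddevices d ON d.user_id = u.id WHERE u.username = '%{TLS-Client-Cert-Common-Name}' AND u.active = 1 AND d.mac = '%{Calling-Station-Id}' LIMIT 1}" != "1") {
			reject
		}

		#  All three conditions hold: accept the client certificate.
		update control {
			&Auth-Type := Accept
		}
	}
}
```

Test it with `radiusd -X` and a client presenting a valid certificate whose CN is either absent from radusers, marked inactive, or paired with an unregistered MAC; each case should show the query expansion in the debug output followed by a reject in the check-eap-tls server and a TLS alert to the supplicant. If the CN is not the right identifier for your PKI, substitute another TLS-Client-Cert-* attribute (for example the serial or a subjectAltName) in both the query and the presence check.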
