Help with advanced FreeRADIUS + MySQL setup using EAP-TLS

Ariel Garcia Reyes ariel100cfg at gmail.com
Sun Jul 6 20:25:28 UTC 2025 

On 7/5/2025 7:19 PM, Matthew Newton via Freeradius-Users wrote:
>
>
> On 04/07/2025 07:05, Ariel García Reyes wrote:
>> Currently, *EAP-TLS authentication is working* — if a user has a valid
>> certificate, they can connect successfully.
>
> OK that's good.
>
>> However, I want to ensure that *three specific conditions* are met 
>> before
>> granting access:
>>
>>     1.
>>     ✅ *The EAP-TLS certificate must be valid.*
>>     2.
>>     ✅ *The user must exist in the database and be marked as active.*
>>     3.
>>     ✅ *The device requesting access (by MAC address) must be 
>> registered and
>>     associated with that user.*
>>
>> A user may have multiple devices, but *all three conditions* must be
>> satisfied to allow access.
>>
>> Could anyone guide me on how to implement this kind of validation in
>> FreeRADIUS using MySQL?
>
> You'll need to put something together as this isn't covered by the 
> default config, but it shouldn't be too hard.
>
> The 'user' with EAP-TLS is probably going to come from the client 
> certificate, rather than the RADIUS User-Name attribute.
>
> Easiest way is likely to configure the check-eap-tls virtual server 
> which will get the certificate information. In there you can make 
> calls to SQL to check the specifics that you want and then accept or 
> reject based on those.
>
> Either call the 'sql' module, or more likely due to your use case just 
> use sql xlats to do the checks that you need. One SQL query should be 
> able to cover both the latter two conditions (using the relevant TLS 
> client certificate attribute(s) and Calling-Station-Id attribute), and 
> validation of the certificate will happen automatically anyway.
>
Okay, thanks for the explanation.

I'm not very good at configuring FreeRadius.

Is there a manual or guide that can help me understand how it works?

What are the default modules or what can I do with them?

How do I create functions, how do I pass parameters to them, and how do 
I get or return results?

More information about the Freeradius-Users mailing list