Help with advanced FreeRADIUS + MySQL setup using EAP-TLS
Ariel Garcia Reyes
ariel100cfg at gmail.com
Sun Jul 6 20:25:28 UTC 2025
On 7/5/2025 7:19 PM, Matthew Newton via Freeradius-Users wrote:
>
>
> On 04/07/2025 07:05, Ariel García Reyes wrote:
>> Currently, *EAP-TLS authentication is working* — if a user has a valid
>> certificate, they can connect successfully.
>
> OK that's good.
>
>> However, I want to ensure that *three specific conditions* are met before
>> granting access:
>>
>> 1. ✅ *The EAP-TLS certificate must be valid.*
>> 2. ✅ *The user must exist in the database and be marked as active.*
>> 3. ✅ *The device requesting access (by MAC address) must be registered and
>>    associated with that user.*
>>
>> A user may have multiple devices, but *all three conditions* must be
>> satisfied to allow access.
>>
>> Could anyone guide me on how to implement this kind of validation in
>> FreeRADIUS using MySQL?
>
> You'll need to put something together as this isn't covered by the
> default config, but it shouldn't be too hard.
>
> The 'user' with EAP-TLS is probably going to come from the client
> certificate, rather than the RADIUS User-Name attribute.
>
> Easiest way is likely to configure the check-eap-tls virtual server
> which will get the certificate information. In there you can make
> calls to SQL to check the specifics that you want and then accept or
> reject based on those.
>
> Either call the 'sql' module, or more likely due to your use case just
> use sql xlats to do the checks that you need. One SQL query should be
> able to cover both the latter two conditions (using the relevant TLS
> client certificate attribute(s) and Calling-Station-Id attribute), and
> validation of the certificate will happen automatically anyway.
>
Okay, thanks for the explanation.
I'm not very good at configuring FreeRADIUS.
Is there a manual or guide that can help me understand how it works?
What are the default modules or what can I do with them?
How do I create functions, how do I pass parameters to them, and how do
I get or return results?
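
Added example, not part of the thread and not FreeRADIUS's own configuration: the single query described in the quoted reply for conditions 2 and 3, run here against SQLite in place of MySQL so it is self-contained. The table and column names, the sample rows, and the use of the certificate common name as the user key are assumptions; in FreeRADIUS the two inputs would come from the TLS client certificate attribute and Calling-Station-Id.

```python
import re
import sqlite3

# Hypothetical schema (not from the thread): users carry an 'active' flag,
# devices map a normalized MAC address to the owning user.
SCHEMA = """
CREATE TABLE users   (id INTEGER PRIMARY KEY, cert_cn TEXT UNIQUE NOT NULL, active INTEGER NOT NULL);
CREATE TABLE devices (mac TEXT PRIMARY KEY, user_id INTEGER NOT NULL REFERENCES users(id));
"""

# One query for conditions 2 and 3: active user AND MAC registered to that user.
CHECK = """
SELECT COUNT(*) FROM users u
JOIN devices d ON d.user_id = u.id
WHERE u.cert_cn = ? AND u.active = 1 AND d.mac = ?
"""

def normalize_mac(calling_station_id):
    """Reduce any common MAC notation to 12 lowercase hex digits, or None."""
    digits = re.sub(r"[-:.\s]", "", calling_station_id or "").lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def is_authorized(db, cert_cn, calling_station_id):
    """True only if the certificate's user is active and owns this device."""
    mac = normalize_mac(calling_station_id)
    if not cert_cn or mac is None:
        return False  # fail closed on missing or malformed attributes
    (count,) = db.execute(CHECK, (cert_cn, mac)).fetchone()
    return count == 1

def build_sample_db():
    """Constructed sample data for the demonstration."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", 1), (2, "bob", 0), (3, "carol", 1)])
    db.executemany("INSERT INTO devices VALUES (?, ?)",
                   [("001122334455", 1), ("0011223344aa", 1),
                    ("66778899aabb", 2), ("ccddeeff0011", 3)])
    return db

if __name__ == "__main__":
    db = build_sample_db()
    for cn, mac in [("alice", "00-11-22-33-44-55"), ("alice", "CC:DD:EE:FF:00:11"),
                    ("bob", "66:77:88:99:aa:bb"), ("carol", "not-a-mac")]:
        print(cn, mac, "->", "accept" if is_authorized(db, cn, mac) else "reject")
```

Access points report Calling-Station-Id in differing notations, so the stored MAC and the looked-up MAC have to be normalized the same way or a registered device will be rejected.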