On 13/06/2018 17.46, Christian Meutes wrote:

> I'm currently in the process of evaluating Radiator for our Wifi environment. We are using EAP-TLS and want to use an additional check beside the standard certificate validation to grant users access. This check should be based on the value of the "CN=" attribute provided by the user certificate. It should be looked up in LDAP/AD so that we can also validate that the user also exists there.

Start with goodies/eap_tls.cfg. This configuration sample uses AuthBy FILE which you need to change to AuthBy LDAP2.

You can get started by first enabling NoCheckId in this configuration file. This skips additional check from the users file.

Then configure the EAP related parameters so that EAP-TLS works. When it does, change AuthBy FILE to AuthBy LDAP2, comment out NoCheckId and replace the AuthBy FILE specific Filename configuration parameter with AuthBy LDAP2 configuration parameters. See goodies/ldap.cfg for an LDAP configuration sample.

> Any hint on how a configuration in combination with EAP-TLS could look and how to make use of that attribute inside the LDAP query would be highly appreciated.

When you have done the above changes, try authenticating again with EAP-TLS. The log file should show how Radiator connects to LDAP, what kind of search it does and what it gets back from the LDAP server.

Please let us know how it goes,
Heikki

--
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
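For readers following the steps above, here is a constructed configuration fragment showing the end state (AuthBy FILE replaced by AuthBy LDAP2, NoCheckId commented out). It is an added example and not the goodies/eap_tls.cfg or goodies/ldap.cfg shipped with Radiator, nor Heikki's own configuration. Hostnames, DNs, file paths and secrets are placeholders, and it assumes the EAP identity (User-Name) sent by the supplicant is the certificate CN, so that searching the directory on the cn attribute looks up the same value the certificate carries.

```conf
# Constructed example, not the goodies/eap_tls.cfg shipped with Radiator.
# All hostnames, DNs, paths and secrets below are placeholders.
Foreground
LogStdout
LogDir          /var/log/radiator
DbDir           /etc/radiator
# Trace 4 shows the LDAP connect, the search filter and the returned entry
# while you are verifying the setup; lower it once it works.
Trace           4

<Client DEFAULT>
        Secret  CHANGE_ME_SHARED_SECRET
</Client>

<Handler>
        # Step 1 in the reply: with AuthBy FILE, NoCheckId lets EAP-TLS
        # succeed on the certificate alone so the TLS side can be debugged.
        # Step 2: switch to AuthBy LDAP2 and leave NoCheckId commented out,
        # so the user must also exist in the directory.
        #NoCheckId

        <AuthBy LDAP2>
                Host            ldap.example.com
                Port            389
                UseTLS
                AuthDN          cn=radiator,ou=service,dc=example,dc=com
                AuthPassword    CHANGE_ME_BIND_PASSWORD
                BaseDN          ou=people,dc=example,dc=com
                # The directory lookup is done on the cn attribute; the value
                # searched for is the EAP identity (User-Name) of the session.
                UsernameAttr    cn

                # EAP-TLS: the client certificate is the credential, so no
                # PasswordAttr is configured here.
                EAPType                 TLS
                EAPTLS_CAFile           %D/certificates/ca.pem
                EAPTLS_CertificateFile  %D/certificates/server.pem
                EAPTLS_CertificateType  PEM
                EAPTLS_PrivateKeyFile   %D/certificates/server-key.pem
                EAPTLS_PrivateKeyPassword CHANGE_ME_KEY_PASSWORD
                EAPTLS_MaxFragmentSize  1024
                # Revocation checking against the CA's CRL is part of the
                # "standard certificate validation"; enable it in production.
                #EAPTLS_CRLCheck
                #EAPTLS_CRLFile         %D/certificates/crl.pem
        </AuthBy>
</Handler>
```

With Trace 4 the Radiator log shows the bind to ldap.example.com, the search under the BaseDN for the cn value taken from the EAP identity, and the entry returned (or "No such user" when the directory has no match), which is exactly what the reply suggests checking. Do not quote the bind password into a world-readable config; the file holding AuthPassword and the server key password should be readable only by the Radiator service account.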
_______________________________________________
radiator mailing list
[email protected]
http://lists.open.com.au/mailman/listinfo/radiator
