Netgate Discussion Forum

    RADIUS: EAP-TLS with LDAP Authorization?

    General pfSense Questions
      millnet-maho

      I've set up FreeRADIUS with the plan that everyone will use EAP-TLS to authenticate with client certificates, which works fine. But I've also experimented with LDAP — configured an LDAP server and turned on Authorization. The question is whether I should expect this to do anything.

      Naturally, "Validate the Client Certificate Common Name" has to be checked on the EAP tab, or the user could simply enter any username at all, but as long as it is, even if the primary way of de-authorizing a user authenticated by client certificate is revoking the certificate, there are reasons for looking up the user in LDAP: The same user could use the same certificate to authenticate to multiple services, but not be authorized to use all of them. And isn't the idea that you can pull a RADIUS profile from LDAP that you'd otherwise enter manually on the Users tab, even if LDAP isn't used for authentication?

      However, although access is denied if FreeRADIUS fails to connect to the LDAP server, the search result seems not to matter at all; whether or not I enable the misc. configuration to set an Access Attribute, access is granted even if the username is invalid. Is this a bug (either in the configuration generated by pfSense or in FreeRADIUS) or is it not supposed to work?

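The behaviour described in the post (LDAP lookup runs, the user is not found, access is still granted) is what the stock FreeRADIUS 3.x `authorize` section does with a bare `ldap` call, because rlm_ldap's `notfound` return code has a low priority in that section and is outranked by the codes the other modules return. The snippet below is an added example, not text from the post and not pfSense's generated configuration or a file from the FreeRADIUS project; it shows the weak form beside one that makes "no LDAP entry" an explicit reject. It assumes FreeRADIUS 3.x unlang, an rlm_ldap instance named `ldap`, and an `eap` call with `ok = return` as in the stock `sites-available/default`. pfSense regenerates its FreeRADIUS files from the GUI, so this is meant for comparing against what the package generates (or for a hand-managed FreeRADIUS), not for pasting into a pfSense-managed file.

```unlang
#  Added example (not from the post, pfSense, or the FreeRADIUS project).
#  Assumes FreeRADIUS 3.x with an rlm_ldap instance named "ldap".

authorize {
    preprocess
    filter_username

    # EAP-TLS takes several round trips. For packets in the middle of the
    # TLS handshake the eap module returns "ok" and we stop here; for the
    # first packet (EAP-Response/Identity) it returns "updated" and falls
    # through, so LDAP is consulted once, with User-Name set to the identity
    # the supplicant sent. That identity is what check_cert_cn later
    # compares against the certificate CN.
    eap {
        ok = return
    }

    # --- Weak form (what the post observes) ---------------------------------
    # rlm_ldap returns "notfound" when no entry matches the user search.
    # In authorize the default action for "notfound" is priority 1, while
    # eap's "updated" above is priority 4, so "notfound" never becomes the
    # section's result: the request continues to authenticate and an unknown
    # username with a valid client certificate is accepted.
    #
    #    ldap
    #
    # --- Hardened form --------------------------------------------------------
    # Override the action for "notfound" so an absent entry rejects the
    # request. The other codes keep their stock meaning: "ok" / "updated"
    # when the entry (and any RADIUS attributes in it) was read, and
    # "userlock" when access_attr is configured and the entry disables
    # the user.
    ldap {
        notfound = reject
    }

    expiration
    logintime
}
```

With the override in place, an identity that has no LDAP entry is rejected on the first EAP round trip, before the TLS handshake starts. Revocation still handles the "this certificate must stop working everywhere" case; the LDAP lookup is what lets one certificate be accepted by some RADIUS services and not others.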
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.