RADIUS: EAP-TLS with LDAP Authorization?
I've set up FreeRADIUS with the plan that everyone will use EAP-TLS to authenticate with client certificates, which works fine. But I've also experimented with LDAP — configured an LDAP server and turned on Authorization. The question is whether I should expect this to do anything.
Naturally, "Validate the Client Certificate Common Name" has to be checked on the EAP tab, or the user could simply enter any username at all. But as long as it is, even if the primary way of de-authorizing a user authenticated by client certificate is revoking the certificate, there are reasons for looking up the user in LDAP: the same user could use the same certificate to authenticate to multiple services but not be authorized to use all of them. And isn't the idea that you can pull a RADIUS profile from LDAP that you'd otherwise enter manually on the Users tab, even if LDAP isn't used for authentication?
However, although access is denied if FreeRADIUS fails to connect to the LDAP server, the search result seems not to matter at all; whether or not I enable the misc. configuration to set an Access Attribute, access is granted even if the username is invalid. Is this a bug (either in the configuration generated by pfSense or in FreeRADIUS) or is it not supposed to work?
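For readers wanting to enforce the check the post describes (certificate authenticates, LDAP decides whether that identity is allowed on this service), here is an added FreeRADIUS 3.0.x example; it is not from the original post or the pfSense-generated configuration. It assumes the `virtual_server = check-eap-tls` option in the `tls-config` block of `mods-available/eap` is enabled, that the LDAP module instance is named `ldap`, and that the group name `wifi-users` is a constructed placeholder.

```conf
# Added example, not part of the original post or the pfSense package config.
# FreeRADIUS 3.0.x: tls-config in mods-available/eap has a "virtual_server"
# option that runs the named virtual server against the client certificate
# once the TLS handshake has presented it. Assumption: it is set like this:
#
#   tls-config tls-common {
#       ...
#       virtual_server = check-eap-tls
#   }

server check-eap-tls {
    authorize {
        # No certificate CN means there is nothing to authorize against.
        if (!&TLS-Client-Cert-Common-Name) {
            reject
        }

        # Look up the certificate CN, not the typed outer identity, so a
        # user cannot select someone else's LDAP profile by choosing a name.
        update request {
            &User-Name := "%{TLS-Client-Cert-Common-Name}"
        }

        # rlm_ldap authorize returns notfound when no entry matches the
        # configured user filter and fail when the directory is unreachable.
        # Both must deny; only a successful lookup may continue.
        ldap
        if (notfound || fail) {
            reject
        }

        # Optional per-service gate: the same certificate may be valid for
        # other services, but only this (constructed) group may use this one.
        if (!(&LDAP-Group == "wifi-users")) {
            reject
        }

        # Returning ok lets the TLS handshake complete; any reject above
        # fails the handshake and the client never receives Access-Accept.
        ok
    }
}
```

Run `radiusd -X` while a known-good and a known-bad certificate authenticate and confirm the `ldap` module is actually invoked in this server; in the stock `authorize` section of the default site, `eap { ok = return }` sits before `-ldap`, so a lookup placed there is never reached for EAP requests.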