(RADIATOR) EAP-TLS + LDAP

Tirpak Miklos mtirpak at sztaki.hu
Tue Oct 26 09:08:45 CDT 2004


Hello Hugh,

I am sending you the config file and the debug log, attached. The search filter in the LDAP query is uid=Miklos Tirpak, which is not
correct; it should be mail=mtirpak at sztaki.hu. I should do the following somehow:

1. Get the realm from the EAP request. For example, the user belongs to our domain if the issuer of the certificate was
NIIF CA.
2. If the realm is not ours, proxy the RADIUS request onward.
3. If the realm is ours, check whether the certificate is correct.
4. Look at the revocation list.
5. Search for the user in LDAP based on his e-mail address.
5a. If the user is in the database, pass the VLAN attributes back to the switch in a RADIUS Accept.
5b. If the user is not in the db, pass a default attribute to the switch in a RADIUS Accept (or the switch can use its own
default setting).

Is this the correct way of setting up EAP-TLS authentication with LDAP? How do others do it?

Thank you,
Miklos

On 10/23/04 01:24, Hugh Irvine wrote:
> 
> Hello Miklos -
> 
> Could you please send me a copy of your configuration file (no secrets)  
> and a complete trace 4 debug showing what is happening with what you  
> have so far? I would like to see the contents of the radius requests so  
> I can make suggestions.
> 
> regards
> 
> Hugh
> 
> 
> On 22 Oct 2004, at 18:54, Tirpak Miklos wrote:
> 
>> Hello!
>>
>> I would like to use EAP-TLS as dot1x authentication, and get the VLAN
>> name from LDAP after the successful authentication. The search
>> filter has to contain the e-mail address of the user instead of the
>> name, because the name is not unique in our database. The
>> search filter, for example, should be: uid=mtirpak at sztaki.hu
>>
>> The problem is that the RADIUS request does not contain the e-mail
>> address as an attribute; it contains only the user name: User-Name =
>> "Miklos Tirpak". The e-mail address is in the EAP message. Is there
>> any way to make the search filter based on the e-mail address? Like
>> %{some_attribute}, or with a script?
>>
>> The realm is also not included in the RADIUS attributes, so I have
>> to get it from the EAP message. This is the same problem as above.
>>
>> Thanks,
>> Miklos
>>
>> -- 
>> ---------------------------------------------------------------------------
>>   Miklos Tirpak
>>   Computer and Automation Research Institute   e-mail : mtirpak at sztaki.hu
>>   Hungarian Academy of Sciences                phone  : (361) 279-6011
>>   H-1132 Budapest, Victor Hugo u 18-22         fax    : (361) 279-6021
>>
> 
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> 


-- 
---------------------------------------------------------------------------
   Miklos Tirpak
   Computer and Automation Research Institute   e-mail : mtirpak at sztaki.hu
   Hungarian Academy of Sciences                phone  : (361) 279-6011
   H-1132 Budapest, Victor Hugo u 18-22         fax    : (361) 279-6021
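
The five steps listed in the message above, worked through as a stand-alone model in Python. This is an added example, not the poster's radius.cfg nor anything from Radiator itself; the CA name, realm, CRL entry, directory contents and default VLAN are all constructed for the illustration. It departs from the list in one respect a practitioner should keep in mind: only the server that terminates the TLS handshake ever sees the client certificate, so the proxy decision (steps 1 and 2) has to be taken on the outer EAP identity before the handshake, and a certificate from a foreign issuer that turns up at the local server is rejected rather than proxied. The accept carries the RFC 3580 tunnel attributes that switches read for dynamic VLAN assignment.

```python
from dataclasses import dataclass, field
from typing import Optional

# Everything below is constructed for the example; none of it comes from the
# poster's configuration file or debug log.
LOCAL_REALMS = {"sztaki.hu"}              # assumption: realms we authenticate ourselves
LOCAL_ISSUERS = {"CN=NIIF CA"}            # assumption: the CA whose certificates we accept
CRL = {("CN=NIIF CA", 0x2A)}              # constructed revocation list: (issuer, serial)
DIRECTORY = {                             # constructed stand-in for the LDAP search by mail
    "mtirpak@sztaki.hu": {"vlan": "staff"},
}
DEFAULT_VLAN = "guest"                    # assumption: VLAN for valid certs not in the directory


@dataclass(frozen=True)
class ClientCert:
    """Fields the TLS layer hands over once the EAP-TLS handshake has completed."""
    issuer: str
    subject_cn: str
    serial: int
    san_email: Optional[str] = None       # rfc822Name from subjectAltName, if present


@dataclass
class Decision:
    action: str                           # "accept", "reject" or "proxy"
    reason: str
    attributes: dict = field(default_factory=dict)


def route(user_name: str) -> str:
    """Steps 1 and 2, taken on the outer EAP identity before any TLS handshake.

    Only the server that terminates TLS sees the client certificate, so the
    proxy decision cannot wait for the issuer: it comes from the realm part of
    User-Name, and defaults to local when (as in the post) there is none.
    """
    if "@" not in user_name:
        return "local"
    realm = user_name.rpartition("@")[2].lower()
    return "local" if realm in LOCAL_REALMS else f"proxy:{realm}"


def vlan_attributes(vlan: str) -> dict:
    """RFC 3580 tunnel attributes a switch reads from Access-Accept for dynamic VLANs."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": vlan,
    }


def authorize(cert: ClientCert, chain_ok: bool) -> Decision:
    """Steps 3 to 5b, taken after the handshake; chain_ok is the TLS chain result."""
    # Step 3: the certificate must come from our CA and must have verified.
    if cert.issuer not in LOCAL_ISSUERS:
        return Decision("reject", f"issuer {cert.issuer!r} is not trusted for this realm")
    if not chain_ok:
        return Decision("reject", "certificate chain did not verify")
    # Step 4: revocation is keyed on (issuer, serial), never on the subject name.
    if (cert.issuer, cert.serial) in CRL:
        return Decision("reject", f"serial {cert.serial:#x} is on the CRL")
    # Step 5: the directory key is the mail address taken from the certificate,
    # not the unauthenticated User-Name, because the name is not unique.
    if cert.san_email is None:
        return Decision("reject", "certificate carries no rfc822Name to search on")
    entry = DIRECTORY.get(cert.san_email.lower())
    # Steps 5a and 5b: a known user gets their VLAN, an unknown one the default.
    vlan = entry["vlan"] if entry else DEFAULT_VLAN
    reason = "found in directory" if entry else "not in directory, default VLAN"
    return Decision("accept", reason, vlan_attributes(vlan))


if __name__ == "__main__":
    known = ClientCert("CN=NIIF CA", "Miklos Tirpak", 0x11, "mtirpak@sztaki.hu")
    print(route("Miklos Tirpak"), authorize(known, chain_ok=True))
    print(route("alice@other.example"))
```

In a real deployment route() corresponds to the realm-based handler selection done on the outer identity, and authorize() to whatever runs after the TLS handshake has verified the chain; the value to take from the model is that the directory lookup is bound to a field the CA signed (the rfc822Name), not to the User-Name the supplicant chose.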

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: radius.cfg
URL: <http://www.open.com.au/pipermail/radiator/attachments/20041026/a523d71c/attachment.ksh>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: eap_tls_ldap.log
Type: text/x-log
Size: 13267 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20041026/a523d71c/attachment.bin>