(RADIATOR) EAP-TLS + LDAP

Tirpak Miklos mtirpak at sztaki.hu
Wed Oct 27 04:38:57 CDT 2004


Hello Hugh,

It did not solve my problem. The search filter is (%0=%1) now. I captured the LDAP query with Ethereal, and I saw 2
queries with different search filters:
1. uid=Miklos Tirpak
2. uid=DEFAULT

You are right, %1 is the identity from the EAP message, which is Miklos Tirpak in my case, but I require the mail
address, not the identity. When I look at the certificate with mmc on Windows, I see that the mail is in the subject
field: E=mtirpak at sztaki.hu.

Thank you,
Miklos

On 10/27/04 09:53, Hugh Irvine wrote:
> 
> Hello Miklos -
> 
> I think you should try using the default SearchFilter, which will
> automatically use the Identity contained in the EAP-Message.
> 
> The default SearchFilter is:
> 
>     SearchFilter (%0=%1)
> 
> See sections 6.36.15 and 23.4 in the Radiator 3.11 reference manual
> ("doc/ref.html").
> 
> regards
> 
> Hugh
> 
> 
> On 27 Oct 2004, at 00:08, Tirpak Miklos wrote:
> 
>> Hello Hugh,
>>
>> I am sending you the config file and the debug attached. The search filter
>> in the LDAP query is uid=Miklos Tirpak, which is not correct; it
>> should be mail=mtirpak at sztaki.hu. I should do the following somehow:
>>
>> 1. Get the realm from the EAP request. For example, the user belongs
>> to our domain if the issuer of the certificate was NIIF CA.
>> 2. If the realm is not ours, proxy the RADIUS request onward.
>> 3. If the realm is ours, check if the certificate is correct.
>> 4. Look at the revocation list.
>> 5. Search for the user in LDAP based on his e-mail address.
>> 5a. If the user is in the database, pass the VLAN attributes back to
>> the switch in a RADIUS Accept.
>> 5b. If the user is not in the DB, pass a default attribute to the switch
>> in a RADIUS Accept (or the switch can use its own default setting).
>>
>> Is this the correct way of setting up EAP-TLS authentication with  
>> LDAP? How do others do it?
>>
>> Thank you,
>> Miklos
>>
>> On 10/23/04 01:24, Hugh Irvine wrote:
>>
>>> Hello Miklos -
>>> Could you please send me a copy of your configuration file (no
>>> secrets) and a complete trace 4 debug showing what is happening
>>> with what you have so far? I would like to see the contents of the
>>> RADIUS requests so I can make suggestions.
>>> regards
>>> Hugh
>>> On 22 Oct 2004, at 18:54, Tirpak Miklos wrote:
>>>
>>>> Hello!
>>>>
>>>> I would like to use EAP-TLS as dot1x authentication, and get the
>>>> VLAN name from LDAP after the successful authentication. The
>>>> search filter has to contain the e-mail address of the user
>>>> instead of the name, because the name is not unique in our
>>>> database. The search filter, for example, should be:
>>>> uid=mtirpak at sztaki.hu
>>>>
>>>> The problem is that the RADIUS request does not contain the
>>>> e-mail address as an attribute; it contains only the user name:
>>>> User-Name = "Miklos Tirpak". The e-mail address is in the EAP
>>>> message. Is there any way to make the search filter based on the
>>>> e-mail address? Like %{some_attribute}, or with a script?
>>>>
>>>> The realm is also not included in the RADIUS attributes, so I have
>>>> to get it from the EAP message. This is the same problem as above.
>>>>
>>>> Thanks,
>>>> Miklos

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
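The mail-based lookup Miklos describes (steps 5, 5a and 5b), as an added example that is not code from this thread or from Radiator: it assumes the client certificate's subject is available as an OpenSSL-style one-line string (a "/C=.../CN=.../emailAddress=..." form, which Radiator does not guarantee), pulls the e-mail out of it, escapes the value per RFC 4515 so that a crafted subject cannot change the meaning of the filter, and returns default VLAN attributes when the user is not in the directory. The directory and the reply attributes are constructed sample data.

```python
import re
from typing import Optional

# Subject attribute names under which OpenSSL prints the e-mail address
# (modern "emailAddress", older "E"/"Email"). The one-line "/K=V/K=V" subject
# format is an assumption of this example, not something Radiator provides.
_EMAIL_RDN = re.compile(r"(?:^|/)\s*(?:emailAddress|Email|E)\s*=\s*([^/]*)",
                        re.IGNORECASE)

# RFC 4515 escaping for a value placed inside an LDAP search filter; without
# it a certificate subject containing "*", "(" or ")" would alter the filter.
_LDAP_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Constructed stand-in for the LDAP directory, keyed by the mail attribute.
DIRECTORY = {
    "mtirpak@sztaki.hu": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                          "Tunnel-Private-Group-ID": "staff"},
}
# Constructed default reply for users not found in the directory (step 5b).
DEFAULT_REPLY = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                 "Tunnel-Private-Group-ID": "guest"}


def ldap_filter_escape(value: str) -> str:
    """Escape a filter value so it is matched literally (RFC 4515)."""
    return "".join(_LDAP_ESCAPE.get(ch, ch) for ch in value)


def email_from_subject(subject: str) -> Optional[str]:
    """Return the e-mail RDN value from a one-line subject, or None if absent."""
    m = _EMAIL_RDN.search(subject)
    return m.group(1).strip() if m else None


def mail_search_filter(subject: str) -> Optional[str]:
    """Build the (mail=...) filter the thread asks for, with the value escaped."""
    email = email_from_subject(subject)
    return None if email is None else f"(mail={ldap_filter_escape(email)})"


def reply_attributes(subject: str) -> dict:
    """Steps 5a/5b: VLAN attributes for a known user, the default otherwise.
    A real deployment would send mail_search_filter(subject) to the LDAP
    server; here the constructed DIRECTORY dict stands in for that search."""
    email = email_from_subject(subject)
    if email is None:                 # certificate carries no e-mail at all
        return dict(DEFAULT_REPLY)
    return dict(DIRECTORY.get(email, DEFAULT_REPLY))
```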
