(RADIATOR) EAP-TLS + LDAP
Hugh Irvine
hugh at open.com.au
Wed Oct 27 15:02:16 CDT 2004
Hello Tirpak -
I have been discussing your problem with Mike and unfortunately it does
not appear to be possible to do what you describe.
Mike is copied on this mail.
regards
Hugh
On 27 Oct 2004, at 19:38, Tirpak Miklos wrote:
> Hello Hugh,
>
> It did not solved my problem. The seach filter is (%0=%1) now. I
> captured the ldap query with ethereal, and I saw 2 query with
> different search filters:
> 1. uid=Miklos Tirpak
> 2. uid=DEFAULT
>
> You are right, %1 is the identity from the EAP message, which is
> Miklos Tirpak in my case, but I require the mail address, not the
> identity. When I look at the certificate with mmc on windows, I see
> that the mail is in the subject field: E=mtirpak at sztaki.hu.
>
> Thank you,
> Miklos
>
> On 10/27/04 09:53, Hugh Irvine wrote:
>> Hello Miklos -
>> I think you should try using the default SearchFilter which will
>> automatically use the Identity contained in the EAP-Message.
>> The default SearchFilter is:
>> SearchFilter (%0=%1)
>> See sections 6.36.15 and 23.4 in the Radiator 3.11 reference manual
>> ("doc/ref.html").
>> regards
>> Hugh
>> On 27 Oct 2004, at 00:08, Tirpak Miklos wrote:
>>> Hello Hugh,
>>>
>>> I send you the config file and the debug attached. The searchfilter
>>> in the ldap query is uid=Miklos Tirpak which is not correct, it
>>> should be mail=mtirpak at sztaki.hu. I should do the following
>>> somehow:
>>>
>>> 1. Get the realm from the eap request. For example, the user belongs
>>> to our domain, if the issuer of the certificate was NIIF CA
>>> 2. If the realm is not our, proxy the radius request toward.
>>> 3. If the realm is our check if the cerificate is correct
>>> 4. Look at the revocation list.
>>> 5. Search the user in LDAP based on his e-mail address
>>> 5a. If the user is in the database, pass the VLAN attributtes back
>>> to the switch in a radius accept
>>> 5b. If the user is not in the db, pass a default attrib to the
>>> switch in a radius accept (or the switch can use its own default
>>> setting)
>>>
>>> Is this the correct way of setting up EAP-TLS authentication with
>>> LDAP? How do others do it?
>>>
>>> Thank you,
>>> Miklos
>>>
>>> On 10/23/04 01:24, Hugh Irvine wrote:
>>>
>>>> Hello Miklos -
>>>> Could you please send me a copy of your configuration file (no
>>>> secrets) and a complete trace 4 debug showing what is happening
>>>> with what you have so far? I would like to see the contents of
>>>> the radius requests so I can make suggestions.
>>>> regards
>>>> Hugh
>>>> On 22 Oct 2004, at 18:54, Tirpak Miklos wrote:
>>>>
>>>>> Hello!
>>>>>
>>>>> I would like to use EAP-TLS as dot1x authentication, and get the
>>>>> vlan name from LDAP after the successfull authentication. The
>>>>> search filter has to contain the e-mail address of the user
>>>>> instead of the name, because the name is not unique in our
>>>>> database. The searchfilter for exapmle should be:
>>>>> uid=mtirpak at sztaki.hu
>>>>>
>>>>> The problem is, that the radius request does not contain the
>>>>> e-main address as an attributte, it contains only the user name:
>>>>> User-Name = "Miklos Tirpak". The e-mail address is in the eap
>>>>> message. Is there any way to make the search filter based on the
>>>>> e-mail address? Like %{some_attributte}, or with a script?
>>>>>
>>>>> The realm is also not included in the radius attributtes, so I
>>>>> have to get is from the eap message. This is the same problem as
>>>>> above.
>>>>>
>>>>> Thanks,
>>>>> Miklos
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list