[RADIATOR] eap-tls with ldap check

Heikki Vatiainen hvn at open.com.au
Thu Jun 14 12:12:38 UTC 2018


On 13/06/2018 17.46, Christian Meutes wrote:

> I'm currently in the process of evaluating Radiator for our Wifi 
> environment. We are using EAP-TLS and want to use an additional check 
> beside the standard certificate validation to grant users access. This 
> check should be based on the value of the "CN=" attribute provided by 
> the user certificate. It should be looked up in LDAP/AD so that we can 
> also validate that the user also exists there.

Start with goodies/eap_tls.cfg. This configuration sample uses AuthBy 
FILE which you need to change to AuthBy LDAP2.

You can get started by first enabling NoCheckId in this configuration 
file. This skips the additional check from the users file.

Then configure the EAP related parameters so that EAP-TLS works. When it 
does, change AuthBy FILE to AuthBy LDAP2, comment out NoCheckId and 
replace the AuthBy FILE specific Filename configuration parameter with 
AuthBy LDAP2 configuration parameters. See goodies/ldap.cfg for an LDAP 
configuration sample.

> Any hint on how a configuration in combination with EAP-TLS could look 
> and how to make use of that attribute inside of the LDAP query would be 
> highly appreciated.

When you have done the above changes, try authenticating again with 
EAP-TLS. The log file should show how Radiator connects to LDAP, what 
kind of search it does and what it gets back from the LDAP server.

Please let us know how it goes,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
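A sketch of what the finished AuthBy LDAP2 block could look like after the steps above, added here as an example; it is not taken from the list post or from Radiator's goodies/ files. The hostname, DNs, certificate paths, password, the Active Directory attribute name and the search filter are all placeholders and assumptions, and NoCheckPassword and UseSSL are assumed to apply to AuthBy LDAP2 as they do to other AuthBy clauses.

```conf
# Added example sketch (not from the list post or Radiator's goodies/);
# every host, DN, path and password below is a placeholder to replace.
<Handler>
        <AuthBy LDAP2>
                # Directory connection (assumed AD, reached over LDAPS)
                Host            ldap.example.com
                Port            636
                UseSSL
                SSLCAFile       %D/certificates/ad-ca.pem
                AuthDN          CN=radiator,OU=Service Accounts,DC=example,DC=com
                AuthPassword    replace-me
                BaseDN          OU=Users,DC=example,DC=com

                # Attribute compared with the user name Radiator derives
                # from the client certificate CN; filter is an assumption
                # (%0 = UsernameAttr, %1 = user name).
                UsernameAttr    sAMAccountName
                SearchFilter    (&(%0=%1)(objectClass=user))

                # EAP-TLS supplies no password; the LDAP lookup only has to
                # confirm the account exists (assumption, see lead-in).
                NoCheckPassword

                # EAP-TLS material, in the style of goodies/eap_tls.cfg
                EAPType                   TLS
                EAPTLS_CAFile             %D/certificates/demoCA/cacert.pem
                EAPTLS_CertificateFile    %D/certificates/cert-srv.pem
                EAPTLS_CertificateType    PEM
                EAPTLS_PrivateKeyFile     %D/certificates/cert-srv.pem
                EAPTLS_PrivateKeyPassword whatever
                EAPTLS_MaxFragmentSize    1000
        </AuthBy>
</Handler>
```

With Trace 4 logging, a successful attempt should show the LDAP bind, the search built from SearchFilter, and the returned entry, which is the check Heikki describes.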


More information about the radiator mailing list