
List:       freeradius-users
Subject:    Re: FreeRadius EAP-TLS Auth using Email Address
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2024-01-31 12:21:25
Message-ID: 2F4269FC-7949-4DBF-A8CA-A6B03365717C () deployingradius ! com

On Jan 31, 2024, at 6:57 AM, LOWES, Phil (LEICESTERSHIRE PARTNERSHIP NHS TRUST) via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
> 
> We have a requirement to authenticate devices to WIFI using the user's email
> address stored in AD. The devices are enrolled into InTune and the only shared
> piece of information is the email address.
> How can I change FreeRadius to authenticate using the email address instead of the
> username?

  That question is a bit confused.

  The server gets a User-Name attribute in an Access-Request.  That User-Name contains some value.  FreeRADIUS typically looks that value up in a database, and then gets a password back from that.

  FreeRADIUS then uses the password to authenticate the user.

> Do I need to perform some form of LDAPSearch using the email address to get the
> username?

   Perhaps.  Or maybe you can modify the LDAP queries to find an account where the email address in the DB matches the User-Name.

  i.e. break the problem into discrete bits of information, and then connect them together.  Run small tests to verify what you can do.

  Can you look up the email address in LDAP, and get a user ID?  Or can you use the email address to get a matching password?

> Will this work with EAP authentication using SSL certs? The SSL certs are created
> OnPrem and use the email address.

  If you're using EAP-TLS, then it doesn't use or check passwords.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
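
A configuration sketch for the approach discussed in the message above, added here as an example and not taken from the thread or written by its participants. It assumes the FreeRADIUS 3.x file layout, an AD `mail` attribute holding the address, and a client certificate that carries the address as a subjectAltName e-mail entry; the server name, bind account, password and base DN are constructed placeholders.

```conf
# --- mods-available/ldap (FreeRADIUS 3.x layout, assumed) ---
ldap {
	# Constructed placeholders: replace with your own values.
	server   = 'dc1.example.org'
	identity = 'cn=radius-ro,ou=service,dc=example,dc=org'
	password = 'CHANGE_ME'
	base_dn  = 'dc=example,dc=org'

	user {
		base_dn = "${..base_dn}"

		# Stock filter, matching the account name:
		#   filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
		# Variant: find the account whose "mail" attribute equals
		# the User-Name from the Access-Request.
		filter = "(mail=%{User-Name})"
	}
}

# --- sites-available/check-eap-tls ---
# Enabled with "virtual_server = check-eap-tls" in the eap module's tls section.
server check-eap-tls {
	authorize {
		# EAP-TLS checks no password, so the certificate is the credential.
		# User-Name is chosen by the client; accept only if it equals
		# the e-mail address in the certificate (assumed: SAN e-mail entry).
		if (&User-Name == "%{TLS-Client-Cert-Subject-Alt-Name-Email}") {
			# The account must also still exist in the directory.
			ldap
			if (notfound) {
				reject
			}
			update config {
				&Auth-Type := Accept
			}
		}
		else {
			update config {
				&Auth-Type := Reject
			}
		}
	}
}
```

Running the server in debug mode (`radiusd -X`) shows the expanded LDAP filter and the search result for each request, which is a convenient way to run the small tests suggested in the message.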

