List: freeradius-users
Subject: Re: FreeRadius EAP-TLS Auth using Email Address
From: Matthew Newton via Freeradius-Users <freeradius-users () lists ! freeradius ! org>
Date: 2024-02-05 16:29:27
Message-ID: 3991ef10-e91e-4e21-a0b6-9b24873eb5fd () freeradius ! org
On 05/02/2024 15:53, LOWES, Phil (LEICESTERSHIRE PARTNERSHIP NHS TRUST) via Freeradius-Users wrote:
> Our email addresses are different from our UPNs, which is why we need to convert the email supplied
OK.
> in the EAP-TLS client cert.
I suspect you mean in the RADIUS request? If you're using EAP-TLS with a
client cert then you very likely won't also be using ntlm_auth.
> This is what I found to convert the supplied email address into a usable AD username:
Ouch, OK.
> The site I found then suggested inside the mschap module to call the bash script instead of calling ntlm_auth directly:
More awful advice on the Internet :(
> ntlm_auth = "/usr/bin/mail_to_username %{mschap:User-Name:-None} %{%{mschap:NT-Domain}:-EXAMPLE} %{mschap:Challenge:-00} %{mschap:NT-Response:-00}"
>
> Can FreeRADIUS perform the LDAP search natively within the module and return the username for the ntlm_auth command?
Yes, you can do all of this directly from within FreeRADIUS.
Configure the LDAP module (raddb/mods-enabled/ldap) - you will see in
there the "update" section (not the same as unlang's update) where you
can map LDAP attributes to RADIUS attributes.
So you will want something like
update {
    request:Tmp-String-1 := 'extensionAttribute15'
}
Then, assuming a successful LDAP search, the &Tmp-String-1 attribute will
contain the value of the 'extensionAttribute15' LDAP attribute, which
you can use in e.g. the ntlm_auth command, or preferably with the direct
winbind configuration in mschap.
You will need to use the filters etc in the ldap module configuration to
look up the correct entry. If you need to modify the attributes used in
the lookup then use regular expressions or similar in unlang to
transform the data before calling the ldap module.
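An added configuration sketch of the approach described above; it is not from the thread or from the FreeRADIUS distribution. Assumed: the LDAP server and base DN, that the incoming identity is the e-mail address held in the AD `mail` attribute, that `extensionAttribute15` holds the AD account name, and that the policy lives in the virtual server that handles the MS-CHAP request.

```unlang
# raddb/mods-enabled/ldap (assumed fragment; only the relevant keys shown)
ldap {
    server  = 'ldaps://dc.example.org'   # assumed
    base_dn = 'dc=example,dc=org'        # assumed
    user {
        base_dn = "${..base_dn}"
        # The supplied identity is an e-mail address, so search AD by 'mail'
        # rather than by the default uid/sAMAccountName filter.
        filter = "(mail=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    update {
        # Module-level mapping of LDAP attribute -> RADIUS attribute.
        # On a successful search &Tmp-String-1 holds the AD account name.
        request:Tmp-String-1 := 'extensionAttribute15'
    }
}

# raddb/mods-enabled/mschap (assumed fragment)
mschap {
    # Preferred: hand the looked-up account name to winbind directly.
    # Falls back to the raw MS-CHAP user name if the LDAP lookup set nothing.
    winbind_username = "%{%{Tmp-String-1}:-%{mschap:User-Name}}"
    winbind_domain   = "%{mschap:NT-Domain}"

    # Alternative: pass the looked-up name to ntlm_auth instead of a wrapper script.
    # ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Tmp-String-1}:-None} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# authorize section of the virtual server handling the request (assumed)
authorize {
    # Only run the lookup when the identity looks like an e-mail address;
    # anything else is left for the normal policy below.
    if (&User-Name =~ /^[^@]+@[^@]+$/) {
        ldap
        if (notfound) {
            reject
        }
    }
    mschap
}
```

The ldap call must run in authorize, before mschap authenticates, so that &Tmp-String-1 is already populated when the winbind_username expansion is evaluated.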
--
Matthew