
List:       freeradius-users
Subject:    Re: FreeRadius EAP-TLS Auth using Email Address
From:       Matthew Newton via Freeradius-Users <freeradius-users () lists ! freeradius ! org>
Date:       2024-02-05 16:29:27
Message-ID: 3991ef10-e91e-4e21-a0b6-9b24873eb5fd () freeradius ! org


On 05/02/2024 15:53, LOWES, Phil (LEICESTERSHIRE PARTNERSHIP NHS TRUST) 
via Freeradius-Users wrote:
> Our email addresses are different from our UPNs, which is why we need to convert the email supplied

OK.

> in the EAP-TLS client cert.

I suspect you mean in the RADIUS request? If you're using EAP-TLS with a 
client cert then you very likely won't also be using ntlm_auth.

> This is what I found to convert the supplied email address into a usable AD username:

Ouch, OK.

> The site I found then suggested inside the mschap-module to call the bash-script instead of calling directly ntlm_auth:

More awful advice on the Internet :(

> ntlm_auth = "/usr/bin/mail_to_username %{mschap:User-Name:-None} %{%{mschap:NT-Domain}:-EXAMPLE} %{mschap:Challenge:-00} %{mschap:NT-Response:-00}"
> 
> Can Freeradius perform the LDAP search natively within the module and return the username for the ntlm_auth command?

Yes, you can do all of this directly from within FreeRADIUS.

Configure the LDAP module (raddb/mods-enabled/ldap) - you will see in 
there the "update" section (not the same as unlang's update) where you 
can map LDAP attributes to RADIUS attributes.

So you will want something like

update {
   request:Tmp-String-1 := 'extensionAttribute15'
}

then assuming a good LDAP search the &Tmp-String-1 attribute will 
contain the value of the 'extensionAttribute15' LDAP attribute - which 
you can use in e.g. the ntlm_auth command, or preferably with the direct 
winbind configuration in mschap.

You will need to use the filters etc in the ldap module configuration to 
look up the correct entry. If you need to modify the attributes used in 
the lookup then use regular expressions or similar in unlang to 
transform the data before calling the ldap module.

-- 
Matthew
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
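A worked version of the approach in the reply above, added here as an example and not taken from Matthew's message or from the FreeRADIUS distribution. The server name, bind DN, base DN, the use of the LDAP `mail` attribute in the filter, and the placement in `inner-tunnel` are assumptions; `extensionAttribute15` and `Tmp-String-1` are the names from the thread.

```conf
# raddb/mods-enabled/ldap  (server, bind credentials and base DN are assumed)
ldap {
	server = 'ldap.example.org'
	identity = 'cn=radius,ou=services,dc=example,dc=org'
	password = 'CHANGE-ME'            # placeholder for the service-account password
	base_dn = 'dc=example,dc=org'

	user {
		base_dn = "${..base_dn}"
		# Find the entry by the e-mail address the client sent as its User-Name
		# (assumed to live in the 'mail' attribute). rlm_ldap escapes the
		# expanded value before building the filter, so an odd User-Name
		# cannot change the shape of the search.
		filter = "(mail=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	update {
		# Copy the AD attribute holding the login name into a request attribute;
		# nothing is written if the entry has no extensionAttribute15.
		request:Tmp-String-1 := 'extensionAttribute15'
	}
}

# raddb/mods-enabled/mschap
mschap {
	# Preferred: let mschap talk to winbind directly, using the looked-up name
	# and falling back to the name from the MS-CHAP packet if none was found.
	winbind_username = "%{%{Tmp-String-1}:-%{mschap:User-Name}}"
	winbind_domain = "%{%{mschap:NT-Domain}:-EXAMPLE}"

	# Alternative: keep the external ntlm_auth helper, with the same substitution
	# (recent Samba versions also require --allow-mschapv2 here).
	# ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Tmp-String-1}:-None} --domain=%{%{mschap:NT-Domain}:-EXAMPLE} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# raddb/sites-enabled/inner-tunnel, authorize section (PEAP/TTLS inner auth).
# The ldap lookup must run here so &Tmp-String-1 exists before the mschap
# module authenticates; rejecting early avoids handing "None" to winbind.
authorize {
	suffix
	ldap
	if (!&Tmp-String-1) {
		reject
	}
	mschap
	eap
}
```

Run `radiusd -X` and check the debug output for the expanded filter and the `Tmp-String-1` value after the `ldap` call before enabling this on a production server.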

