I configured FreeRADIUS to use EAP-TLS for certificate based authentication (self-signed certificates). Authentication works fine, except that I'd like to add group-based authorization.
More specifically, I need to use the Class attribute to be sent back to the NAS in the reply. This attribute will then be read and interpreted by the NAS as group membership information (e.g. Class = myclass).
Some background information: I use FreeRADIUS together with strongSwan; that's where the group membership info is interpreted.
I'm looking for a simple way to make FreeRADIUS aware of the groups. I tried to set the Class attribute within the configuration file for the rlm_files module (freeradius/3.0/mods_config/files/authorize), which looked like this:
username
        Reply-Message := "Hello, %{User-Name}",
        Class := "myclass"
I left the first line empty because no "check item" is needed.
EAP-TLS authentication succeeds, however, the Class attribute is not appended to the reply.
I am not even sure whether FreeRADIUS does process the user (or authorize) file after the EAP-TLS authentication is done. I doubt that though.
Is there a simple way to specify the Class attribute based on the username (assuming there's multiple users and a few groups)?
Best Answer
FreeRADIUS may not be processing the users file as it short-circuits the authorize section for most EAP packets.

You need to call the users file in the post-auth section using files.authorize, i.e.

User-Name can be set to anything and authorization will still succeed, so it's not good to use it when making policy decisions for EAP-TLS.

IIRC the certificate attributes get decoded and placed in the &session-state: list. In which case you can do

Which should make all the attributes available for matching in the users file. It should also print out which attributes were available in the debug output near the end of processing the authentication attempt.
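As an added example (not part of the question or the answer above, and not FreeRADIUS project code), here is one way the two configuration fragments the answer refers to could look together: the post-auth hook that runs the users file, and a users file that maps certificate identities to a Class reply. It assumes, following the answer, that the EAP-TLS handshake leaves the decoded client-certificate attributes in the &session-state: list, that the stock files module instance and the default virtual server are in use, and that matching is done on the certificate Common Name rather than on User-Name. The CN values and group names are constructed.

```conf
# --- sites-enabled/default, post-auth section (assumed location; excerpt) ---
post-auth {
    # Assumption taken from the answer: the decoded client certificate is in
    # &session-state:.  Copy the CN into the request list so that rlm_files
    # can compare against it as a check item.  The CN was verified against
    # the CA during the TLS handshake; User-Name was not verified at all.
    if (&session-state:TLS-Client-Cert-Common-Name) {
        update request {
            &TLS-Client-Cert-Common-Name := &session-state:TLS-Client-Cert-Common-Name
        }
    }

    # Run the users file here, because the authorize section is skipped for
    # most EAP packets.  Reply items it sets (Class) end up in the Access-Accept.
    files.authorize
}

# --- mods-config/files/authorize (the "users" file) ---
# Group mapping keyed on the certificate CN, not on User-Name.
# Constructed sample CNs and group names; first matching DEFAULT entry wins.
DEFAULT TLS-Client-Cert-Common-Name == "alice.example.org"
        Class := "admins"

DEFAULT TLS-Client-Cert-Common-Name == "bob.example.org"
        Class := "users"

# Any other certificate gets no Class, so strongSwan sees no group membership.
```

Run the server with radiusd -X and look at the post-auth part of the debug output for a successful EAP-TLS attempt: the TLS-Client-Cert-* attributes should be listed there, and the reply should carry the Class value. If the debug output shows those attributes already in the request list rather than in session-state, the update block is unnecessary and can be dropped.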