How to configure FreeRADIUS with EAP-TLS and group-based authorization?
FreeRADIUS may not be processing the users file as it short-circuits the authorize section for most EAP packets.
You need to call the users file in the post-auth section using files.authorize
, i.e.
Post-auth {
files.authorize
}
User-Name
can be set to anything and authorization will still succeed, so it's not good to use it when making policy decisions for EAP-TLS.
IIRC the certificate attributes get decoded and placed in the &session-state:
list.
In which case you can do
Post-auth {
update request {
&request: += &session-state:[*]
}
files.authorize
}
Which should make all the attributes available for matching in the users file. It should also print out which attributes were available in the debug output near the end of processing the authentication attempt.