How to configure FreeRADIUS with EAP-TLS and group-based authorization?

radius freeradius eap

FreeRADIUS may not be processing the users file as it short-circuits the authorize section for most EAP packets.

You need to call the users file in the post-auth section using files.authorize, i.e.

Post-auth {
    files.authorize
}

User-Name can be set to anything and authorization will still succeed, so it's not good to use it when making policy decisions for EAP-TLS.

IIRC the certificate attributes get decoded and placed in the &session-state: list.

In which case you can do

Post-auth {
    update request {
        &request: += &session-state:[*]
    }
    files.authorize
}

Which should make all the attributes available for matching in the users file. It should also print out which attributes were available in the debug output near the end of processing the authentication attempt.

Related

What is a shared folder quota?
How to uninstall redis on Centos 8
nginx: [warn] conflicting server name
NGINX: Ignoring Certain URL Parameters for Cache Purposes
Building PHP on Mac OS X?
Use non default route as non privileged user
Firefox packaging to include addons for network installation
UFW + fail2ban not working with `nginx` to block attack scripts
How to properly configure access to kubernees dashboard behind nginx ingress
How do I do a case-insensitive mod_rewrite redirect to the same URL (mod case)?
openvpn restriction [duplicate]
Apache Request IP Based Security