
I am trying to set up EAP-TLS with FreeRADIUS and an IPA backend. I understand that a typical workflow is to authorize the user against LDAP first and then to authenticate the user using a certificate.

Is this workflow typical or correct?

I also understand how to configure the EAP for client OCSP certificate validation and the LDAP module with parameters relevant to the IPA directory structure, etc.

This question has to do with the workflow described above and how to configure the default and inner-tunnel sites. The default site has sections for authorization and authentication, respectively. However, I understand that EAP-TLS by definition requires certificate-based authentication to occur within the inner-tunnel.

Which of the following is the correct setup:

  1. Ignore inner-tunnel and configure the default site for authorization/authentication (LDAP / EAP, respectively).

or

  2. Configure default site for LDAP under authorization, leaving authentication blank, and configure inner-tunnel for authentication, leaving authorization blank there.

I'm trying to implement best practices here, so if either will work, is there an issue or security risk that I don't appreciate here?

user3814483
  • if you want to run EAP-TLS - you need a client certificate. LDAP can contain client certificates so some RADIUS/EAP servers can do certificates binary comparison (like Cisco Secure ISE) – Oleg Feb 16 '19 at 11:30
  • Thanks, I'm aware of that, and I already have them set up using IPA. The question has more to do with the FreeRADIUS configuration of sites (I know how to configure the EAP module). – user3814483 Feb 16 '19 at 14:01
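As an added illustration (not taken from the question, its comments, or the FreeRADIUS project's shipped configuration files), the fragment below sketches the shape of a FreeRADIUS 3.0.x `sites-enabled/default` for the workflow the question describes. In FreeRADIUS the `eap` module runs EAP-TLS to completion in the outer virtual server; `inner-tunnel` is consulted only for the inner leg of tunnelled methods such as PEAP and TTLS, so a pure EAP-TLS deployment corresponds to the first of the two setups in the question (default site only). The security point worth seeing in code is *when* the LDAP authorization happens: the outer `User-Name` is supplied by the client and is not verified by the TLS handshake, so a directory lookup keyed on it before the certificate is checked ties the decision to an unauthenticated identity. The `TLS-Client-Cert-Common-Name` attribute and the `LDAP-Group` comparison are FreeRADIUS built-ins; the `check-eap-tls` virtual server is the mechanism 3.0.x provides for running policy after certificate verification (confirm your release ships `sites-available/check-eap-tls`). The group name, the assumption that the IPA `uid` equals the certificate CN, and the assumption that the `ldap` instance's user filter matches on `%{User-Name}` are mine, for illustration only.

```unlang
# Added example, not from the question or the FreeRADIUS project's shipped
# files. Assumes FreeRADIUS 3.0.x with mods-enabled/eap (tls section with
# OCSP checking) and mods-enabled/ldap (IPA base_dn / filters) already set up.

# --- sites-enabled/default (fragment) ---
server default {
    listen {
        type   = auth
        ipaddr = *
        port   = 0
    }

    authorize {
        preprocess
        # The eap module claims EAP packets and sets Auth-Type = EAP.
        # "ok = return" skips the rest of authorize for the later EAP
        # rounds, so nothing below runs on every TLS fragment.
        eap {
            ok = return
        }
        # Anything that is not EAP is refused: this server offers no
        # password-based fallback, so a missing certificate cannot be
        # worked around with an LDAP bind.
        reject
    }

    authenticate {
        # EAP-TLS runs to completion here, in the outer server. The client
        # certificate chain (and OCSP, per mods-enabled/eap) is verified by
        # the eap module; inner-tunnel is never entered for EAP-TLS.
        eap
    }

    post-auth {
        # Reached only after the certificate verified. Bind the outer
        # identity to the certificate so a supplicant cannot present one
        # user's User-Name with a different (but valid) certificate.
        if (&User-Name != "%{TLS-Client-Cert-Common-Name}") {
            reject
        }
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}

# --- sites-enabled/check-eap-tls (fragment) ---
# Enabled by "virtual_server = check-eap-tls" in the tls-config of
# mods-enabled/eap. Its authorize section runs once the client certificate
# has been verified, with the TLS-Client-Cert-* attributes present, so the
# directory lookup is keyed on the verified certificate identity rather
# than on the client-supplied outer User-Name. Returning reject here makes
# the TLS handshake fail.
# Assumptions: IPA uid == certificate CN; the ldap instance's user filter
# matches on %{User-Name}; "wifi-users" is a placeholder group name.
server check-eap-tls {
    authorize {
        if (!&TLS-Client-Cert-Common-Name) {
            reject
        }
        update request {
            &User-Name := "%{TLS-Client-Cert-Common-Name}"
        }
        # Directory authorization: the user must exist in IPA ...
        ldap
        if (notfound || fail) {
            reject
        }
        # ... and belong to the group permitted to use this SSID.
        if (!(&LDAP-Group == "wifi-users")) {
            reject
        }
        ok
    }
}
```

With this layout `inner-tunnel` carries no EAP-TLS configuration at all, and the LDAP decision is made twice in a useful way: existence and group membership are enforced against the verified CN during the handshake, and `post-auth` refuses any session whose outer identity does not match that CN. Running `radiusd -X` and watching for the `TLS-Client-Cert-*` attributes in the debug output is the quickest way to confirm the `check-eap-tls` server is actually being entered on your release.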

0 Answers