KB24023 - [SBR] How to configure EAP-TLS to authenticate users and computers only if they belong to a specific Active Directory domain group

Last Modified Date: 7/31/2015 5:43 PM
Synopsis
This article describes how to configure EAP-TLS to authenticate users and computers only if they belong to a specific Active Directory domain group. With this method, users and computers are checked not only for a valid certificate but also for their group membership in Active Directory before they are granted access.

 
Problem or Goal
This configuration involves configuring the EAP-TLS helper with LDAP, which is used for secondary authorization.
Cause
Solution
Perform the following procedure:

  1. Install the server certificate and the trusted root certificate in SBR Administrator.

  2. Under EAP Methods in SBR Administrator, enable EAP-TLS Helper and apply the changes.

  3. Edit EAP-TLS Helper, click the Secondary authorization tab, and enable secondary authorization.

  4. Under Convert username to, select Subject CN or Principal name.

     If Subject CN is selected, the CN value of the Subject attribute in the certificate presented to SBR for EAP-TLS is used as the username for authorization.

     If Principal name is selected, the CN value of the Subject Alternative Name attribute in that certificate is used instead.

  5. Configure the LDAP module to not require a password by editing the ldapauth.aut file: in the [response] section, comment out the %password line.

  6. Configure the filter under [Search/DoLdapSearch] to check both the username and the group membership. The memberOf value must be the group's full distinguished name, including its CN= component. For example:

     Filter=(&(CN=<User-Name>)(memberOf=CN=Sales_group,OU=Radius,OU=Users,OU=Autoeuropa Structure,DC=psecurelab,DC=local))

  7. Restart the SBR service.

  8. Under Order of Methods, move the LDAP authentication method into the Active authentication methods list, select TLS as the active EAP method, and apply the changes.
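The following added example (not part of this KB article and not SBR's own code) models the secondary-authorization step above: the username taken from the client certificate is substituted into the same filter shape as the Filter= line, and access is granted only when a directory entry matches both the name and the required memberOf group DN, so a valid certificate alone is not enough. It also hex-escapes the substituted username per RFC 4515 so that characters such as *, ( and ) in a certificate subject are matched literally. The directory contents, the function names, and the tiny filter evaluator that stands in for a directory server are all constructed for this illustration.

```python
"""Added example: certificate name + LDAP group membership as the authorization
decision, with RFC 4515 escaping of the value substituted for <User-Name>."""
import re

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# One equality assertion such as (CN=alice). The value may contain \xx escapes but
# no raw parentheses, so the greedy match stops at the assertion's own ')'.
_ASSERTION = re.compile(r"\(([A-Za-z]+)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)")

# Constructed sample directory: DN -> attributes (LDAP values are always lists).
GROUP_DN = "CN=Sales_group,OU=Radius,OU=Users,OU=Autoeuropa Structure,DC=psecurelab,DC=local"
DIRECTORY = {
    "CN=alice,OU=Users,DC=psecurelab,DC=local": {"cn": ["alice"], "memberOf": [GROUP_DN]},
    "CN=bob,OU=Users,DC=psecurelab,DC=local": {
        "cn": ["bob"],
        "memberOf": ["CN=Engineering,OU=Radius,OU=Users,OU=Autoeuropa Structure,DC=psecurelab,DC=local"],
    },
}


def username_from_certificate(subject_cn, san_principal_name, convert_to="subject CN"):
    """Mirror the 'Convert username to' setting: the Subject CN, or the principal
    name carried in the Subject Alternative Name extension (hypothetical helper)."""
    if convert_to == "subject CN":
        return subject_cn
    if convert_to == "principal name":
        return san_principal_name
    raise ValueError(f"unknown conversion: {convert_to}")


def escape_filter_value(value):
    """Hex-escape filter metacharacters so the value is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(username, group_dn):
    """Same shape as the KB's Filter= line, with <User-Name> substituted."""
    return f"(&(CN={escape_filter_value(username)})(memberOf={escape_filter_value(group_dn)}))"


def _unescape(text):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def _value_pattern(raw_value):
    # An unescaped '*' is a substring wildcard; everything else is literal.
    return ".*".join(re.escape(_unescape(part)) for part in raw_value.split("*"))


def evaluate_filter(filter_str, entry):
    """Evaluate (&(attr=value)(attr=value)...) against one entry, case-insensitively,
    the way an AD-style directory compares CN and DN-valued attributes."""
    if not (filter_str.startswith("(&") and filter_str.endswith(")")):
        raise ValueError("only AND filters of equality assertions are supported here")
    attrs = {name.lower(): values for name, values in entry.items()}
    assertions = _ASSERTION.findall(filter_str[2:-1])
    if not assertions:
        return False
    return all(
        any(re.fullmatch(_value_pattern(raw), v, re.IGNORECASE) for v in attrs.get(attr.lower(), []))
        for attr, raw in assertions
    )


def authorize(directory, username, group_dn):
    """True only when an entry matches both the name and the group membership."""
    flt = build_filter(username, group_dn)
    return any(evaluate_filter(flt, entry) for entry in directory.values())


if __name__ == "__main__":
    # bob presents a valid certificate but is not in Sales_group, so he is rejected.
    for cn in ("alice", "bob"):
        user = username_from_certificate(cn, f"{cn}@psecurelab.local")
        print(user, "->", "accept" if authorize(DIRECTORY, user, GROUP_DN) else "reject")
```

The escaping step is the practitioner's caveat here: the <User-Name> value comes from a field of a client certificate, so the filter must treat it as data rather than as filter syntax, which is what the RFC 4515 escapes guarantee.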
     


Note: If you configure secondary authorization with no password, the selected authentication method must be capable of handling requests that do not include a password. The only authentication methods that support this style of authentication and ship with Steel-Belted Radius are Native User, LDAP, and SQL.


 
Created By: Data Deployment
