Perform the following procedure:
- Install the server certificate and Trusted root certificate in SBR administrator.
- Under EAP methods in SBR administrator, enable EAP-TLS Helper and apply the changes.
- Edit EAP-TLS Helper, click the Secondary authorization tab, and enable secondary authorization.
- Under Convert username to, select subject CN or principal name.
If subject CN is selected, then in the certificate, which is presented to SBR for EAP-TLS, the subject attribute's CN value will be considered as the username for authorization.
If principal name is selected, then in the certificate, which is presented to SBR for EAP-TLS, the Subject Alternate Name attribute's CN value will be considered.
- Configure LDAP module to not require a password by editing the ldapauthaut file. In the [response] section, comment the %password field.
- Configure the filter under [Search/DoLdapSearch] to check for the Username and group membership. For example :
Filter=(&(CN=<User-Name>)(memberOf=Sales_group,OU=Radius,OU=Users,OU=Autoeuropa Structure,DC=psecurelab,DC=local))
- Under Order of Methods, move the LDAP auth method to the Active authentication method, select TLS as the Active EAP method, and apply the changes.
Note: If you configure the secondary authorization with no password, the selected authentication method must be capable of handling requests, which do not include passwords. The only authentication methods, which support this style of authentication and ship with Steel-Belted Radius are Native User, LDAP, and SQL. 
