Can you use TLS and Request users authentication as well

alfonso.lazaro at eresmas.com alfonso.lazaro at eresmas.com
Thu Apr 27 13:45:15 CEST 2006


On Tue, Apr 18, 2006 at 01:07:10PM -0400, Alan DeKok wrote:


I have a similar situation.

I want to use "two factor authentication":

- one certificate (not exportable) installed by the Office Automation Department
- Active Directory login/password

So if you do not have the certificate, you are not allowed to log in although you know a valid AD login/password,
and you are not allowed to log in with only a valid certificate; you must also have a valid AD login/password.

I have configured EAP-PEAP and I have added DEFAULT EAP-TLS-Require-Client-Cert := Yes in the users file,
but I do not know how to force Windows 2000 and Windows XP to send the client certificate during a PEAP authentication, maybe a regedit change ...

I know that it is not a "radius" problem, but I would be very pleased if someone can help me with how to do it.
If I find the solution I will share it with the list members.

Best regards,

Alfonso


> Walter Reynolds <waltr at umich.edu> wrote:
> > What I am trying to figure out is a way to not only have a certificate, 
> > but a secondary way to verify that that certificate is being used by a 
> > person we allow.
> 
>   Passwords.
> 
> > Is this something that can be done?  Has anyone run into a similar problem 
> > and what did they do?  I know we could go TTLS and not have a machine 
> > cert, but then we get fears of man-in-the-middle.
> 
>   I would suggest a self-signed server cert, and a client certificate.
> You can use EAP-TLS-Require-Client-Cert to force a particular session
> to require a client cert.  This works for TTLS, too.
> 
>   The server will then verify that the client cert is signed by the
> cert it has, which should prevent man in the middle attacks.
> 
>   Alan DeKok.