Simultaneous EAP-TLS and PEAP-MSCHAPv2 (machine/user authentication)

Nick Lowe nick.lowe at gmail.com
Sat Dec 26 23:24:34 CET 2015


That's with EAP-TLS as the inner to EAP-PEAP, which we know works. You
don't have a second factor at that point though because the client cert is
only via the inner. In the case that EAP-MS-CHAPv2 is the inner, you can't
use a client cert.

On Sat, Dec 26, 2015 at 10:20 PM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Dec 26, 2015, at 5:02 PM, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> >> Has someone actually tried requiring a peer certificate and
> >> seeing what the Windows supplicant does?
> >
> > Fails to authenticate as soon as you require a client cert.
> > Tried a while ago; would have been quite nice.
>
>   You should be able to add a client cert on the Windows side, and still
> do PEAP.
>
>   Last I tried it worked.  Tho that was probably 8 years ago...
>
>   Alan DeKok.

