Simultaneous EAP-TLS and PEAP-MSCHAPv2 (machine/user authentication)

Alan DeKok aland at deployingradius.com
Mon Dec 28 21:25:33 CET 2015


On Dec 28, 2015, at 9:51 AM, Ben Humpert <ben at an3k.de> wrote:
> It isn't wrong terminology.

  He was using the term "machine authentication" to refer to a network which didn't have Active Directory, and which had non-Windows machines.  This was wrong.

> One actually could use two certificates, one for the machine (is the
> machine allowed to access the network? If yes into which VLAN should we put
> it?) and one for the user (is the user allowed to access the network?).

  No.  Once a system is on the network, it's on the network.

> Using both you could do machine auth first and get the machine put into
> VLAN 1 to get DHCP stuff and access to e.g. Active Directory (which is
> required for user auth).

  i.e. 802.1X with EAP-TLS, and auto-provisioned credentials via Active Directory.

> Then you can do user auth and put the machine into
> the VLAN the user actually belongs to.

  No.  Once a system is on the network, it's on the network.

  You're probably referring to "user authentication" as "user authenticates to Active Directory".  This has nothing to do with 802.1X.  It uses TCP/IP and proprietary Microsoft protocols.

  It is possible for the system to drop its network connection, and then re-authenticate via 802.1X, and the user's credentials.

  Alan DeKok.
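As an added illustration of the VLAN-assignment mechanism the thread is arguing about (this is not code from the thread or from the FreeRADIUS project), here is a FreeRADIUS 3.x unlang fragment for the post-auth section of the outer virtual server (conventionally sites-enabled/default). It assigns one VLAN when the outer EAP method was EAP-TLS (certificate-based machine authentication) and another when it was PEAP (user credentials over MSCHAPv2 in the tunnel), using the RFC 3580 tunnel attributes. The VLAN IDs 10 and 20 are constructed placeholders.

```unlang
# Added example, not from the thread or the FreeRADIUS project.
# Goes inside the existing post-auth { ... } of the outer server
# (assumed: sites-enabled/default on FreeRADIUS 3.x).
# VLAN IDs 10 and 20 are constructed placeholders.

# Outer method EAP-TLS: the supplicant proved possession of the machine
# certificate, so place it in the "machine" VLAN.
if (&EAP-Type == EAP-TLS) {
    update reply {
        &Tunnel-Type := VLAN
        &Tunnel-Medium-Type := IEEE-802
        &Tunnel-Private-Group-Id := "10"
    }
}
# Outer method PEAP: the inner tunnel (MSCHAPv2) authenticated the user,
# so place the port in the "user" VLAN.
elsif (&EAP-Type == PEAP) {
    update reply {
        &Tunnel-Type := VLAN
        &Tunnel-Medium-Type := IEEE-802
        &Tunnel-Private-Group-Id := "20"
    }
}
# Any other method gets no tunnel attributes; the switch then applies
# its configured default VLAN for the port.
```

The tunnel attributes travel in the single Access-Accept that ends the 802.1X exchange, and the switch applies them to the port at that moment. A machine that authenticated with EAP-TLS therefore stays in VLAN 10 until a new 802.1X session is started with the user's credentials, which is the point Alan makes above: a later user logon to Active Directory over TCP/IP does not change the port's VLAN.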
