how to turn on client certificate verification for PEAP?
mcn4 at leicester.ac.uk
Thu Mar 19 12:03:13 CET 2015
On Wed, Mar 18, 2015 at 08:35:36PM -0400, Arran Cudbard-Bell wrote:
> > On 18 Mar 2015, at 12:16, Jim Shi <hanmao_shi at apple.com> wrote:
> > Actually we would like to have PEAP + MSCHAP + client certificate validation,
> > Looks PEAP + MSCHAP is working, we just want to additional client certificate validation.
> Apparently, according to the interwebs. I personally have never tested it.
I played around with this a long time ago when I was hacking on
the TLS code. I think it will be hard finding a supplicant that
actually supports it - it might be possible to configure
wpa-supplicant to send a client cert with PEAP.
Generally you have two options - client cert auth, or
username/password auth. Trying to do both together seems
practically impossible. (We wanted to for staff laptops to verify
both the machine and the user - in the end settled on EAP-TLS to
get onto the network, then user has to log into the domain, which
was about as good as we could get.)
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
More information about the Freeradius-Users