how to turn on client certificate verification for PEAP?

Matthew Newton mcn4 at leicester.ac.uk
Thu Mar 19 12:03:13 CET 2015


On Wed, Mar 18, 2015 at 08:35:36PM -0400, Arran Cudbard-Bell wrote:
> > On 18 Mar 2015, at 12:16, Jim Shi <hanmao_shi at apple.com> wrote:
> > Actually we would like to have PEAP + MSCHAP + client certificate validation,
> > 
> > Looks like PEAP + MSCHAP is working, we just want additional client certificate validation.
...
> 
> Apparently, according to the interwebs. I personally have never tested it.

I played around with this a long time ago when I was hacking on
the TLS code. I think it will be hard finding a supplicant that
actually supports it - it might be possible to configure
wpa_supplicant to send a client cert with PEAP.

Generally you have two options - client cert auth, or
username/password auth. Trying to do both together seems
practically impossible. (We wanted to for staff laptops to verify
both the machine and the user - in the end we settled on EAP-TLS to
get onto the network, then the user has to log into the domain, which
was about as good as we could get.)

Thanks,

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
