PEAP and MSCHAPv2 with personal supplicant certificates
rrodrigues at mt4.com.br
Thu Sep 29 17:27:52 CEST 2016
Thank you both very much for your recommendations. I'm building a new lab
on CentOS 7 (for now) and I'm pretty optimistic about this.
*Renato Zipper*
2016-09-26 11:38 GMT-03:00 Matthew Newton <mcn4 at leicester.ac.uk>:
> On Mon, Sep 26, 2016 at 11:16:08AM -0300, Renato Rodrigues via
> Freeradius-Users wrote:
> > We have a mixed environment with Linux and Windows 7 client machines and
> > (and I believe I'll succeed soon). I believe I'm close to replicating
> > behavior over PEAP, which would add the MSCHAPv2 authentication after the
> > TLS validation, however this is not the full functionality that we
> The Windows supplicant refuses to send a client certificate with
> PEAP, so you can't do both at the same time.
> You might get it working with Linux and wpasupplicant.
> > What has been troublesome for me is this last step, to lock the AD
> > authentication to the same user declared on the certificate. It seems to
> > that the RADIUS server would be able to reject this kind of abuse, though
> > it might not be the way it is supposed to work.
> You could probably do this in the check-eap-tls virtual server in
> v3. But only if you got a client certificate.
> > right now is on a Debian server with freeradius 2.2.5, but we expect to
> > it in production on a pfSense firewall (I should confirm soon which
> Version 2 is obsolete. Don't use it for new deployments. Start
> with the latest version of 3.0.
> Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>