That's with EAP-TLS as the inner to EAP-PEAP, which we know works. You don't have a second factor at that point though because the client cert is only via the inner. In the case that EAP-MS-CHAPv2 is the inner, you can't use a client cert. On Sat, Dec 26, 2015 at 10:20 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 26, 2015, at 5:02 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
Has someone actually tried requiring a peer certificate and seeing what the Windows supplicant does?
Fails to authenticate as soon as you require a client cert. Tried a while ago; would have been quite nice.
You should be able to add a client cert on the Windows side, and still do PEAP.
Last I tried it worked. Tho that was probably 8 years ago...
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html