On Tue, Apr 18, 2006 at 01:07:10PM -0400, Alan DeKok wrote: i have a similar situation i want to use "two factor authentication" - one certificate (not exportable) installed by Office Automation Deparment - active directory login/passwd so if you do not have the certificate, you are not allowed to log in althought you know a valid AD login/pass and you are not allowed to log in only with a valid certificate, you must need a valid AD login/pass i have configured eap-peap and i have added the DEFAULT EAP-TLS-Require-Client-Cert := Yes in the users file but i do not know how to force windows 2000 and windows xp to send the client certificate during a peap authentication, maybe a regedit change ... i know that it is not a "radius" problem, but i would be very pleasant if someone can help me how to do it if i find the solution i will share it to the list members best regards alfonso
Walter Reynolds <waltr@umich.edu> wrote:
What I am trying to figure out is a way to not only have a certificate, but a secondary way to verify that that certificate is being used by a person we allow.
Passwords.
Is this something that can be done? Has anyone run into a similar problem and what did they do? I know we could go TTLS and not have a machine cert, but then we get fears of man-in-the-middle.
I would suggest a self-signed server cert, and a client certificate. You can use EAP-TLS-Require-Client-Cert to force a particular session to require a client cert. This works for TTLS, too.
The server will then verify that the client cert is signed by the cert it has, which should prevent man in the middle attacks.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html