On Dec 26, 2015, at 1:03 PM, Lukas Haase <lukashaase@gmx.at> wrote:
I think parts of our conversation move towards a non-productive direction; probably because I am using different terminology (e.g. "machine authentication") due to my unfamiliarity with the topic.
The solution is to *not* use terminology you're unfamiliar with. Use simple terminology. Which helps to keep your questions clear. The alternative is to ask questions using the wrong terminology, which is unhelpful and confusing.
Before going ahead let me once again describe the setup I want:
1.) Client presents a certificate signed by the CA -> authentication should succeed ("machine authentication").
Stop calling it "machine authentication". Part of becoming familiar with the topic is that you *don't* use the wrong terminology. Get the idea of "machine authentication" out of your head. Just stop it. It's unhelpful, confusing, and wastes everyones time.
(I thought this would best be done via EAP-TLS but not sure)
I've explained this repeatedly. How can you be "not sure"? What part of my explanations are unclear?
2.) If the client does NOT have a client certificate signed by the CA installed it should query for username/password ("user authentication")
No. Stop using wrong terminology. It's unhelpful. Stop talking about "user authentication". There is nothing in EAP which distinguishes "user" from "machine" authentication. It's all just "authentication".
exactly as in my current setup. Authentication should succeed via PEAP-MSCHAPv2 if correct credentials are presented.
OK...
For (1) I do NOT want machine accounts in AD/Samba etc - just presenting the correct client certificate should be enough. This should work with Windows clients as well as Android clients.
Please read my messages. What I said is: What you're talking about amounts to this: 1) some systems have client certificates. These systems are configured to do EAP-TLS. 2) some systems don't have client certificates. These systems are configured to do PEAP-MSCHAPv2. That's it. Is there any part of those two choices which are unclear? Alan DeKok.