On Dec 26, 2015, at 12:45 PM, Lukas Haase <lukashaase@gmx.at> wrote:
This is not what I want anyway. Once again the intended setup:
1.) Client presents a certificate signed by the CA -> authentication should succeed ("machine authentication").
No. That is not "machine authentication". Machine authentication is where a Windows system uses credentials provisioned by Active Directory to do 802.1X. When that happens, the user does *not* provide any credentials.
(I thought this would best be done via EAP-TLS but not sure)
The TLS-based EAP methods are EAP-TLS, PEAP, and TTLS.
2.) If the client does NOT have a client certificate signed by the CA installed it should query for username/password ("user authentication") exactly as in my current setup. Authentication should succeed via PEAP-MSCHAPv2 if correct credentials are presented.
That's PEAP. Mostly. You can configure an end system to do 802.1X. It has a preferred EAP method, which it uses for authentication. i.e. it uses *one* EAP method. What you're talking about amounts to this: 1) some systems have client certificates. These systems are configured to do EAP-TLS. 2) some systems don't have client certificates. These systems are configured to do PEAP-MSCHAPv2. That's it. Alan DeKok.