On Dec 24, 2015, at 9:01 PM, Lukas Haase <lukashaase@gmx.at> wrote:
For my private network I would like to use 802.1X (managed switch) and WPA2 Enterprise via freeradius. I want to allow (1) username/password login with LDAP backend without installing any software/certificates on the clients
That doesn't work. You need a CA cert installed on the laptops / end machines.
and (2) machine-level authentication by installing a simple certificate on the client.
Windows can do machine-level authentication, by automatically provisioning the certificates. For every other system, there is no "machine auth". There are only user accounts, and user credentials.
Both methods should work with as many clients (Windows, Android, iOS, ...) as possible.
See above. The system-specific limitations are very limiting.
I assume for (1) PEAP-MSCHAPv2 with LDAP is good. Got this working now.
You need to add / enable a CA for the 802.1X authentication. Disabling server certificate verification "works", for various insecure definitions of "works".
I assume for (2) EAP-TLS is good. Is this true so far?
You can't do both on the same machine in the same account.
Now I am confused regarding certificates.
For (1) I set the certificates in "tls" section of "eap" (since PEAP is based on TLS). Since I do not want to install any certificates on the clients, I would use a certificate officially signed by a CA trusted by the client (e.g. StartSSL, LetsEncrypt, VeriSign, ...).
That is not recommended. You should use a self-signed CA.
But what to choose an CN? Anything else to consider when creating the certificate?
Use the certificate creation scripts distributed with the server.
Now the problem for (2) is that I need an own CA. I would assume the configuration for EAP-TLS goes into the "tls" section under "eap" but as written above this is already taken by PEAP!
While you can put two CA certificates into the raddb/certs directory... you *can't* use two different 802.1X configurations for the same machine. Even on Windows.
Can't be so difficult ... how to implement this scenario appropriately?
It's impossible. You can only have one 802.1X configuration per end user account.
PS: I use freeradius 2.1.12 in Debian stable.
Ugh. Install 2.2.9. It's really not hard. Using a 5 year-old version of the server is depressing. Alan DeKok.