On Wed, Mar 18, 2015 at 08:35:36PM -0400, Arran Cudbard-Bell wrote:
On 18 Mar 2015, at 12:16, Jim Shi <hanmao_shi@apple.com> wrote: Actually we would like to have PEAP + MSCHAP + client certificate validation,
Looks PEAP + MSCHAP is working, we just want to additional client certificate validation. ...
Apparently, according to the interwebs. I personally have never tested it.
I played around with this a long time ago when I was hacking on the TLS code. I think it will be hard finding a supplicant that actually supports it - it might be possible to configure wpa-supplicant to send a client cert with PEAP. Generally you have two options - client cert auth, or username/password auth. Trying to do both together seems practically impossible. (We wanted to for staff laptops to verify both the machine and the user - in the end settled on EAP-TLS to get onto the network, then user has to log into the domain, which was about as good as we could get.) Thanks, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>