Thank you both very much for your recommendations. I'm building a new lab on CentOS 7 (for now) and I'm pretty optimistic on this. Att, *Renato Zipper * <http://www.mt4.com.br/> 2016-09-26 11:38 GMT-03:00 Matthew Newton <mcn4@leicester.ac.uk>:
On Mon, Sep 26, 2016 at 11:16:08AM -0300, Renato Rodrigues via Freeradius-Users wrote:
We have a mixed environment with Linux and Windows 7 client machines and I ... (and I believe I'll succeed soon). I believe I'm close to replicating this behavior over PEAP, which would add the MSCHAPv2 authentication after the TLS validation, however this is not the full functionality that we desire.
The Windows supplicant refuses to send a client certificate with PEAP, so you can't do both at the same time.
You might get it working with Linux and wpasupplicant.
What has been troublesome for me is this last step, to lock the AD authentication to the same user declared on the certificate. It seems to me that the RADIUS server would be able to reject this kind of abuse, though it might not be the way it is supposed to work.
You could probably do this in the check-eap-tls virtual server in v3. But only if you got a client certificate.
right now is on a Debian server with freeradius 2.2.5, but we expect to put it in production on a pfSense firewall (I should confirm soon which version
Version 2 is obsolete. Don't use it for new deployments. Start with the latest version of 3.0.
Matthew
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>