On 11 Sep 2016, at 09:42, Alan DeKok <aland@deployingradius.com> wrote:
On Sep 11, 2016, at 2:59 AM, stefan nowak <pionartest@gmail.com> wrote:
Is it possible to setup two factor authentication with use mschav2 and eap-tls?
That's called PEAP.
My concept is: first step is use eap-tls to check if user have valid certificate if yes then next should appear prompt with user and password(mschapv2) where check data from Active Directory server. User should get access only in case when all two steps will success .
Is it possible to do with freeradius 3.x?
For clarification, it is technically possible. Any Linux or Android device will be able to perform 2FA with the first factor being a client certificate and the second factor being a password or OTP token. Unfortunately Windows supplicants don't support it. We request a certificate in the TLS session setup, and Windows just gets confused (tried it before). -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2