On Sep 26, 2016, at 10:16 AM, Renato Rodrigues via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
We have a mixed environment with Linux and Windows 7 client machines and I have successfully configured freeradius to authenticate to our AD server, through both PEAP and EAP-TLS. Over EAP-TLS the client certificate is being verified against the CA and on the CN against the declared EAP username. I am still working on encrypting the client certificate with personal passwords on each supplicant machine (and I believe I'll succeed soon). I believe I'm close to replicating this behavior over PEAP, which would add the MSCHAPv2 authentication after the TLS validation, however this is not the full functionality that we desire.
Windows will not do PEAP with client certificates and MS-CHAPv2.
The idea is to have individual certificates for each user, encrypted with a personal password. The certificates being signed by the server CA with usernames as CNs, which we are already able to check thanks to the great templates available, and as the second step we'd like to have the user authenticated (under the encrypted TLS connection) with MSCHAP against our Active Directory. The current challenge is to lock the tunneled authentication to the same username of the certificate step.
You can check the inner-tunnel User-Name against the outer user-name, and against the outer certificate identity. See TLS-Cert-Subject-Alt-Name-Email in raddb/sites-available/default.
What has been troublesome for me is this last step, to lock the AD authentication to the same user declared on the certificate. It seems to me that the RADIUS server would be able to reject this kind of abuse, though it might not be the way it is supposed to work. I couldn't find the right documentation on how to do it, so anything close to it can help me. Our lab right now is on a Debian server with freeradius 2.2.5,
Upgrade to version 3. It will be a LOT easier to configure. I have no idea why Debian insists on shipping versions of FreeRADIUS that are *years* out of date. Alan DeKok.