Freeradius authentication with SSL client certificates
Hi people, I wanto to implement a Freeradius authentication scheme, using server and client SSL certificates: every client that require WiFI access has to have a valid SSL certificate. I think I have to use: Authetication methos: EAP-TLS Authentication protocol with NTLM: MSCHAP or MSCHAPv2 My clients are Windows, Linux and maybe Android. Is my proposal correct ? Thanking in advance. Tommy
On Nov 26, 2018, at 3:06 PM, Tom Yard <tomyyard@gmail.com> wrote:
Hi people, I wanto to implement a Freeradius authentication scheme, using server and client SSL certificates: every client that require WiFI access has to have a valid SSL certificate.
I think I have to use:
Authetication methos: EAP-TLS Authentication protocol with NTLM: MSCHAP or MSCHAPv2
My clients are Windows, Linux and maybe Android.
Is my proposal correct ?
EAP-TLS can't carry and inner method, so not really. You can use EAP-TTLS with a client cert (so it behaves like EAP-TLS), and then run EAP-MSCHAPv2 as the inner method to do NTLM. -Arran
On Mon, 2018-11-26 at 12:06 -0300, Tom Yard wrote:
Hi people, I wanto to implement a Freeradius authentication scheme, using server and client SSL certificates: every client that require WiFI access has to have a valid SSL certificate.
If this is the _only_ requirement (i.e. that the client needs a cert to authenticate) then you just need EAP-TLS. -- Matthew
For wifi authentication, only two method are usable, 1. EAP-TTLS( an extension of EAP), which requires Certs installed on each terminal( PC, Andriod, etc). 2. EAP-mschapv2( sometimes called PEAP-MSCHAPV2). Both of them are running inner layer of EAP, an alias is PEAP. Correct me if I am wrong. On Tue, Nov 27, 2018 at 1:21 AM Matthew Newton <mcn@freeradius.org> wrote:
On Mon, 2018-11-26 at 12:06 -0300, Tom Yard wrote:
Hi people, I wanto to implement a Freeradius authentication scheme, using server and client SSL certificates: every client that require WiFI access has to have a valid SSL certificate.
If this is the _only_ requirement (i.e. that the client needs a cert to authenticate) then you just need EAP-TLS.
-- Matthew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Nov 26, 2018, at 7:23 PM, luckydog xf <luckydogxf@gmail.com> wrote:
For wifi authentication, only two method are usable,
No.
1. EAP-TTLS( an extension of EAP), which requires Certs installed on each terminal( PC, Andriod, etc). 2. EAP-mschapv2( sometimes called PEAP-MSCHAPV2).
No. EAP-MSCHAPv2 is not PEAP. PEAP is an EAP method that uses TLS *and* EAP-MSCHAPv2.
Both of them are running inner layer of EAP, an alias is PEAP.
No.
Correct me if I am wrong.
Most of that was wrong. There is documentation on Wikipedia that describes EAP, and the various EAP methods. It should help clarify this. Alan DeKok.
participants (5)
-
Alan DeKok -
Arran Cudbard-Bell -
luckydog xf -
Matthew Newton -
Tom Yard