EAP-TLS + username/password
Hello,I currently have a freeradius setup where the client authenticates using username/password. My goal is to authenticate the user using a client certificate (using EAP-TLS), however, I would still like to maintain the username/password authentication. Preferably the flow would be something like this:1.User authenticates to radius_server_1 using EAP_TLS2.radius_server_1 after authenticating the client (and only if authentication is sucessful) forwards a request to radius_server_2 with the client username/password3.radius_server_2 authenticates clientSo only if both radius_server_1 and radius_server_2 authenticate the client is the client granted access.The flow doesn't necessarily need to be like the one above, I am open to suggestions, I'm not really sure what is possible and what isn't and would like to know my options.
João Alves wrote:
I currently have a freeradius setup where the client authenticates using username/password. My goal is to authenticate the user using a client certificate (using EAP-TLS),
Which doesn't use passwords.
however, I would still like to maintain the username/password authentication.
And is therefore impossible.
Preferably the flow would be something like this:
1.User authenticates to radius_server_1 using EAP_TLS 2.radius_server_1 after authenticating the client (and only if authentication is sucessful) forwards a request to radius_server_2 with the client username/password 3.radius_server_2 authenticates client
So only if both radius_server_1 and radius_server_2 authenticate the client is the client granted access.
What you're describing is EAP-TTLS with client certificates. That is possible. Alan DeKok.
participants (2)
-
Alan DeKok -
João Alves