Question / Best EAP concept to use for machine & user auth combined
Hey guys Are there any recommendations from this group on what type of EAP we should use / implement with FreeRADIUS 3.2 to achieve this: 1. authenticate the machine first with a flavor of EAP 2. authenticate the user with a flavor of EAP, BUT onlxy if the corresponding machine was successfullly authenticated first? Let's say we want to get sure, that only corporate devices with corporate users get on an SSID. I know there is the concept of TEAP and EAP chaining (I think of it as a Cisco proprietary protocol), but is there a best practice way to do this on FreeRADIUS for different kind of end devices (eg. Mixcrosoft, macOS, and so on)? Thanks in advance Dominic Gesendet von Outlook für iOS<https://aka.ms/o0ukef>
dominic.stalder@unibe.ch <dominic.stalder@unibe.ch> wrote:
I know there is the concept of TEAP and EAP chaining (I think of it as a Cisco proprietary protocol), but is there a best practice way to do this on FreeRADIUS for different kind of end devices (eg. Mixcrosoft, macOS, and so on)?
Nope. Not with the default supplicants supplied by commodity operating systems. Microsoft is supporting chained auth going forward, and wpa_supplicant must also by now, but it will be lobotomized by a configurator on Android, and nobody can tell Apple what to do so they never do anything useful.
Hi Brian Thanks for your informative answer; unfortunately, what I expected. I will try to find out, what the internal "customer" needs. Regards Dominic Am 17.09.24, 20:17 schrieb "Freeradius-Users im Auftrag von Brian Julin" <freeradius-users-bounces+dominic.stalder=unibe.ch@lists.freeradius.org <mailto:unibe.ch@lists.freeradius.org> im Auftrag von BJulin@clarku.edu <mailto:BJulin@clarku.edu>>: dominic.stalder@unibe.ch <mailto:dominic.stalder@unibe.ch> <dominic.stalder@unibe.ch <mailto:dominic.stalder@unibe.ch>> wrote:
I know there is the concept of TEAP and EAP chaining (I think of it as a Cisco proprietary protocol), but is there a best practice way to do this on FreeRADIUS for different kind of end devices (eg. Mixcrosoft, macOS, and so on)?
Nope. Not with the default supplicants supplied by commodity operating systems. Microsoft is supporting chained auth going forward, and wpa_supplicant must also by now, but it will be lobotomized by a configurator on Android, and nobody can tell Apple what to do so they never do anything useful. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>
participants (2)
-
Brian Julin -
dominic.stalder@unibe.ch