Two factor authentication
hi i am trying to configure freeradius to authenticate wireless users. i would like to use a two-factor authentication. - all pcs that want to connect to the wireless network need a certificate signed by CA - users must authenticate with their user/pass active directory i am not sure how to do it rasdius.conf authorize { eap } authenticate { Auth-Type MS-CHAP { mschap } } eap.conf tls { private_key_password = password private_key_file = /cert/cert-srv.pem CA_file = /CA/ca-cert.pem dh_file= /dev/urandom } best regards alfonso
alfonso.lazaro@eresmas.com wrote:
i would like to use a two-factor authentication. - all pcs that want to connect to the wireless network need a certificate signed by CA - users must authenticate with their user/pass active directory
I don't think that will work. From what I understand of Microsoft's Windows implementation, the machine accounts must use the same authentication method as user login. So you can use PEAP for both, but not EAP-TLS for one, and PEAP for the other.
i am not sure how to do it
Most of the configuration is on the Windows box, not on FreeRADIUS. Get PEAP set up and configure the Windows box to use PEAP. It should then work. Alan DeKok.
Alan DeKok wrote:
alfonso.lazaro@eresmas.com wrote:
i would like to use a two-factor authentication. - all pcs that want to connect to the wireless network need a certificate signed by CA - users must authenticate with their user/pass active directory
I don't think that will work. From what I understand of Microsoft's Windows implementation, the machine accounts must use the same authentication method as user login. So you can use PEAP for both, but not EAP-TLS for one, and PEAP for the other.
i am not sure how to do it
Most of the configuration is on the Windows box, not on FreeRADIUS.
Get PEAP set up and configure the Windows box to use PEAP. It should then work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I think that what alfonso need is to use both authentication in order to be authenticated. That is to say to have EAP_TLS to open the connection and then to enter login and password for AD or something like that... JF SURET
On Mon, Mar 27, 2006 at 10:01:56PM +0200, jf wrote: i need both authentication, i need the certificate and wrong user/pass yesterday i was reading several mails from this list and i think i found some answer to my question i am going to try to use peap over tls authentication and i am going to force client certificate authentication radius.cfg DEFAULT EAP-TLS-Require-Client-Cert:=Yes i will send you my experience alfonso
alfonso.lazaro@eresmas.com wrote:
i would like to use a two-factor authentication. - all pcs that want to connect to the wireless network need a certificate signed by CA - users must authenticate with their user/pass active directory
I don't think that will work. From what I understand of Microsoft's Windows implementation, the machine accounts must use the same authentication method as user login. So you can use PEAP for both, but not EAP-TLS for one, and PEAP for the other.
i am not sure how to do it
Most of the configuration is on the Windows box, not on FreeRADIUS.
Get PEAP set up and configure the Windows box to use PEAP. It should then work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I think that what alfonso need is to use both authentication in order to be authenticated.
That is to say to have EAP_TLS to open the connection and then to enter login and password for AD or something like that...
JF SURET - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
alfonso.lazaro@eresmas.com -
jf