two factor authentication mschapv2 and eat-tls
Hello, Is it possible to setup two factor authentication with use mschav2 and eap-tls? My concept is: first step is use eap-tls to check if user have valid certificate if yes then next should appear prompt with user and password(mschapv2) where check data from Active Directory server. User should get access only in case when all two steps will success . Is it possible to do with freeradius 3.x?
Fairly confident that is impossible. Ryan Turner Manager of Network Operations, ITS The University of North Carolina at Chapel Hill +1 919 274 7926 Mobile +1 919 445 0113 Office
On Sep 11, 2016, at 3:02 AM, stefan nowak <pionartest@gmail.com> wrote:
Hello,
Is it possible to setup two factor authentication with use mschav2 and eap-tls?
My concept is: first step is use eap-tls to check if user have valid certificate if yes then next should appear prompt with user and password(mschapv2) where check data from Active Directory server. User should get access only in case when all two steps will success .
Is it possible to do with freeradius 3.x? - List info/subscribe/unsubscribe? See https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fwww.freeradi...
On Sep 11, 2016, at 2:59 AM, stefan nowak <pionartest@gmail.com> wrote:
Is it possible to setup two factor authentication with use mschav2 and eap-tls?
That's called PEAP.
My concept is: first step is use eap-tls to check if user have valid certificate if yes then next should appear prompt with user and password(mschapv2) where check data from Active Directory server. User should get access only in case when all two steps will success .
Is it possible to do with freeradius 3.x?
Is it possible with Windows? No? Then it's impossible. Even if it was possible with FreeRADIUS, nothing else in the network will support this authentication mechanism. Alan DeKok.
On 11 Sep 2016, at 09:42, Alan DeKok <aland@deployingradius.com> wrote:
On Sep 11, 2016, at 2:59 AM, stefan nowak <pionartest@gmail.com> wrote:
Is it possible to setup two factor authentication with use mschav2 and eap-tls?
That's called PEAP.
My concept is: first step is use eap-tls to check if user have valid certificate if yes then next should appear prompt with user and password(mschapv2) where check data from Active Directory server. User should get access only in case when all two steps will success .
Is it possible to do with freeradius 3.x?
For clarification, it is technically possible. Any Linux or Android device will be able to perform 2FA with the first factor being a client certificate and the second factor being a password or OTP token. Unfortunately Windows supplicants don't support it. We request a certificate in the TLS session setup, and Windows just gets confused (tried it before). -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
stefan nowak -
Turner, Ryan H