Hi all, I have just one question about client certificats with EAP-TTLS or EAP-PEAP. I would like use certificats client with authentication MSCHAPv2 it's possible ? It's possible to use client certificats for create TLS tunel and use mschapv2 auth inside ? In my test the authentication is MSCHAPv2 or client certificat but not both in same time . Thx. Vincent
On 15/12/11 14:29, Vincent Guardiola wrote:
Hi all,
I have just one question about client certificats with EAP-TTLS or EAP-PEAP.
I would like use certificats client with authentication MSCHAPv2 it's possible ?
Yes. This is documented in the "eap.conf": # You can make PEAP require a client cert by setting # # EAP-TLS-Require-Client-Cert = Yes # # in the control items for a request. In the *outer* tunnel, do this: authorize { ... update control { EAP-TLS-Require-Client-Cert = Yes } ... eap } I know it says EAP-TLS; ignore that. It will make the PEAP client send a client cert.
Humm yes, but with this i can use mschapv2 for authenticate or my authentification will be used by client certificat ? 2011/12/15 Phil Mayers <p.mayers@imperial.ac.uk>
On 15/12/11 14:29, Vincent Guardiola wrote:
Hi all,
I have just one question about client certificats with EAP-TTLS or EAP-PEAP.
I would like use certificats client with authentication MSCHAPv2 it's possible ?
Yes. This is documented in the "eap.conf":
# You can make PEAP require a client cert by setting # # EAP-TLS-Require-Client-Cert = Yes # # in the control items for a request.
In the *outer* tunnel, do this:
authorize { ... update control { EAP-TLS-Require-Client-Cert = Yes } ... eap }
I know it says EAP-TLS; ignore that. It will make the PEAP client send a client cert. - List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
Ok I will try this :), I don't use inner-tunnel file it's required or not ?, I just use file sites-enable/default 2011/12/15 Phil Mayers <p.mayers@imperial.ac.uk>
On 15/12/11 15:12, Vincent Guardiola wrote:
Humm yes, but with this i can use mschapv2 for authenticate or my
Yes.
authentification will be used by client certificat ?
No.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
On 15/12/11 16:14, Vincent Guardiola wrote:
Ok I will try this :),
I don't use inner-tunnel file it's required or not ?, I just use file sites-enable/default
Not sure. Try it. I would always advise using inner-tunnel; it makes a lot of logical sense to have the PEAP inner processed separately.
Vincent Guardiola wrote:
Ok I will try this :),
I don't use inner-tunnel file it's required or not ?, I just use file sites-enable/default
Please read the documentation and examples that come with the server. It's MUCH nicer than asking questions which are already answered. Alan DeKok.
Hi, I've read documentation and not found responses for my problem. I wonder if I correctly explain my request I would like to use a cllient certificats and mschapV2 in the same authentification in PEAP or TTLS Use client certificats for create TLS tunel and after use mschapv2 for authenticate the user It's possible with freeradius or not ? Thx 2011/12/16 Alan DeKok <aland@deployingradius.com>
Vincent Guardiola wrote:
Ok I will try this :),
I don't use inner-tunnel file it's required or not ?, I just use file sites-enable/default
Please read the documentation and examples that come with the server. It's MUCH nicer than asking questions which are already answered.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Vincent Guardiola wrote:
I've read documentation and not found responses for my problem.
It is documented.
I wonder if I correctly explain my request
I would like to use a cllient certificats and mschapV2 in the same authentification in PEAP or TTLS Use client certificats for create TLS tunel and after use mschapv2 for authenticate the user It's possible with freeradius or not ?
Yes. Read eap.conf. This is documented. Alan DeKok.
Ok, I don't understand why my config doens"t work or maybe i've erroe on my client, this my conf : eap.conf eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 md5 { } leap { } gtc { auth_type = PAP } ..... ..... peap { default_eap_type = mschapv2 virtual_server = "inner-tunnel" use_tunneled_reply = no copy_request_to_tunnel = no } sites-enable/default authorize { preprocess update control { EAP-TLS-Require-Client-Cert = Yes } eap { ok = return } } authenticate { } Auth-Type MS-CHAP { mschap } eap } sites-enable/inner-tunel authorize { eap { ok = return } } authenticate { Auth-Type MS-CHAP { mschap } eap } Thx. 2011/12/20 Alan DeKok <aland@deployingradius.com>
Vincent Guardiola wrote:
I've read documentation and not found responses for my problem.
It is documented.
I wonder if I correctly explain my request
I would like to use a cllient certificats and mschapV2 in the same authentification in PEAP or TTLS Use client certificats for create TLS tunel and after use mschapv2 for authenticate the user It's possible with freeradius or not ?
Yes. Read eap.conf. This is documented.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Vincent Guardiola wrote:
Ok, I don't understand why my config doens"t work or maybe i've erroe on my client, this my conf :
You've butchered the configuration. Why? The default configuration works. Use it. Then, read the default eap.conf, which contains documentation describing how to use client certificates with TTLS and PEAP. Alan DeKok.
participants (3)
-
Alan DeKok -
Phil Mayers -
Vincent Guardiola