Authenticate with both Certificate and password
Hello, I have a freeradius server running for several realms and this works all very nice. I can do both user-name / password authentication from the users file. I can do user-name / password authentication with MS-Chapv2 from OpenLDAP. I can do certificate based authentication with a certificate signed by the same CA and the radius servers. But now I want to have something special in one realm, in this one realm I want to do a combination for certificate authentication and MsChapv2 authentication. This to make sure the user has a valid certificate and also knows a valid user-name / password. Is this possible to configure in FreeRadius? Is this possible in the variety of of WPA-Supplicants used (Apple, Linux and Windows) Is it possible to do this in just one realm? If this is possible, could someone point me to some documentations that describes this setup? Thanks a lot, Jan Hugo Prins
On Jun 6, 2016, at 8:52 AM, jan hugo prins <jhp@jhprins.org> wrote:
But now I want to have something special in one realm, in this one realm I want to do a combination for certificate authentication and MsChapv2 authentication. This to make sure the user has a valid certificate and also knows a valid user-name / password.
Is this possible to configure in FreeRadius?
Yes. But you also need to configure it on the client. Give the client a certificate. Configure the client to do TTLS. It will work. It *won't* work on older versions of Windows. This is because they don't do TTLS. They only do PEAP, and they disallow client certificates for PEAP.
Is this possible in the variety of of WPA-Supplicants used (Apple, Linux and Windows) Is it possible to do this in just one realm?
If this is possible, could someone point me to some documentations that describes this setup?
You've already got 99% of it working. Just configure the client, and it will work. Alan DeKok.
Hi,
But now I want to have something special in one realm, in this one realm I want to do a combination for certificate authentication and MsChapv2 authentication. This to make sure the user has a valid certificate and also knows a valid user-name / password.
Is this possible to configure in FreeRadius? Yes. But you also need to configure it on the client.
Give the client a certificate. Configure the client to do TTLS. It will work.
It *won't* work on older versions of Windows. This is because they don't do TTLS. They only do PEAP, and they disallow client certificates for PEAP. I have een looking on my Linux workstation and so far I only found the option to put certificates in the TLS config, and in the TLS config I can't include username / password credentials. I'm going to try what happens if I modify the config files manually to include certificates besides Username / Password credentials.
Is this possible in the variety of of WPA-Supplicants used (Apple, Linux and Windows) Is it possible to do this in just one realm?
If this is possible, could someone point me to some documentations that describes this setup? You've already got 99% of it working. Just configure the client, and it will work.
Ok, that sounds really good, but then my second question: How do I force the client to use this kind of authentication. Because a the moment both Cert and username / password work, so no one is forcing to client to do both. Server-side, I have to make sure that arriving with just one of the 2 methods is not enough. Jan Hugo
On Jun 8, 2016, at 6:16 AM, jan hugo prins <jhp@jhprins.org> wrote:
Ok, that sounds really good, but then my second question: How do I force the client to use this kind of authentication.
See the client documentation. There are literally hundreds of possible clients, each of which has hundreds of possible versions. We just can't know everything about all of them. Alan DeKok.
What I mean is, how do I force it on the Radius server that you can only authenticate using a combination of both certificate and username / password. I understand that the client configuration is out of the scope of this mailinglist. Jan Hugo Prins On 06/08/2016 04:16 PM, Alan DeKok wrote:
On Jun 8, 2016, at 6:16 AM, jan hugo prins <jhp@jhprins.org> wrote:
Ok, that sounds really good, but then my second question: How do I force the client to use this kind of authentication. See the client documentation. There are literally hundreds of possible clients, each of which has hundreds of possible versions. We just can't know everything about all of them.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jun 9, 2016, at 8:03 AM, jan hugo prins <jhp@jhprins.org> wrote:
What I mean is, how do I force it on the Radius server that you can only authenticate using a combination of both certificate and username / password.
You deny EAP-TLS, which is the only EAP method with certificates, but no password. if ((User-Name == "bob") && (EAP-Type == EAP-TLS)) { reject }
Hi,
What I mean is, how do I force it on the Radius server that you can only authenticate using a combination of both certificate and username / password. I understand that the client configuration is out of the scope of this mailinglist.
with great difficulty..... you have to ensure that you deny any other methods... as a RADIUS server cannot force a client to do anything...the client decides what its going to do..and if it tries plain PEAP and you allow that then it will work. alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
jan hugo prins