mutual certificate authentication combined with 2nd factor inner authentication
Due to a limitation also described in 2006 by Matt Brown http://www.mattb.net.nz/blog/2006/09/22/requiring-client-certificates-fo r-eap-ttls-with-freeradius/ we are not able to use - mutual certificate authentication between the server and the client in EAP-TTLS - in combination with a second factor using inner authentication eg. EAP-OTP/MSCHAP etc... According to a suggestion by Matt Brown (link above) a slight change would correct this. Was this suggestion ever communicated to the freeradius project ? We also plan to use the described combination and would prefer, when that slight change could be integrated rather than doing a patch. Hartwig ve
Essen, Hartwig von wrote:
Due to a limitation also described in 2006 by Matt Brown http://www.mattb.net.nz/blog/2006/09/22/requiring-client-certificates-fo r-eap-ttls-with-freeradius/
I don't think that patch was necessary even at the time. That functionality was in the server over a year earlier.
we are not able to use - mutual certificate authentication between the server and the client in EAP-TTLS - in combination with a second factor using inner authentication eg. EAP-OTP/MSCHAP etc... According to a suggestion by Matt Brown (link above) a slight change would correct this.
Or, do: authorize { ... if (User-Name == "foo") { update control { EAP-TLS-Require-Client-Cert = Yes } } ... eap ... } Alan DeKok.
participants (2)
-
Alan DeKok -
Essen, Hartwig von