Can you use TLS and Request users authentication as well

Walter Reynolds waltr at
Tue Apr 18 15:56:43 CEST 2006


What I am trying to figure out is a way to not only have a certificate, 
but a secondary way to verify that that certificate is being used by a 
person we allow.  If we put cert onto a machine, we have authenticated 
that the cert was trusted.  The problem is coming from a university, we do 
not have a way to control a users machine.  So a user could take that 
certificate and put it onto a friends machine.  This friend may not be 
affiliated and should not have access.  So I would like to use the cert as 
machine authentication and then follow up with another (username/pass) 
using the KRB module.

Is this something that can be done?  Has anyone run into a similar problem 
and what did they do?  I know we could go TTLS and not have a machine 
cert, but then we get fears of man-in-the-middle.


-- Walter Reynolds
    University of Michigan

More information about the Freeradius-Users mailing list