PEAP + EAP-TLS: client certificates

Vieri rentorbuy at yahoo.com
Thu Oct 22 13:54:45 CEST 2009


Hi,

Sorry for the trivial questions but here I go:

I think I configured freeradius correctly for EAP-TLS and for PEAP with MS-CHAP, which authenticates using the ntlm_auth helper application.

If I try to connect from a Windows client via a wireless AP "WIFIAP1" with Active Directory "user1" I see this in the log:

Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/<via Auth-Type = EAP>] (from client WIFIAP1 port 0 via TLS tunnel)
Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/<via Auth-Type = EAP>] (from client WIFIAP1 port 48 cli 001a73f7f0f7)

Dumb question: does this mean the client used PEAP to connect? Can I deduce this from "Auth-Type = EAP" and from "via TLS tunnel"?

If connected via PEAP, authentication is "secure". However, I'd like to know if the data exchanged between the clients and the rest of the LAN via the Access Point is also encrypted and "cannot be sniffed". Does this "data encryption" depend only on the AP's encryption settings (e.g. AES), and does FreeRadius get out of this equation after authentication?

If I install a self-signed certificate on another Windows client and connect via EAP-TLS then I can connect without having to use an Active Directory user, as expected.

I'm wondering if I can *require* both a certificate on the client machine AND an AD user authentication. In other words, how can I *require* PEAP-EAP-TLS? (currently, my freeradius configuration seems to require PEAP OR EAP-TLS)

Freeradius version: 2.0.5

Thanks,

Vieri
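An added example, not part of the original post: a small Python parser for FreeRADIUS 2.x "Auth: Login OK" lines like the two quoted above. FreeRADIUS appends "via TLS tunnel" to requests handled in the inner-tunnel virtual server (the inner authentication of PEAP or EAP-TTLS), so pairing an inner line with the outer success line for the same user and NAS tells you whether a login was tunnelled or a plain outer EAP method such as EAP-TLS. The third log line and the client name "host-cert-pc" are constructed for the example.

```python
import re
from collections import defaultdict

# FreeRADIUS 2.x "Login OK" format: optional "cli <MAC>" and optional "via TLS tunnel".
AUTH_OK = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : Auth: Login OK: "
    r"\[(?P<user>[^/\]]+)/(?P<how><[^>]*>|[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<mac>[0-9a-fA-F]{12}))?"
    r"(?P<tunnel> via TLS tunnel)?\)$"
)

# Sample input: the two lines from the post plus one constructed EAP-TLS login.
SAMPLE_LOG = [
    "Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/<via Auth-Type = EAP>] (from client WIFIAP1 port 0 via TLS tunnel)",
    "Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/<via Auth-Type = EAP>] (from client WIFIAP1 port 48 cli 001a73f7f0f7)",
    "Thu Oct 22 10:07:12 2009 : Auth: Login OK: [host-cert-pc/<via Auth-Type = EAP>] (from client WIFIAP1 port 49 cli 001a73f7f0f8)",
]

def parse_login_ok(line):
    """Return a dict for a Login OK line, or None if the line does not match."""
    m = AUTH_OK.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": d["ts"], "user": d["user"], "client": d["client"],
            "port": int(d["port"]), "mac": d["mac"],
            "tunneled": d["tunnel"] is not None}

def classify_sessions(lines):
    """Group successes per (user, NAS) and say whether the login was tunnelled."""
    by_key = defaultdict(list)
    for line in lines:
        rec = parse_login_ok(line)
        if rec:
            by_key[(rec["user"], rec["client"])].append(rec)
    result = {}
    for key, recs in by_key.items():
        inner = any(r["tunneled"] for r in recs)
        outer = [r for r in recs if not r["tunneled"]]
        if inner and outer:
            method = "tunneled EAP (PEAP or TTLS)"
        elif outer:
            method = "non-tunneled EAP (e.g. EAP-TLS)"
        else:
            method = "inner auth only, no outer success seen"
        # The client MAC is only present on the outer (NAS-facing) line.
        mac = next((r["mac"] for r in outer if r["mac"]), None)
        result[key] = {"method": method, "mac": mac}
    return result

if __name__ == "__main__":
    for (user, nas), info in classify_sessions(SAMPLE_LOG).items():
        print(f"{user}@{nas}: {info['method']} mac={info['mac']}")
```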
