PEAP + EAP-TLS: client certificates

Ivan Kalik tnt at kalik.net
Thu Oct 22 14:23:23 CEST 2009


> If I try to connect from a Windows client via a wireless AP "WIFIAP1" with
> Active Directory "user1" I see this in the log:
>
> Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/<via Auth-Type = EAP>]
> (from client WIFIAP1 port 0 via TLS tunnel)
> Thu Oct 22 10:05:49 2009 : Auth: Login OK: [user1/<via Auth-Type = EAP>]
> (from client WIFIAP1 port 48 cli 001a73f7f0f7)
>
> Dumb question: does this mean the client used PEAP to connect? Can I
> deduce this from "Auth-Type = EAP" and from "via TLS tunnel"?

Can also be TTLS.

> If connected via PEAP, authentication is "secure". However, I'd like to
> know if the data exchanged between the clients and the rest of the LAN via
> the Access Point is also encrypted and "cannot be sniffed". Does this
> "data encryption" depend only on the AP's encryption settings (eg. AES)
> and does FreeRadius get out of this equation after authentication?

Radius has nothing to do with that.

> If I install a self-signed certificate on another Windows client and
> connect via EAP-TLS then I can connect without having to use an Active
> Directory user, as expected.
>
> I'm wondering if I can *require* both a certificate on the client machine
> AND an AD user authentication. In other words, how can I *require*
> PEAP-EAP-TLS? (currently, my freeradius configuration seems to require
> PEAP OR EAP-TLS)
>
> Freeradius version: 2.0.5

Don't know about that version. It should say how to require certificates
for peap in eap.conf above the peap section. At least it does in the current
version. If it doesn't, it probably isn't supported, so upgrade.

Ivan Kalik
Kalik Informatika ISP
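As an added illustration of the "certificate AND AD user" setup asked about above (this is not configuration from the original thread, and it assumes a newer 2.1.x/3.x-style eap.conf; the original poster's 2.0.5 may not accept it, which is the point of the reply). In current releases the peap section has a commented-out `require_client_cert` option, and setting it to yes makes the PEAP outer TLS handshake reject supplicants that do not present a client certificate signed by the configured CA, while the inner-tunnel virtual server still performs the MSCHAPv2 (Active Directory) user authentication. Paths and the CA file name are placeholders.

```conf
eap {
        default_eap_type = peap
        timer_expire     = 60
        ignore_unknown_eap_types = no

        tls {
                certdir = ${confdir}/certs
                cadir   = ${confdir}/certs
                private_key_file = ${certdir}/server.pem
                certificate_file = ${certdir}/server.pem
                # CA that issued the *client* certificates; a client cert
                # not chaining to this CA fails the outer TLS handshake.
                CA_file  = ${cadir}/ca.pem
                dh_file  = ${certdir}/dh
                random_file = /dev/urandom
        }

        peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                # Inner authentication (user1 against AD via ntlm_auth/mschap)
                virtual_server = "inner-tunnel"
                # Added assumption: option present in later FreeRADIUS releases,
                # not verified for 2.0.5. Requires a client certificate in
                # addition to the tunneled user credentials.
                require_client_cert = yes
        }

        mschapv2 {
        }
}
```

With this in place a client without a certificate is refused before any inner credentials are sent, and a client with a valid certificate but a bad AD password still fails in the inner tunnel, so both factors are enforced. Note that EAP-TLS alone would still be accepted if the `tls` type remains enabled for outer authentication; the AP/NAS cannot be relied on to choose the method, so disable plain EAP-TLS as an outer type if only PEAP with client certificates should be allowed.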
