Microsoft PEAP-EAP-TLS support (certificate auth with SoH)?

Matthew Newton mcn4 at
Fri Jan 20 02:08:28 CET 2012


Does anyone know if FreeRADIUS now supports Microsoft
PEAP/EAP-TLS, i.e. when you select PEAP with Certificates in
Windows (not plain EAP-TLS, or PEAP/MS-CHAPv2, which both work
fine)? This post from 2007 (and FR 1.0.1) indicates that it didn't
work then, wondered if that's changed at all?

For the reasons in that e-mail, I similarly don't care about using
it for auth, as EAP-TLS works fine. However, from the SoH
documentation, it needs either PEAP or DHCP to work. I haven't
ruled out DHCP yet, but it seems a lot tidier to do it in RADIUS
if possible, which in turn just leaves PEAP.

The 'normal' PEAP with MS-CHAPv2 works fine giving the SoH
details, but has to be "user authentication" on the client.
EAP-TLS works fine presenting the certificate to connect to the
network (Microsoft's so-called "computer auth"), but doesn't, as
far as I can tell, do SoH.

Is it actually possible to do SoH with certificate-based
authentication, or do I have to look towards DHCP for this?

I'm using a very custom config at the moment (on the latest v2.1.x
branch), and having tried all sorts can't get it to play. I'll
probably try working from the default config later just in case
I've missed something blindingly obvious, but if anyone could
confirm if the above post is still true or there is no other way
to do it then it will save me a lot of time trying! :)



(Wishing Microsoft would bother to support a few additional
options in their built-in supplicant, rather than just the couple
of odd combinations that they want.)

Matthew Newton, Ph.D. <mcn4 at>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list