Simultaneous EAP-TLS and PEAP-MSCHAPv2 (machine/user authentication)

Lukas Haase lukashaase at gmx.at
Fri Dec 25 03:01:54 CET 2015


Hi,

For my private network I would like to use 802.1X (managed switch) and
WPA2 Enterprise via freeradius. I want to allow (1) username/password
login with LDAP backend without installing any software/certificates on
the clients and (2) machine-level authentication by installing a simple
certificate on the client. Both methods should work with as many clients
(Windows, Android, iOS, ...) as possible.

I assume for (1) PEAP-MSCHAPv2 with LDAP is good. Got this working now.
I assume for (2) EAP-TLS is good. Is this true so far?

Now I am confused regarding certificates.

For (1) I set the certificates in the "tls" section of "eap" (since PEAP is
based on TLS). Since I do not want to install any certificates on the
clients, I would use a certificate officially signed by a CA trusted by
the client (e.g. StartSSL, LetsEncrypt, VeriSign, ...). But what to
choose as CN? Anything else to consider when creating the certificate?


Now the problem for (2) is that I need my own CA. I would assume the
configuration for EAP-TLS goes into the "tls" section under "eap", but as
written above this is already taken by PEAP!


Can't be so difficult ... how to implement this scenario appropriately?

Thanks!
Luke



PS: I use freeradius 2.1.12 in Debian stable.
