Simultaneous EAP-TLS and PEAP-MSCHAPv2 (machine/user authentication)
Alan DeKok
aland at deployingradius.com
Fri Dec 25 04:07:18 CET 2015
On Dec 24, 2015, at 9:01 PM, Lukas Haase <lukashaase at gmx.at> wrote:
> For my private network I would like to use 802.1X (managed switch) and
> WPA2 Enterprise via freeradius. I want to allow (1) username/password
> login with LDAP backend without installing any software/certificates on
> the clients
That doesn't work. You need a CA cert installed on the laptops / end machines.
> and (2) machine-level authentication by installing a simple
> certificate on the client.
Windows can do machine-level authentication, by automatically provisioning the certificates.
For every other system, there is no "machine auth". There are only user accounts, and user credentials.
> Both methods should work with as many clients
> (Windows, Android, iOS, ...) as possible.
See above. The system-specific limitations are very limiting.
> I assume for (1) PEAP-MSCHAPv2 with LDAP is good. Got this working now.
You need to add / enable a CA for the 802.1X authentication. Disabling server certificate verification "works", for various insecure definitions of "works".
> I assume for (2) EAP-TLS is good. Is this true so far?
You can't do both on the same machine in the same account.
> Now I am confused regarding certificates.
>
> For (1) I set the certificates in "tls" section of "eap" (since PEAP is
> based on TLS). Since I do not want to install any certificates on the
> clients, I would use a certificate officially signed by a CA trusted by
> the client (e.g. StartSSL, LetsEncrypt, VeriSign, ...).
That is not recommended. You should use a self-signed CA.
> But what to
> choose as CN? Anything else to consider when creating the certificate?
Use the certificate creation scripts distributed with the server.
> Now the problem for (2) is that I need my own CA. I would assume the
> configuration for EAP-TLS goes into the "tls" section under "eap" but as
> written above this is already taken by PEAP!
While you can put two CA certificates into the raddb/certs directory... you *can't* use two different 802.1X configurations for the same machine. Even on Windows.
> Can't be so difficult ... how to implement this scenario appropriately?
It's impossible. You can only have one 802.1X configuration per end user account.
> PS: I use freeradius 2.1.12 in Debian stable.
Ugh. Install 2.2.9. It's really not hard. Using a 5-year-old version of the server is depressing.
Alan DeKok.
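Server-side configuration for the scenario above, as an added example that is not from the thread or from the FreeRADIUS project: in FreeRADIUS 2.x a single "tls" section in raddb/eap.conf is used both as the EAP-TLS configuration and as the outer TLS layer of PEAP, so the two methods do not compete for it. The file names under raddb/certs are assumed to be the defaults produced by the bundled certificate scripts (ca.pem, server.pem), and "whatever" is a placeholder key password.

```conf
# Added example: FreeRADIUS 2.x raddb/eap.conf (not the project's shipped file).
# One "tls" section serves EAP-TLS directly and PEAP as its outer layer, so
# methods (1) and (2) from the question are both enabled at once.
# File names are the defaults written by the scripts in raddb/certs (assumed).
eap {
        default_eap_type = peap          # offered to clients that propose nothing
        timer_expire     = 60
        ignore_unknown_eap_types = no

        tls {
                certdir = ${confdir}/certs
                cadir   = ${confdir}/certs

                # Server identity, presented to both PEAP and EAP-TLS clients.
                # Clients must trust this CA; a client that skips server
                # certificate validation cannot tell this server from an impostor.
                private_key_password = whatever           # placeholder
                private_key_file     = ${certdir}/server.pem
                certificate_file     = ${certdir}/server.pem

                # Trust anchors used to validate EAP-TLS *client* certificates.
                # Any certificate chaining to a CA listed here is accepted as a
                # machine credential, so this must be the private CA only; a
                # public CA (StartSSL, Let's Encrypt, ...) must not appear here.
                CA_file = ${cadir}/ca.pem

                dh_file        = ${certdir}/dh
                random_file    = /dev/urandom
                fragment_size  = 1024
                include_length = yes
                check_crl      = no
                cipher_list    = "DEFAULT"
        }

        # Method (2), EAP-TLS, needs no further subsection: the "tls" block
        # above is its configuration.

        # Method (1): username/password inside PEAP. The inner MSCHAPv2 round
        # is handled by the inner-tunnel virtual server, where LDAP is queried.
        peap {
                default_eap_type       = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply     = no
                virtual_server         = "inner-tunnel"
        }
        mschapv2 {
        }
}
```

The server can offer both methods at the same time; the limitation Alan describes is on the client side, where one 802.1X profile per account selects a single method.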