Simultaneous EAP-TLS and PEAP-MSCHAPv2 (machine/user authentication)

Lukas Haase lukashaase at gmx.at
Fri Dec 25 11:42:50 CET 2015


Alan, thanks.

On 2015-12-25 4:07, Alan DeKok wrote:
> On Dec 24, 2015, at 9:01 PM, Lukas Haase <lukashaase at gmx.at> wrote:
>> For my private network I would like to use 802.1X (managed switch) and
>> WPA2 Enterprise via freeradius. I want to allow (1) username/password
>> login with LDAP backend without installing any software/certificates on
>> the clients
> 
>   That doesn't work.  You need a CA cert installed on the laptops / end machines.

I was afraid so and technically it makes sense (since there is not even
an "anchor" that can relate the RADIUS server with the CN as it is for DNS).

Currently it works with the self-signed certificate (but Windows
presents the certificate warning). For my level of security in my
private network this is acceptable.

However, I found tons of references and howtos where it is stated that
(a) installing certificates on the client is optional (b) using a server
certificate signed by an official CA is recommended.

>> and (2) machine-level authentication by installing a simple
>> certificate on the client.
> 
>   Windows can do machine-level authentication, by automatically provisioning the certificates.

I cannot find good references to that; do you have a pointer?

Conceptually, would I need to add machines as user accounts (as for a
PDC) or is it enough to have the client certificate signed by the server
certificate? I would not want the former case.

>   For every other system, there is no "machine auth".  There are only user accounts, and user credentials.

At least I could use a users file containing "machine" accounts with
long passwords ... but this is again much more difficult than just
deploying a simple certificate file.

In that case: Why then sign the client certificate with the server cert
at all?

> [...]
>> I assume for (2) EAP-TLS is good. Is this true so far?
> 
>   You can't do both on the same machine in the same account.

What do you mean by "same account"?

I really can't use anything in parallel with PEAP?

>> Now I am confused regarding certificates.
>>
>> For (1) I set the certificates in "tls" section of "eap" (since PEAP is
>> based on TLS). Since I do not want to install any certificates on the
>> clients, I would use a certificate officially signed by a CA trusted by
>> the client (e.g. StartSSL, LetsEncrypt, VeriSign, ...).
> 
>   That is not recommended.  You should use a self-signed CA.

As mentioned, in this case too many broken howtos and references out
there :(

> [...]
>> Now the problem for (2) is that I need an own CA. I would assume the
>> configuration for EAP-TLS goes into the "tls" section under "eap" but as
>> written above this is already taken by PEAP!
> 
>   While you can put two CA certificates into the raddb/certs directory... you *can't* use two different 802.1X configurations for the same machine.  Even on Windows.

Again ... with machine you mean the client or the RADIUS server?

Per "end user account" I *only* want to use PEAP-MSCHAPv2 (because it is
most widely supported) using login/password information looked up via
OpenLDAP (this works).


Independently from an "end user account" I would like the authentication
to succeed when the client presents a certificate signed by the server,
same as it is the case for OpenVPN in PKI mode. I think this can be done
with EAP-TLS.

So if FreeRADIUS can't be set up serving EAP-TLS and PEAP-MSCHAPv2 at
the same time, can't it be configured with virtual servers?
For example, there is "modules/inner-eap" which contains a separate TLS
configuration. I thought this is the key to the correct configuration.

>> Can't be so difficult ... how to implement this scenario appropriately?
> 
>    It's impossible.  You can only have one 802.1X configuration per end user account.

What I mean: There are tons of deployments in companies which present a
username/password prompt when connecting to the network but connect
automatically without a prompt when a certain certificate is installed
on the system. I've seen that. So I assume this is a very common setup
which shouldn't be too hard to implement.

Thanks
Luke
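As an added illustration of the server-side half of this question (not part of the thread above and not a file from the FreeRADIUS project), the fragment below is a FreeRADIUS 3.x style `mods-available/eap` configuration that enables EAP-TLS and PEAP-MSCHAPv2 side by side from one shared TLS configuration. The file paths, the key password and the name of the inner virtual server are assumed placeholders; the section and key names are the ones FreeRADIUS 3.0 uses.

```conf
# Added example: one eap instance serving both EAP-TLS and PEAP-MSCHAPv2.
# Paths and the password are placeholders, not values from the thread.
eap {
	# Method offered first. A supplicant configured for a different
	# method answers with an EAP-NAK and the server switches to it,
	# so PEAP clients and EAP-TLS clients are served by this one instance.
	default_eap_type = peap

	timer_expire = 60
	ignore_unknown_eap_types = no

	# Shared TLS material: the same server certificate is presented
	# for the PEAP outer tunnel and for EAP-TLS.
	tls-config tls-common {
		private_key_password = CHANGE-ME-PLACEHOLDER
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem

		# Private (self-signed) CA. Two roles at once:
		#  - it is sent to clients, which must trust it to validate
		#    the server (the point made in the thread);
		#  - EAP-TLS client certificates are verified against it, so
		#    whoever can issue from this CA can pass EAP-TLS.
		ca_file = ${cadir}/ca.pem
		ca_path = ${cadir}

		dh_file = ${certdir}/dh
		cipher_list = "DEFAULT"
	}

	# Machine/certificate login (question (2) in the thread).
	tls {
		tls = tls-common
	}

	# Username/password login (question (1) in the thread).
	peap {
		tls = tls-common
		default_eap_type = mschapv2
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		# Inner tunnel does the LDAP lookup for the MSCHAPv2 exchange.
		virtual_server = "inner-tunnel"
	}

	# Inner method used by PEAP.
	mschapv2 {
	}
}
```

With this in place the server side is not the limitation: which method a given client uses is decided by that client's own network profile, and a Windows profile selects exactly one method, which is what "one 802.1X configuration per end user account" refers to. A useful check after enabling both methods is to run `radiusd -X` and connect once with each kind of client; the debug output shows the NAK and the method actually negotiated. Because any certificate that chains to `ca_file` passes EAP-TLS, issuance from that CA should be restricted to machines you intend to admit, and per-certificate policy (for example matching the certificate CN against a list of known machines) can be applied in a virtual server that the `tls` subsection can hand the request to after the client certificate has been verified.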




More information about the Freeradius-Users mailing list