Simultaneous EAP-TLS and PEAP-MSCHAPv2 (machine/user authentication)

Alan DeKok aland at deployingradius.com
Sat Dec 26 15:07:30 CET 2015


On Dec 25, 2015, at 5:42 AM, Lukas Haase <lukashaase at gmx.at> wrote:
> However, I found tons of references and howtos where it is stated that
> (a) installing certificates on the client is optional (b) using a server
> certificate signed by an official CA is recommended.

  The only reason (a) *might* be true is if you believe (b).  Which I don't.

  When you allow a public CA for a particular SSID, it means that *any* certificate issued by that CA will be allowed for that SSID.

  This isn't what you want.

  We recommend using a self-signed CA, because it's more secure.  The people who recommend using public CAs generally don't know what they're talking about.

>>  Windows can do machine-level authentication, by automatically provisioning the certificates.
> 
> I cannot find good references to that; do you have a pointer?

  It's done via Active Directory.  See that documentation.

>>  For every other system, there is no "machine auth".  There are only user accounts, and user credentials.
> 
> At least I could use a users file containing "machine" accounts with
> long passwords ... but this is again much more difficult than just
> deploying a simple certificate file.

  Why would you do this in the first place?

  You can only authenticate once with 802.1X.  Once you're authenticated, you're in the network.  802.1X has no concept of "machine" accounts versus "people" accounts.

> In that case: Why then sign the client certificate with the server cert
> at all?

  You don't.  You sign the client certificate with the CA cert.

>>  You can't do both on the same machine in the same account.
> 
> What do you mean by "same account"?

  Why do you think there are multiple accounts?  Do you think there are multiple 802.1X authentications?

  The problem here is that you have certain assumptions about how things work.  Those assumptions are wrong.  I'm trying to correct them, but because your assumptions and terminology are wrong, you're not really understanding my answers.

> I really can't use anything in parallel with PEAP?

  You can't authenticate twice in 802.1X.  Once a system is authenticated, it's on the network.

  i.e. you're asking the wrong questions.

> As mentioned, in this case too many broken howtos and references out
> there :(

  I'm saying what you should do.  You can

  (a) believe it and follow instructions, and get the systems on the net,

  or

  (b) ignore what I'm saying, keep with whatever ideas you have, and not get anything done.

  Pick one.

> Again ... with machine you mean the client or the RADIUS server?

  I mean supplicant / laptop / desktop.  Once a system is on the net, it's on the net.

  How do *you* expect to use EAP-TLS and PEAP at the same time, from the same machine?

  Please explain.

> Per "end user account" I *only* want to use PEAP-MSCHAPv2 (because it is
> most widely supported) using login/password information looked up via
> OpenLDAP (this works).

  Sure.

> Independently from an "end user account" I would like the authentication
> to succeed when the client presents a certificate signed by the server,
> same as it is the case for OpenVPN in PKI mode. I think this can be done
> with EAP-TLS.

  Sure.

  But... how do you expect EAP-TLS and PEAP to work together?

  Explain.  In detail.

> So if FreeRADIUS can't be set up serving EAP-TLS and PEAP-MSCHAPv2 at
> the same time,

  You're not paying attention.

  It's not a FreeRADIUS limitation.  It's a limitation of the machine trying to get on the network, and the network.

> can't it be configured with virtual servers?
> For example, there is "modules/inner-eap" which contains a separate TLS
> configuration. I thought this is the key to the correct configuration.

  It helps to understand the concepts before trying random solutions.

>>   It's impossible.  You can only have one 802.1X configuration per end user account.
> 
> What I mean: There are tons of deployments in companies supporting which
> present a username/password prompt when connecting to the network but
> connect automatically without a prompt when a certain certificate is
> installed on the system.

  Sure.  That's doing *either* PEAP or EAP-TLS.  Only one 802.1X configuration is active at a time.

> I've seen that. So I assume this is a very
> common setup which shouldn't be too hard to implement.

  Authenticating one machine using EAP-TLS and PEAP at the same time is impossible.

  FreeRADIUS can authenticate anything.  If one machine does EAP-TLS, and another does PEAP, that's fine.  If one machine does EAP-TLS, logs off of the network, and then comes back with PEAP, that's fine.

  Please understand what I'm saying.  You have some kind of assumption about how the network works.  Those assumptions are wrong.  Because those assumptions are wrong, you're asking the wrong questions.  And not understanding my answers.

  It's really quite simple. Configure a system to do:

  a) PEAP

or

  b) EAP-TLS.

  Pick one.  It will be able to do 802.1X and get on the network.

  Doing some kind of magical "PEAP and EAP-TLS at the same time" is impossible.  Stop trying to do it.  You're wasting everyone's time.

  Alan DeKok.
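Added illustration (not part of the post above, and not the configuration shipped by the FreeRADIUS project): a FreeRADIUS 3.x style `mods-available/eap` fragment showing what the reply describes, one server offering both EAP-TLS and PEAP-MSCHAPv2, with client-certificate trust anchored on a private CA instead of a public CA bundle. The `${certdir}`/`${cadir}` variables are the ones the stock radiusd.conf defines; the file names and the key password are assumptions.

```conf
eap {
    default_eap_type = peap

    # One TLS configuration shared by EAP-TLS and PEAP.
    tls-config tls-common {
        certificate_file = ${certdir}/server.pem
        private_key_file = ${certdir}/server.pem
        private_key_password = whatever      # assumption: placeholder only

        # Trust anchor for client certificates.  Point this at your own
        # private CA (path assumed), NOT at a public bundle such as
        # /etc/ssl/certs/ca-certificates.crt: with a public bundle, any
        # certificate issued by any of those CAs would satisfy EAP-TLS.
        ca_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
    }

    # Supplicants configured for EAP-TLS negotiate this method.  The
    # client certificate must chain to ca_file above.
    tls {
        tls = tls-common
    }

    # Supplicants configured for PEAP negotiate this method.  The inner
    # MSCHAPv2 exchange is handled by the inner-tunnel virtual server,
    # where the username/password is looked up (OpenLDAP in this thread).
    peap {
        tls = tls-common
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }

    mschapv2 {
    }
}
```

Each supplicant still negotiates exactly one EAP method per 802.1X session, as the reply says; the server merely accepts either. The security-relevant line is `ca_file`: it defines the complete set of certificates that can pass EAP-TLS on this server, which is why a CA you control is the right trust anchor.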
