Simultaneous EAP-TLS and PEAP-MSCHAPv2 (machine/user authentication)
Alan DeKok
aland at deployingradius.com
Sat Dec 26 18:54:23 CET 2015
On Dec 26, 2015, at 12:45 PM, Lukas Haase <lukashaase at gmx.at> wrote:
> This is not what I want anyway. Once again the intended setup:
>
> 1.) Client presents a certificate signed by the CA -> authentication
> should succeed ("machine authentication").
No. That is not "machine authentication".
Machine authentication is where a Windows system uses credentials provisioned by Active Directory to do 802.1X. When that happens, the user does *not* provide any credentials.
> (I thought this would best be
> done via EAP-TLS but not sure)
The TLS-based EAP methods are EAP-TLS, PEAP, and TTLS.
> 2.) If the client does NOT have a client certificate signed by the CA
> installed it should query for username/password ("user authentication")
> exactly as in my current setup. Authentication should succeed via
> PEAP-MSCHAPv2 if correct credentials are presented.
That's PEAP. Mostly.
You can configure an end system to do 802.1X. It has a preferred EAP method, which it uses for authentication. i.e. it uses *one* EAP method.
What you're talking about amounts to this:
1) some systems have client certificates. These systems are configured to do EAP-TLS.
2) some systems don't have client certificates. These systems are configured to do PEAP-MSCHAPv2.
That's it.
Alan DeKok.
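A concrete version of the setup Alan describes, as an added example that is not part of the original post or of the FreeRADIUS distribution: one server with both EAP-TLS and PEAP-MSCHAPv2 enabled, where each supplicant is configured for exactly one of the two. The fragment is in FreeRADIUS 3.x `mods-available/eap` syntax; the file paths and the `inner-tunnel` virtual server name are assumptions and must match your deployment.

```text
# mods-available/eap  (example, not the distributed default; paths are assumed)
eap {
    # The method the server *proposes* first. A supplicant configured for
    # EAP-TLS answers with an EAP NAK naming TLS and the server switches to it,
    # so this does not force PEAP on certificate-bearing machines.
    default_eap_type = peap

    tls-config tls-common {
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        # Only the private CA that issues your client certificates belongs
        # here. Listing a public CA would let any certificate from that CA
        # pass EAP-TLS.
        ca_file          = ${cadir}/ca.pem
        dh_file          = ${certdir}/dh
        cipher_list      = "HIGH"
    }

    # Machines with a client certificate (Windows machine auth, or any host
    # provisioned with a cert) are configured for this method.
    tls {
        tls = tls-common
    }

    # Users without a certificate are configured for PEAP; the MSCHAPv2
    # exchange runs inside the TLS tunnel in the inner-tunnel virtual server.
    peap {
        tls              = tls-common
        default_eap_type = mschapv2
        virtual_server   = "inner-tunnel"
    }

    mschapv2 {
    }
}
```

On the client side the split is the same: a certificate-bearing machine is set to EAP-TLS, a user-only system to PEAP with MSCHAPv2 as the inner method. Both kinds of supplicant must still be pinned to the server certificate's CA (and, on Windows, to the server name); PEAP clients that skip server validation will hand their MSCHAPv2 exchange to any rogue access point.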
More information about the Freeradius-Users mailing list