Simultaneous EAP-TLS and PEAP-MSCHAPv2 (machine/user authentication)

Lukas Haase lukashaase at gmx.at
Sat Dec 26 19:03:23 CET 2015


Hi Alan,

I think parts of our conversation move towards a non-productive
direction; probably because I am using different terminology (e.g.
"machine authentication") due to my unfamiliarity with the topic.

Before going ahead let me once again describe the setup I want:

1.) Client presents a certificate signed by the CA -> authentication
should succeed ("machine authentication"). (I thought this would best be
done via EAP-TLS but not sure)

2.) If the client does NOT have a client certificate signed by the CA
installed it should query for username/password ("user authentication")
exactly as in my current setup. Authentication should succeed via
PEAP-MSCHAPv2 if correct credentials are presented.



For (1) I do NOT want machine accounts in AD/Samba etc - just presenting
the correct client certificate should be enough. This should work with
Windows clients as well as Android clients.


On 2015-12-26 15:07, Alan DeKok wrote:
> On Dec 25, 2015, at 5:42 AM, Lukas Haase <lukashaase at gmx.at> wrote:
> [...]
>>>  Windows can do machine-level authentication, by automatically provisioning the certificates.
>>
>> I cannot find good references to that; do you have a pointer?
> It's done via Active Directory.  See that documentation.

I think we spoke about different things. This is not what I want anyway ...

>>>  For every other system, there is no "machine auth".  There are only user accounts, and user credentials.
>>
>> At least I could use a users file containing "machine" accounts with
>> long passwords ... but this is again much more difficult than just
>> deploying a simple certificate file.
> 
>   Why would you do this in the first place?
> 
>   You can only authenticate once with 802.1X.  Once you're authenticated, you're in the network.  802.1X has no concept of "machine" accounts versus "people" accounts. 

Sorry for the confusion; not what I want, see above.

>> In that case: Why then sign the client certificate with the server cert
>> at all?
> 
>   You don't.  You sign the client certificate with the CA cert.

Of course, my bad.

>>>  You can't do both on the same machine in the same account.
>>
>> What do you mean by "same account"?
> 
>   Why do you think there are multiple accounts?  Do you think there are multiple 802.1X authentications?
> 
>   The problem here is that you have certain assumptions about how things work.  Those assumptions are wrong.  I'm trying to correct them, but because your assumptions and terminology are wrong, you're not really understanding my answers.

Yes, I think so.
No I do not want multiple 802.1X authentications.

My understanding is that it works similarly to PAM etc.: it's a stack of
authentication methods which are tried as long as either one succeeds or
all fail.

The first one that should be tried should be EAP-TLS with nothing but a
client certificate (what I call "machine authentication") and the second
one should be PEAP-MSCHAPv2 (what I call "user authentication").

If both fail, network authentication fails.

> [...]
>> Again ... with machine you mean the client or the RADIUS server?
> 
>   I mean supplicant / laptop / desktop.  Once a system is on the net, it's on the net.
> 
>   How do *you* expect to use EAP-TLS and PEAP at the same time, from the same machine?
> 
>   Please explain.

I used wrong terminology, see above. Hope it's clear now.

>> Independently from an "end user account" I would like the authentication
>> to succeed when the client presents a certificate signed by the server,
>> same as it is the case for OpenVPN in PKI mode. I think this can be done
>> with EAP-TLS.
> 
>   Sure.
> 
>   But... how do you expect EAP-TLS and PEAP to work together?
> 
>   Explain.  In detail.

I am not sure if it is possible, hence my question.

See above: I would expect that a client certificate is attempted first
and if that fails username/password via PEAP-MSCHAPv2. If this is *not*
possible with EAP-TLS and PEAP-MSCHAPv2 on the same RADIUS server, maybe
it's possible with PEAP only.

>> So if FreeRADIUS can't be set up serving EAP-TLS and PEAP-MSCHAPv2 at
>> the same time,
> 
>   You're not paying attention.
> 
>   It's not a FreeRADIUS limitation.  It's a limitation of the machine trying to get on the network, and the network.
> 
>> can't it be configured with virtual servers?
>> For example, there is "modules/inner-eap" which contains a separate TLS
>> configuration. I thought this is the key to the correct configuration.
> 
>   It helps to understand the concepts before trying random solutions.
> 
>>>   It's impossible.  You can only have one 802.1X configuration per end user account.
>>
>> What I mean: There are tons of deployments in companies which
>> present a username/password prompt when connecting to the network but
>> connect automatically without a prompt when a certain certificate is
>> installed on the system.
> 
>   Sure.  That's doing *either* PEAP or EAP-TLS.  Only one 802.1X configuration is active at a time.

Ok.

>> I've seen that. So I assume this is a very
>> common setup which shouldn't be too hard to implement.
> 
>   Authenticating one machine using EAP-TLS and PEAP at the same time is impossible.

See above, not what I want.
As soon as the client sends an EAP-TLS client certificate which is valid -> done.

If not, the client would just attempt to authenticate with PEAP-MSCHAPv2.

>   FreeRADIUS can authenticate anything.  If one machine does EAP-TLS, and another does PEAP.  That's fine.

This is what I want!

And my question is precisely how to set up freeradius to be able to
handle both.

Possibly with different server certificates/CAs for EAP-TLS and PEAP.
Because both seem to use the "tls" section in eap.conf for
key/certificate configuration.

Thanks,
Luke
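The setup asked for above (EAP-TLS for clients that hold a certificate, PEAP-MSCHAPv2 for everyone else, served by one FreeRADIUS instance) can be expressed in the FreeRADIUS 3.x EAP module configuration. The fragment below is an added example written for this thread; it is not from the original message or from the FreeRADIUS project's shipped config. It assumes the 3.x layout (raddb/mods-available/eap, where `tls-config` blocks are defined once and referenced by name), and the two CA file names are placeholders. Using two `tls-config` blocks is what lets EAP-TLS and PEAP trust different CAs, which is the concern raised about the single "tls" section in eap.conf.

```conf
eap {
    # Type the server offers first. A supplicant that wants a different
    # method answers with an EAP-NAK naming the type it supports, so a
    # certificate-configured client ends up in EAP-TLS and a
    # username/password-configured client ends up in PEAP.
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    max_sessions = ${max_requests}

    # TLS settings for EAP-TLS ("machine" auth in the thread's wording).
    # ca_file is the CA that signs the *client* certificates; a client
    # certificate not chaining to it is rejected.
    tls-config tls-machine {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/client-ca.pem     # placeholder path
        dh_file = ${certdir}/dh
        cipher_list = "HIGH"
    }

    # TLS settings for PEAP ("user" auth). Same server identity, but the
    # trust anchor can differ, and no client certificate is required.
    tls-config tls-user {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/server-ca.pem     # placeholder path
        dh_file = ${certdir}/dh
        cipher_list = "HIGH"
    }

    # Outer EAP-TLS: authentication succeeds on a valid client certificate.
    tls {
        tls = tls-machine
        require_client_cert = yes
    }

    # Outer PEAP with MSCHAPv2 inside; credentials are checked in the
    # "inner-tunnel" virtual server (users file, SQL, AD/ntlm_auth, ...).
    peap {
        tls = tls-user
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }

    mschapv2 {
    }
}
```

Note on the design: the server does not try the two methods in sequence the way a PAM stack would. Each 802.1X session negotiates exactly one EAP type, chosen by the supplicant's profile. A Windows or Android network profile set to "TLS" with the client certificate selected goes through the `tls` block; a profile set to PEAP/MSCHAPv2 prompts for credentials and goes through `peap`. The server's only job is to be able to serve both, which the configuration above does; a client with no certificate and no valid credentials fails both, as expected.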