Simultaneous EAP-TLS and PEAP-MSCHAPv2 (machine/user authentication)
Alan DeKok
aland at deployingradius.com
Sat Dec 26 20:54:54 CET 2015
On Dec 26, 2015, at 1:03 PM, Lukas Haase <lukashaase at gmx.at> wrote:
> I think parts of our conversation move towards a non-productive
> direction; probably because I am using different terminology (e.g.
> "machine authentication") due to my unfamiliarity with the topic.
The solution is to *not* use terminology you're unfamiliar with. Use simple terminology. Which helps to keep your questions clear.
The alternative is to ask questions using the wrong terminology, which is unhelpful and confusing.
> Before going ahead let me once again describe the setup I want:
>
> 1.) Client presents a certificate signed by the CA -> authentication
> should succeed ("machine authentication").
Stop calling it "machine authentication". Part of becoming familiar with the topic is that you *don't* use the wrong terminology.
Get the idea of "machine authentication" out of your head. Just stop it. It's unhelpful, confusing, and wastes everyone's time.
> (I thought this would best be
> done via EAP-TLS but not sure)
I've explained this repeatedly. How can you be "not sure"?
What part of my explanations is unclear?
> 2.) If the client does NOT have a client certificate signed by the CA
> installed, it should query for username/password ("user authentication")
No. Stop using wrong terminology. It's unhelpful. Stop talking about "user authentication". There is nothing in EAP which distinguishes "user" from "machine" authentication. It's all just "authentication".
> exactly as in my current setup. Authentication should succeed via
> PEAP-MSCHAPv2 if correct credentials are presented.
OK...
> For (1) I do NOT want machine accounts in AD/Samba etc - just presenting
> the correct client certificate should be enough. This should work with
> Windows clients as well as Android clients.
Please read my messages. What I said is:
What you're talking about amounts to this:
1) some systems have client certificates. These systems are configured to do EAP-TLS.
2) some systems don't have client certificates. These systems are configured to do PEAP-MSCHAPv2.
That's it.
Is there any part of those two choices which is unclear?
Alan DeKok.
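As an added illustration (not from Alan's message and not the FreeRADIUS project's own file), a FreeRADIUS 3.0.x `mods-available/eap` fragment with both EAP types enabled at once; the certificate paths and the `inner-tunnel` virtual server are assumed to exist from the stock install. Each supplicant picks its own EAP type, so the two cases Alan lists are served by one server configuration.

```conf
# Added example: one eap module serving both EAP-TLS and PEAP-MSCHAPv2.
# Paths follow the stock FreeRADIUS 3.0.x layout (assumption).
eap {
    # Offered first. A supplicant configured for EAP-TLS answers with an
    # EAP NAK proposing TLS, and the server switches to that method.
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no

    # TLS settings shared by EAP-TLS and the PEAP outer tunnel.
    tls-config tls-common {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        # The CA that issued the client certificates; EAP-TLS clients
        # are accepted only if their certificate chains to it.
        ca_file = ${cadir}/ca.pem
        tls_min_version = "1.2"
    }

    # Case 1: systems that hold a client certificate signed by ca_file.
    # The certificate alone authenticates them; no AD/Samba account needed.
    tls {
        tls = tls-common
    }

    # Case 2: systems without a client certificate. The outer TLS tunnel
    # authenticates the server to the client; MS-CHAPv2 inside the tunnel
    # checks the username/password. Supplicants must be set to validate
    # the server certificate, or the tunnel protects nothing.
    peap {
        tls = tls-common
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }

    # Inner method for PEAP; the password itself is checked by whatever
    # the inner-tunnel virtual server uses (files, SQL, ntlm_auth, ...).
    mschapv2 {
    }
}
```

Which of the two methods a given client ends up using is decided by the supplicant's own configuration, not by anything the server knows about "machines" or "users".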