Simultaneous EAP-TLS and PEAP-MSCHAPv2 (machine/user authentication)

Ben Humpert ben at an3k.de
Mon Dec 28 15:51:14 CET 2015


2015-12-26 20:54 GMT+01:00 Alan DeKok <aland at deployingradius.com>:

> On Dec 26, 2015, at 1:03 PM, Lukas Haase <lukashaase at gmx.at> wrote:
> > 1.) Client presents a certificate signed by the CA -> authentication
> > should succeed ("machine authentication").
>
>   Stop calling it "machine authentication".  Part of becoming familiar
> with the topic is that you *don't* use the wrong terminology.
>
>   Get the idea of "machine authentication" out of your head.  Just stop
> it.  It's unhelpful, confusing, and wastes everyone's time.


It isn't wrong terminology. Windows (XP -> 10) uses this. One can choose
between machine and user authentication. The difference between both is:
Machine auth happens BEFORE a user logs into Windows. User auth happens
AFTER a user logged into Windows.

One actually could use two certificates, one for the machine (is the
machine allowed to access the network? If yes, into which VLAN should we put
it?) and one for the user (is the user allowed to access the network?).
Using both you could do machine auth first and get the machine put into
VLAN 1 to get DHCP stuff and access to e.g. Active Directory (which is
required for user auth). Then you can do user auth and put the machine into
the VLAN the user actually belongs to.
This way no one could BYOD which may be infected / insecure. Additionally
one could block inexperienced users from using administrative computers.

The problem is this only works with an Active Directory / Primary Domain
Controller, thus you need Microsoft Windows Server. It doesn't work with
Samba or whatever else.

Correct however is that from the FR point of view both authentications look
"the same". It's just Windows making a (beneficial) difference I wish every
OS would do.
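The two-stage flow described above (machine auth lands in a bootstrap VLAN, user auth lands in the user's VLAN) can be expressed in the outer virtual server's post-auth section. The following is an added example in FreeRADIUS 3.x unlang, not code from the thread or from the FreeRADIUS project. It assumes: VLAN 10 is the bootstrap VLAN that reaches DHCP and the domain controllers, VLAN 20 is an ordinary user VLAN, the Windows supplicant sends the computer identity as host/<fqdn>, and the machine certificates were issued with the machine's FQDN as the common name (TLS-Client-Cert-Common-Name is set by rlm_eap_tls after a successful client certificate check). Because the outer User-Name is chosen by the supplicant, the example refuses to treat a session as "machine" unless the verified certificate actually names that machine.

```unlang
# Added example (FreeRADIUS 3.x, outer "default" virtual server).
# Assumptions, not from the thread: VLAN 10 = bootstrap VLAN (DHCP, AD),
# VLAN 20 = user VLAN, machine identity = host/<fqdn>, machine cert CN = <fqdn>.
post-auth {
    # EAP-TLS machine authentication: identity of the form host/<fqdn>.
    # The identity string is supplicant-controlled, so it is only trusted
    # when the client certificate just verified by EAP-TLS names that host.
    # %{1} is the capture group from the regex on the line below.
    if (&User-Name =~ /^host\/(.+)$/i) {
        if (&TLS-Client-Cert-Common-Name == "%{1}") {
            update reply {
                &Tunnel-Type := VLAN
                &Tunnel-Medium-Type := IEEE-802
                &Tunnel-Private-Group-Id := "10"
            }
        }
        else {
            # Identity claims "machine", but the certificate was issued to
            # something else: do not hand out the bootstrap VLAN.
            reject
        }
    }
    # Anything else that reached post-auth successfully is a user session:
    # EAP-TLS with a user certificate, or PEAP-MSCHAPv2 after the
    # inner-tunnel server accepted the user against the domain.
    else {
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "20"
        }
    }
}
```

The Tunnel-* attributes are the RFC 2868 attributes most switches and controllers use for dynamic VLAN assignment; the switch side still has to be configured to honour them. If the user VLAN should depend on the user's group rather than being a single fixed VLAN, the else branch is where a lookup (LDAP group, SQL, or the users file) would set Tunnel-Private-Group-Id instead of the constant used here.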
