Authenticate with both Certificate and password

Alan DeKok aland at
Mon Jun 6 14:58:41 CEST 2016

On Jun 6, 2016, at 8:52 AM, jan hugo prins <jhp at> wrote:
> But now I want to have something special in one realm, in this one realm
> I want to do a combination for certificate authentication and MsChapv2
> authentication. This to make sure the user has a valid certificate and
> also knows a valid user-name / password.
> Is this possible to configure in FreeRadius?

  Yes.  But you also need to configure it on the client.

  Give the client a certificate.  Configure the client to do TTLS.  It will work.

  It *won't* work on older versions of Windows.  This is because they don't do TTLS.  They only do PEAP, and they disallow client certificates for PEAP.

> Is this possible in the variety of of WPA-Supplicants used (Apple, Linux
> and Windows)
> Is it possible to do this in just one realm?
> If this is possible, could someone point me to some documentations that
> describes this setup?

  You've already got 99% of it working.  Just configure the client, and it will work.

  Alan DeKok.

More information about the Freeradius-Users mailing list