Authenticate with both Certificate and password
jan hugo prins
jhp at jhprins.org
Wed Jun 8 12:16:58 CEST 2016
Hi,
>> But now I want to have something special in one realm, in this one realm
>> I want to do a combination for certificate authentication and MsChapv2
>> authentication. This to make sure the user has a valid certificate and
>> also knows a valid user-name / password.
>>
>> Is this possible to configure in FreeRadius?
> Yes. But you also need to configure it on the client.
>
> Give the client a certificate. Configure the client to do TTLS. It will work.
>
> It *won't* work on older versions of Windows. This is because they don't do TTLS. They only do PEAP, and they disallow client certificates for PEAP.
I have een looking on my Linux workstation and so far I only found the
option to put certificates in the TLS config, and in the TLS config I
can't include username / password credentials. I'm going to try what
happens if I modify the config files manually to include certificates
besides Username / Password credentials.
>> Is this possible in the variety of of WPA-Supplicants used (Apple, Linux
>> and Windows)
>> Is it possible to do this in just one realm?
>>
>> If this is possible, could someone point me to some documentations that
>> describes this setup?
> You've already got 99% of it working. Just configure the client, and it will work.
Ok, that sounds really good, but then my second question: How do I force
the client to use this kind of authentication.
Because a the moment both Cert and username / password work, so no one
is forcing to client to do both. Server-side, I have to make sure that
arriving with just one of the 2 methods is not enough.
Jan Hugo
More information about the Freeradius-Users
mailing list