Authenticate with both Certificate and password

jan hugo prins jhp at
Wed Jun 8 12:16:58 CEST 2016


>> But now I want to have something special in one realm, in this one realm
>> I want to do a combination for certificate authentication and MsChapv2
>> authentication. This to make sure the user has a valid certificate and
>> also knows a valid user-name / password.
>> Is this possible to configure in FreeRadius?
>   Yes.  But you also need to configure it on the client.
>   Give the client a certificate.  Configure the client to do TTLS.  It will work.
>   It *won't* work on older versions of Windows.  This is because they don't do TTLS.  They only do PEAP, and they disallow client certificates for PEAP.
I have een looking on my Linux workstation and so far I only found the
option to put certificates in the TLS config, and in the TLS config I
can't include username / password credentials. I'm going to try what
happens if I modify the config files manually to include certificates
besides Username / Password credentials.

>> Is this possible in the variety of of WPA-Supplicants used (Apple, Linux
>> and Windows)
>> Is it possible to do this in just one realm?
>> If this is possible, could someone point me to some documentations that
>> describes this setup?
>   You've already got 99% of it working.  Just configure the client, and it will work.

Ok, that sounds really good, but then my second question: How do I force
the client to use this kind of authentication.
Because a the moment both Cert and username / password work, so no one
is forcing to client to do both. Server-side, I have to make sure that
arriving with just one of the 2 methods is not enough.

Jan Hugo

More information about the Freeradius-Users mailing list