802.1x in Windows
Matthew Newton
mcn4 at leicester.ac.uk
Tue Sep 6 11:26:07 CEST 2016
On Tue, Sep 06, 2016 at 09:03:14AM +0200, Michael Schwartzkopff wrote:
> this might be a little bit off topic, but perhaps someone can help here.
A little.
> I want to set up 802.1x for windows systems. In Windows 7 and higher, is it
> possible to use certificates for the client authentication if no user is logged
> in, but passwords for the user authentication?
For Windows 7 at least, you can use
"user authentication" which is either with certificates (EAP-TLS)
or username/password (PEAP/MSCHAPv2).
or
"machine authentication" which usually uses certificates
(EAP-TLS), but I believe can auth with the username and password
of the computer's AD account with MSCHAPv2.
You can't use both at the same time (e.g. PEAP/MSCHAPv2 with the
"machine" certificate sent as a client certificate in PEAP and the
user's password sent in the MSCHAPv2 part) because Windows won't
let you send a client certificate as part of PEAP, even though
it's technically allowed. EAP-TLS is certificate only.
There is an option somewhere that lets you use "machine"
authentication at boot time, and then to re-authenticate using the
user's credentials when they log in to Windows, but I forget where
it is now. This sounds like it's what you want.
Windows 8/10 may be more or less flexible. They at least now
permit EAP-TTLS/PAP, rather than just PEAP/MSCHAPv2.
You can also do PEAP/EAP-TLS, which is of no real benefit over the
plain EAP-TLS, except that it allows you to gather system
statement-of-health (SoH) data on the RADIUS server.
FreeRADIUS can handle all of the above.
Matthew
--
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
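The "option somewhere" that Matthew mentions is the authentication mode of the wired 802.1X profile, which Windows stores in the profile XML as the OneX `authMode` element ("User or computer authentication" in the GUI is `machineOrUser`). The PowerShell below is an added example, not code from the original post or from FreeRADIUS: it exports the existing wired profile with netsh, flips `authMode` to `machineOrUser` so the machine authenticates at boot and re-authenticates with the user's credentials at logon, and re-imports it. The interface name "Ethernet" and the folder `C:\Temp\dot1x` are placeholders, and it assumes the profile (PEAP/MSCHAPv2 or EAP-TLS) was already created once in the GUI so that the EAPConfig block is present; it must be run from an elevated prompt.

```powershell
# Added example (not from the original post): switch a wired 802.1X profile to
# "User or computer authentication" by setting OneX/authMode to machineOrUser.
# Assumptions: interface "Ethernet" and folder C:\Temp\dot1x are placeholders;
# the profile already exists (created in the GUI), so EAPConfig is filled in.

$Interface = "Ethernet"
$Folder    = "C:\Temp\dot1x"

# Wired AutoConfig (dot3svc) must be running for netsh lan and 802.1X to work.
$svc = Get-Service -Name dot3svc
if ($svc.Status -ne 'Running') {
    Start-Service -Name dot3svc
}

New-Item -ItemType Directory -Force -Path $Folder | Out-Null

# Export the current wired profile for the interface into the folder.
netsh lan export profile folder="$Folder" interface="$Interface" | Out-Null
$ProfileFile = Get-ChildItem -Path $Folder -Filter *.xml | Select-Object -First 1
if ($null -eq $ProfileFile) {
    throw "No profile exported for interface '$Interface'; is 802.1X enabled on it?"
}

[xml]$Profile = Get-Content -Path $ProfileFile.FullName -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($Profile.NameTable)
$ns.AddNamespace("onex", "http://www.microsoft.com/networking/OneX/v1")

# authMode lives under the OneX element; valid values are machineOrUser,
# machine, user and guest. Do not insert the element if it is missing: the
# OneX schema is order-sensitive, so fix the profile in the GUI instead.
$AuthMode = $Profile.SelectSingleNode("//onex:OneX/onex:authMode", $ns)
if ($null -eq $AuthMode) {
    throw "No OneX/authMode element in $($ProfileFile.FullName); enable 802.1X on the adapter first."
}
Write-Output "Current authMode: $($AuthMode.InnerText)"
$AuthMode.InnerText = "machineOrUser"
$Profile.Save($ProfileFile.FullName)

# Re-import the modified profile and show what Windows now has for the interface.
netsh lan add profile filename="$($ProfileFile.FullName)" interface="$Interface"
netsh lan show profiles interface="$Interface"
```

The exported XML contains the EAP method configuration but no user secrets, so keeping it around is harmless; after the import, the `netsh lan show profiles` output should list the authentication mode as user-or-machine, and on the RADIUS side the boot-time request arrives with a `host/<computer>.<domain>` identity followed by a second request with the user's identity once they log in.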