802.1x in Windows

Michael Schwartzkopff ms at sys4.de
Tue Sep 6 11:55:27 CEST 2016

On Tuesday, 6 September 2016, 10:26:07 you wrote:
> On Tue, Sep 06, 2016 at 09:03:14AM +0200, Michael Schwartzkopff wrote:
> > this might be a little bit off topic, but perhaps someone can help here.
> A little.
> > I want to set up 802.1x for Windows systems. In Windows 7 and higher, is it
> > possible to use certificates for the client authentication if no user is
> > logged in, but passwords for the user authentication?
> For Windows 7 at least, you can use
>   "user authentication" which is either with certificates (EAP-TLS)
>   or username/password (PEAP/MSCHAPv2).
> or
>   "machine authentication" which usually uses certificates
>   (EAP-TLS), but I believe can auth with the username and password
>   of the computer's AD account with MSCHAPv2.
> You can't use both at the same time (e.g. PEAP/MSCHAPv2 with the
> "machine" certificate sent as a client certificate in PEAP and the
> user's password sent in the MSCHAPv2 part) because Windows won't
> let you send a client certificate as part of PEAP, even though
> it's technically allowed. EAP-TLS is certificate only.
> There is an option somewhere that lets you use "machine"
> authentication at boot time, and then to re-authenticate using the
> user's credentials when they log in to Windows, but I forget where
> it is now. This sounds like it's what you want.

Yes. That is what I was looking for. But it seems I have to set it up in my
lab to test it.

> FreeRADIUS can handle all of the above.

I know :-)

Kind regards,

Michael Schwartzkopff

[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, District Court (Amtsgericht) München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein