two factor authentication mschapv2 and eap-tls
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Sun Sep 11 17:05:11 CEST 2016
> On 11 Sep 2016, at 09:42, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Sep 11, 2016, at 2:59 AM, stefan nowak <pionartest at gmail.com> wrote:
>> Is it possible to set up two-factor authentication using mschapv2 and eap-tls?
>
> That's called PEAP.
>
>> My concept is:
>> the first step is to use eap-tls to check if the user has a valid certificate; if
>> yes, then a prompt for user and password (mschapv2) should appear next,
>> where the data is checked against the Active Directory server. The user should get access
>> only if both steps succeed.
>>
>> Is it possible to do this with freeradius 3.x?

For clarification, it is technically possible. Any Linux or Android device will be able to perform 2FA with the first factor being a client certificate and the second factor being a password or OTP token.
Unfortunately Windows supplicants don't support it.
We request a certificate in the TLS session setup, and Windows just gets confused (tried it before).
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
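
The server-side setting behind "We request a certificate in the TLS session setup", shown as an added example that is not part of the original message or the project's shipped configuration. It assumes a FreeRADIUS 3.0.x `mods-available/eap` file; the `tls-common` and `inner-tunnel` names are taken from the default configuration layout and may differ locally.

```conf
# mods-available/eap (FreeRADIUS 3.0.x), excerpt of the eap { } module
eap {
    peap {
        # Reuse the shared TLS settings (server certificate and the CA
        # used to verify client certificates). "tls-common" is the section
        # name assumed from the default configuration.
        tls = tls-common

        # Second factor: MSCHAPv2 runs inside the TLS tunnel.
        default_eap_type = mschapv2

        # Inner authentication is processed by this virtual server
        # (default name, assumed here).
        virtual_server = "inner-tunnel"

        # Without the option below, PEAP does not ask the supplicant for
        # a certificate, so the password alone decides access:
        # require_client_cert = no

        # First factor: the TLS handshake fails unless the supplicant
        # presents a certificate that validates against the configured CA.
        require_client_cert = yes
    }
}
```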