two factor authentication mschapv2 and eap-tls

Arran Cudbard-Bell a.cudbardb at
Sun Sep 11 17:05:11 CEST 2016

> On 11 Sep 2016, at 09:42, Alan DeKok <aland at> wrote:
> On Sep 11, 2016, at 2:59 AM, stefan nowak <pionartest at> wrote:
>> Is it possible to set up two-factor authentication using mschapv2 and eap-tls?
>  That's called PEAP.
>> My concept is:
>> the first step is to use eap-tls to check if the user has a valid certificate; if
>> yes, then a prompt for user and password (mschapv2) should appear next,
>> with the data checked against the Active Directory server. The user should get access
>> only if both steps succeed.
>> Is it possible to do this with freeradius 3.x?

For clarification, it is technically possible.  Any Linux or Android device will be able to perform 2FA with the first factor being a client certificate and the second factor being a password or OTP token.

Unfortunately Windows supplicants don't support it.

We request a certificate in the TLS session setup, and Windows just gets confused (tried it before).


Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
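
The server-side arrangement discussed above (a client certificate requested during the PEAP TLS session setup, then MSCHAPv2 inside the tunnel), as a FreeRADIUS 3.x `mods-available/eap` fragment. This is an added example, not configuration posted in the thread; the certificate file names are placeholders and only the settings relevant to the two factors are shown.

```conf
# mods-available/eap (FreeRADIUS 3.x): added illustration, not from the thread.
# File names under ${certdir} and ${cadir} are placeholders.
eap {
	default_eap_type = peap

	tls-config tls-common {
		private_key_file = ${certdir}/server.key
		certificate_file = ${certdir}/server.pem

		# CA that issued the client certificates (first factor).
		# Client certificates are verified against this CA.
		ca_file = ${cadir}/ca.pem
	}

	peap {
		tls = tls-common

		# The default is "no": the outer TLS tunnel authenticates only
		# the server. With "yes" the server requests a client
		# certificate in the TLS session setup and the session fails
		# if the supplicant does not present a valid one.
		require_client_cert = yes

		# Second factor: MSCHAPv2 carried inside the tunnel. The
		# password check against Active Directory is done by the
		# mschap module called from the inner virtual server.
		default_eap_type = mschapv2
		virtual_server = "inner-tunnel"
	}

	mschapv2 {
	}
}
```

With `require_client_cert = yes`, supplicants that cannot send a certificate for PEAP, such as the Windows supplicants mentioned above, fail during the TLS handshake before the password stage is reached.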
