PEAP and MSCHAPv2 with personal supplicant certificates

Alan DeKok aland at
Mon Sep 26 16:33:28 CEST 2016

On Sep 26, 2016, at 10:16 AM, Renato Rodrigues via Freeradius-Users <freeradius-users at> wrote:
> We have a mixed environment with Linux and Windows 7 client machines and I
> have successfully configured freeradius to authenticate to our AD server,
> through both PEAP and EAP-TLS.
> Over EAP-TLS the client certificate is being verified against the CA and on
> the CN against the declared EAP username. I am still working on encrypting
> the client certificate with personal passwords on each supplicant machine
> (and I believe I'll succeed soon). I believe I'm close to replicating this
> behavior over PEAP, which would add the MSCHAPv2 authentication after the
> TLS validation, however this is not the full functionality that we desire.

  Windows will not do PEAP with client certificates and MS-CHAPv2.

> The idea is to have individual certificates for each user, encrypted with a
> personal password. The certificates being signed by the server CA with
> usernames as CNs, which we are already able to check thanks to the great
> templates available, and as the second step we'd like to have the user
> authenticated (under the encrypted TLS connection) with MSCHAP against our
> Active Directory. The current challenge is to lock the tunneled
> authentication to the same username of the certificate step.

  You can check the inner-tunnel User-Name against the outer user-name, and against the outer certificate identity.

  See TLS-Cert-Subject-Alt-Name-Email in raddb/sites-available/default.

> What has been troublesome for me is this last step, to lock the AD
> authentication to the same user declared on the certificate. It seems to me
> that the RADIUS server would be able to reject this kind of abuse, though
> it might not be the way it is supposed to work. I couldn't find the right
> documentation on how to do it, so anything close to it can help me. Our lab
> right now is on a Debian server with freeradius 2.2.5,

  Upgrade to version 3.  It will be a LOT easier to configure.

  I have no idea why Debian insists on shipping versions of FreeRADIUS that are *years* out of date.

  Alan DeKok.
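The check Alan describes, written out as an added example for the reader (this is not configuration from the original message, from the FreeRADIUS project, or from the poster's lab). It assumes FreeRADIUS 3.x, where the MS-CHAPv2 exchange inside the PEAP tunnel runs in the `inner-tunnel` virtual server and the outer TLS request is reachable there as `outer.request`; the attribute names `TLS-Client-Cert-Common-Name` and `TLS-Client-Cert-Subject-Alt-Name-Email` are the 3.x dictionary names for what the reply calls `TLS-Cert-Subject-Alt-Name-Email`, and the `suffix`, `ntdomain`, `mschap` and `tolower` helpers are the ones shipped in the default `mods-enabled`; verify all of these against the dictionary and modules of the version actually installed. It only does anything useful when the supplicant presents a client certificate on the outer TLS session, which, as the reply notes, Windows will not do for PEAP.

```unlang
#  raddb/sites-available/inner-tunnel  (FreeRADIUS 3.x)  -- trimmed sketch
#
#  Runs for the MS-CHAPv2 request carried inside the PEAP tunnel.  The
#  outer (TLS) request, including the client-certificate attributes the
#  tls module filled in, is reachable from here as "outer.request".
server inner-tunnel {
    authorize {
        #  No client certificate on the outer session means there is
        #  nothing to lock the inner identity to: refuse outright.
        if (!&outer.request:TLS-Client-Cert-Common-Name) {
            update reply {
                Reply-Message := "No client certificate on the outer TLS session"
            }
            reject
        }

        #  Strip "DOMAIN\user" and "user@realm" so the bare account
        #  name lands in Stripped-User-Name (realm module instances
        #  from mods-enabled/realm).
        ntdomain
        suffix

        #  Nothing to strip: fall back to the inner User-Name as sent.
        if (!&Stripped-User-Name) {
            update request {
                &Stripped-User-Name := "%{User-Name}"
            }
        }

        #  The lock: the account authenticated by MS-CHAPv2 must be the
        #  CN of the certificate presented on the outer TLS handshake.
        #  Compared case-insensitively, since AD account names are.
        if ("%{tolower:%{Stripped-User-Name}}" != \
            "%{tolower:%{outer.request:TLS-Client-Cert-Common-Name}}") {
            update reply {
                Reply-Message := "Inner identity does not match client certificate"
            }
            reject
        }

        #  Optional second lock against the outer User-Name, as the
        #  reply also suggests.  Leave it out if supplicants send an
        #  anonymous outer identity, which is common and legitimate.
        #if ("%{tolower:%{Stripped-User-Name}}" != \
        #    "%{tolower:%{outer.request:User-Name}}") {
        #    reject
        #}

        mschap
    }

    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
    }
}
```

Rejecting in `authorize` of `inner-tunnel` fails the tunneled EAP method, so the outer PEAP session ends in an EAP-Failure and the supplicant is refused. Run the server with `radiusd -X` while testing: the debug output shows the `outer.request` attributes and the exact string comparison, which is the quickest way to spot a CN format (for example `user@example.org` versus `user`) that does not line up with what the realm stripping produces. To key on an e-mail SAN instead of the CN, swap `TLS-Client-Cert-Subject-Alt-Name-Email` into the comparison.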
