PEAP and MSCHAPv2 with personal supplicant certificates

Matthew Newton mcn4 at
Mon Sep 26 16:38:03 CEST 2016

On Mon, Sep 26, 2016 at 11:16:08AM -0300, Renato Rodrigues via Freeradius-Users wrote:
> We have a mixed environment with Linux and Windows 7 client machines and I
> (and I believe I'll succeed soon). I believe I'm close to replicating this
> behavior over PEAP, which would add the MSCHAPv2 authentication after the
> TLS validation, however this is not the full functionality that we desire.

The Windows supplicant refuses to send a client certificate with
PEAP, so you can't do both at the same time.

You might get it working with Linux and wpasupplicant.

> What has been troublesome for me is this last step, to lock the AD
> authentication to the same user declared on the certificate. It seems to me
> that the RADIUS server would be able to reject this kind of abuse, though
> it might not be the way it is supposed to work.

You could probably do this in the check-eap-tls virtual server in
v3. But only if you got a client certificate.

> right now is on a Debian server with freeradius 2.2.5, but we expect to put
> it in production on a pfSense firewall (I should confirm soon which version

Version 2 is obsolete. Don't use it for new deployments. Start
with the latest version of 3.0.


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list