PEAP and MSCHAPv2 with personal supplicant certificates
mcn4 at leicester.ac.uk
Mon Sep 26 16:38:03 CEST 2016
On Mon, Sep 26, 2016 at 11:16:08AM -0300, Renato Rodrigues via Freeradius-Users wrote:
> We have a mixed environment with Linux and Windows 7 client machines and I
> (and I believe I'll succeed soon). I believe I'm close to replicating this
> behavior over PEAP, which would add the MSCHAPv2 authentication after the
> TLS validation, however this is not the full functionality that we desire.
The Windows supplicant refuses to send a client certificate with
PEAP, so you can't do both at the same time.
You might get it working with Linux and wpasupplicant.
> What has been troublesome for me is this last step, to lock the AD
> authentication to the same user declared on the certificate. It seems to me
> that the RADIUS server would be able to reject this kind of abuse, though
> it might not be the way it is supposed to work.
You could probably do this in the check-eap-tls virtual server in
v3. But only if you got a client certificate.
> right now is on a Debian server with freeradius 2.2.5, but we expect to put
> it in production on a pfSense firewall (I should confirm soon which version
Version 2 is obsolete. Don't use it for new deployments. Start
with the latest version of 3.0.
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
More information about the Freeradius-Users