PEAP and MSCHAPv2 with personal supplicant certificates

Renato Rodrigues rrodrigues at mt4.com.br
Thu Sep 29 17:27:52 CEST 2016


Thank you both very much for your recommendations. I'm building a new lab
on CentOS 7 (for now) and I'm pretty optimistic on this.

Regards,

*Renato Zipper*
<http://www.mt4.com.br/>

2016-09-26 11:38 GMT-03:00 Matthew Newton <mcn4 at leicester.ac.uk>:

> On Mon, Sep 26, 2016 at 11:16:08AM -0300, Renato Rodrigues via
> Freeradius-Users wrote:
> > We have a mixed environment with Linux and Windows 7 client machines and I
> ...
> > (and I believe I'll succeed soon). I believe I'm close to replicating this
> > behavior over PEAP, which would add the MSCHAPv2 authentication after the
> > TLS validation, however this is not the full functionality that we desire.
>
> The Windows supplicant refuses to send a client certificate with
> PEAP, so you can't do both at the same time.
>
> You might get it working with Linux and wpasupplicant.
>
> > What has been troublesome for me is this last step, to lock the AD
> > authentication to the same user declared on the certificate. It seems to me
> > that the RADIUS server would be able to reject this kind of abuse, though
> > it might not be the way it is supposed to work.
>
> You could probably do this in the check-eap-tls virtual server in
> v3. But only if you got a client certificate.
>
> > right now is on a Debian server with freeradius 2.2.5, but we expect to put
> > it in production on a pfSense firewall (I should confirm soon which version
>
> Version 2 is obsolete. Don't use it for new deployments. Start
> with the latest version of 3.0.
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
>
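The binding check Matthew points at (reject the inner MSCHAPv2 login when it is not the user named in the client certificate), written out as a stand-alone Python example. This is added here and is not from the thread or from FreeRADIUS; in a deployment it would be unlang policy in a 3.0 virtual server, and the `TLS-Client-Cert-*` attribute names and the sample requests below are assumptions and constructed values.

```python
# Added example: identity binding between a client certificate and the
# inner MSCHAPv2 user name. The dict stands in for the RADIUS request;
# attribute names follow FreeRADIUS 3.0's TLS-Client-Cert-* naming and are
# assumed here, sample values are constructed.

def normalise_identity(name: str) -> str:
    """Reduce the forms an AD client sends to a bare lower-case account name:
    'CORP\\jdoe', 'jdoe@corp.example' and 'jdoe' all become 'jdoe'."""
    name = name.strip()
    if "\\" in name:                      # DOMAIN\user -> user
        name = name.rsplit("\\", 1)[1]
    if "@" in name:                       # user@realm -> user
        name = name.split("@", 1)[0]
    return name.lower()

def cert_matches_inner_user(request: dict) -> bool:
    """True only if the account authenticated by inner MSCHAPv2 is the one
    the client certificate was issued to. Prefers the SAN UPN (what AD puts
    in user certificates) and falls back to the CN; no certificate at all
    means there is nothing to bind, so the request is rejected."""
    inner_user = request.get("User-Name")
    if not inner_user:
        return False
    cert_ids = [request.get("TLS-Client-Cert-Subject-Alt-Name-Upn"),
                request.get("TLS-Client-Cert-Common-Name")]
    cert_ids = [c for c in cert_ids if c]
    if not cert_ids:
        return False
    wanted = normalise_identity(inner_user)
    return any(normalise_identity(c) == wanted for c in cert_ids)

# Constructed sample requests
GOOD = {"User-Name": "CORP\\jdoe",
        "TLS-Client-Cert-Subject-Alt-Name-Upn": "jdoe@corp.example",
        "TLS-Client-Cert-Common-Name": "John Doe"}
# jdoe's certificate presented with another account's inner credentials:
# the case the thread wants the RADIUS server to reject
MISMATCH = {"User-Name": "CORP\\admin",
            "TLS-Client-Cert-Subject-Alt-Name-Upn": "jdoe@corp.example"}
NO_CERT = {"User-Name": "jdoe"}

if __name__ == "__main__":
    for label, req in (("good", GOOD), ("mismatch", MISMATCH), ("no-cert", NO_CERT)):
        print(label, "accept" if cert_matches_inner_user(req) else "reject")
```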

