EAP-TEAP not doing 2nd inner Method

Alan DeKok aland at deployingradius.com
Fri Dec 6 12:50:08 UTC 2024


On Dec 6, 2024, at 6:12 AM, Martin B. <martinbiniek at googlemail.com> wrote:
> I would like to implement EAP-TEAP because it should (theoretically) be possible that even if one of the two identities could not get verified (e.g., because there is no user certificate on the client yet), the server returns an Access-Accept, and depending on which of the two identities failed, the client is placed in a specific VLAN.

  My point is still that having two certificates on the same machine isn't any more secure than having one certificate.

> If a user logs in to a client where only a machine certificate exists, the RADIUS server could detect this with the help of EAP-TEAP (because the user certificate does not exist and therefore no EAP-Identity is present) and the client could be placed in a network where it automatically receives the required user certificate. After receiving the certificate, a re-auth of the client would need to be performed so that it can be determined that both identities have been verified and the client can then access the internal company network.

  Calling one certificate a "user" certificate doesn't mean that it authenticates the user.  Instead of saying that TEAP uses "machine" and "user" certs, we could just as well say that it uses "green" and "blue" certificates.

  The only real difference between the two certificates is that they're stored in different places on the same machine.

  Perhaps the intention is to say both "This machine is authenticating, AND this user is currently logged into the machine".  But that's an intention, and isn't reflected in how the protocol works.  The server just gets two certificates, and has no way of knowing if the machine is telling the truth, or is lying.

  It's really an illusion of extra security.

> I tried to achieve this behavior by adding the custom EAP-TEAP configuration you provided to my FreeRADIUS and playing with the configuration a bit, but so far without success. Even if the FreeRADIUS server receives an "Unknown EAP-Identity" and then sends back an Access-Accept, the client remains disconnected from the network. Probably because the client only wants to connect to the network when both the server and the client have processed a "FreeRADIUS-EAP-TEAP-Result = Success".
> 
> Do you plan on implementing this or is FreeRADIUS already capable of such behavior?

  See your comment above:

> the client only wants to connect to the network when both the server and the client have processed a success

 The client has to agree to connect to the network.  If the client doesn't agree, then no amount of changes to FreeRADIUS will make the client behave any differently.

> And also, thank you for your help Alan. I really appreciate that.

  You're welcome.

  Alan DeKok.
