Discussion:
Freeradius authentication with SSL client certificates
Tom Yard
2018-11-26 15:06:31 UTC
Hi people, I want to implement a Freeradius authentication scheme, using
server and client SSL certificates: every client that requires WiFi access
has to have a valid SSL certificate.

I think I have to use:

Authentication method: EAP-TLS
Authentication protocol with NTLM: MSCHAP or MSCHAPv2

My clients are Windows, Linux and maybe Android.

Is my proposal correct ?

Thanking in advance.

Tommy
-
List info/subscribe/unsubscribe? See http://www.freerad
Arran Cudbard-Bell
2018-11-26 17:04:39 UTC
Post by Tom Yard
Hi people, I want to implement a Freeradius authentication scheme, using
server and client SSL certificates: every client that requires WiFi access
has to have a valid SSL certificate.
Authentication method: EAP-TLS
Authentication protocol with NTLM: MSCHAP or MSCHAPv2
My clients are Windows, Linux and maybe Android.
Is my proposal correct ?
EAP-TLS can't carry an inner method, so not really. You can use EAP-TTLS with a client cert (so it behaves like EAP-TLS), and then run EAP-MSCHAPv2 as the inner method to do NTLM.


-Arran
Matthew Newton
2018-11-26 17:19:46 UTC
Post by Tom Yard
Hi people, I want to implement a Freeradius authentication scheme, using
server and client SSL certificates: every client that requires WiFi access
has to have a valid SSL certificate.
If this is the _only_ requirement (i.e. that the client needs a cert to
authenticate) then you just need EAP-TLS.
--
Matthew

luckydog xf
2018-11-27 00:23:54 UTC
For wifi authentication, only two methods are usable,

1. EAP-TTLS (an extension of EAP), which requires certs installed on each
terminal (PC, Android, etc).
2. EAP-mschapv2 (sometimes called PEAP-MSCHAPV2).

Both of them are running inner layer of EAP, an alias is PEAP.

Correct me if I am wrong.
Post by Matthew Newton
Post by Tom Yard
Hi people, I want to implement a Freeradius authentication scheme, using
server and client SSL certificates: every client that requires WiFi access
has to have a valid SSL certificate.
If this is the _only_ requirement (i.e. that the client needs a cert to
authenticate) then you just need EAP-TLS.
--
Matthew
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
Alan DeKok
2018-11-27 02:17:35 UTC
Post by luckydog xf
For wifi authentication, only two methods are usable,
No.
Post by luckydog xf
1. EAP-TTLS (an extension of EAP), which requires certs installed on each
terminal (PC, Android, etc).
2. EAP-mschapv2 (sometimes called PEAP-MSCHAPV2).
No. EAP-MSCHAPv2 is not PEAP. PEAP is an EAP method that uses TLS *and* EAP-MSCHAPv2.
Post by luckydog xf
Both of them are running inner layer of EAP, an alias is PEAP.
No.
Post by luckydog xf
Correct me if I am wrong.
Most of that was wrong.

There is documentation on Wikipedia that describes EAP, and the various EAP methods. It should help clarify this.

Alan DeKok.
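
Added example, not part of the thread and not posted by any participant: a FreeRADIUS `eap` module fragment showing the two setups the replies describe, EAP-TLS on its own and EAP-TTLS with a required client certificate plus EAP-MSCHAPv2 inside the tunnel. It assumes the FreeRADIUS 3.x `mods-available/eap` layout; the file paths and the key password are placeholders.

```conf
# mods-available/eap -- added illustration, FreeRADIUS 3.x layout assumed.
eap {
    # Method the server proposes first; the supplicant may ask for
    # another method that has a section below.
    default_eap_type = tls

    tls-config tls-common {
        # Server key and certificate shown to the supplicant (placeholders).
        private_key_password = "CHANGE_ME"
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem

        # CA that issued the client certificates. A client certificate
        # that does not chain to this CA is rejected.
        ca_file = ${cadir}/ca.pem

        # Optional revocation check. It needs a current CRL available in
        # ca_path; enable only once the CRL is published there.
        # check_crl = yes
        # ca_path = ${cadir}
    }

    # Setup 1 (Matthew Newton's reply): the client certificate is the only
    # credential, so plain EAP-TLS is enough.
    tls {
        tls = tls-common
    }

    # Setup 2 (Arran Cudbard-Bell's reply): EAP-TTLS that demands a client
    # certificate for the outer tunnel, then runs EAP-MSCHAPv2 inside it.
    ttls {
        tls = tls-common
        require_client_cert = yes
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
    }

    # Needed for the inner EAP-MSCHAPv2 when the inner-tunnel virtual
    # server calls this same eap module (assumption: stock layout).
    mschapv2 {
    }
}
```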