Freeradius authentication with SSL client certificates

Tom Yard
Hi people, I want to implement a Freeradius authentication scheme, using
server and client SSL certificates: every client that requires WiFi access
has to have a valid SSL certificate.

I think I have to use:

Authentication method: EAP-TLS
Authentication protocol with NTLM: MSCHAP or MSCHAPv2

My clients are Windows, Linux and maybe Android.

Is my proposal correct?

Thanking in advance.

Tommy
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius authentication with SSL client certificates

arr2036


> On Nov 26, 2018, at 3:06 PM, Tom Yard <[hidden email]> wrote:
>
> Hi people, I want to implement a Freeradius authentication scheme, using
> server and client SSL certificates: every client that requires WiFi access
> has to have a valid SSL certificate.
>
> I think I have to use:
>
> Authentication method: EAP-TLS
> Authentication protocol with NTLM: MSCHAP or MSCHAPv2
>
> My clients are Windows, Linux and maybe Android.
>
> Is my proposal correct?

EAP-TLS can't carry an inner method, so not really. You can use EAP-TTLS with a client cert (so it behaves like EAP-TLS), and then run EAP-MSCHAPv2 as the inner method to do NTLM.


-Arran

Re: Freeradius authentication with SSL client certificates

Matthew Newton-3
In reply to this post by Tom Yard
On Mon, 2018-11-26 at 12:06 -0300, Tom Yard wrote:
> Hi people, I want to implement a Freeradius authentication scheme,
> using
> server and client SSL certificates: every client that requires WiFi
> access
> has to have a valid SSL certificate.

If this is the _only_ requirement (i.e. that the client needs a cert to
authenticate) then you just need EAP-TLS.

--
Matthew


Re: Freeradius authentication with SSL client certificates

luckydog xf
For wifi authentication, only two methods are usable:

1. EAP-TTLS (an extension of EAP), which requires certs installed on each
terminal (PC, Android, etc.).
2. EAP-mschapv2 (sometimes called PEAP-MSCHAPV2).

Both of them are running inner layer of EAP, an alias is PEAP.

Correct me if I am wrong.

On Tue, Nov 27, 2018 at 1:21 AM Matthew Newton <[hidden email]> wrote:

> On Mon, 2018-11-26 at 12:06 -0300, Tom Yard wrote:
> > Hi people, I want to implement a Freeradius authentication scheme,
> > using
> > server and client SSL certificates: every client that requires WiFi
> > access
> > has to have a valid SSL certificate.
>
> If this is the _only_ requirement (i.e. that the client needs a cert to
> authenticate) then you just need EAP-TLS.
>
> --
> Matthew
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

Re: Freeradius authentication with SSL client certificates

Alan DeKok-2
On Nov 26, 2018, at 7:23 PM, luckydog xf <[hidden email]> wrote:
>
> For wifi authentication, only two methods are usable:

  No.

> 1. EAP-TTLS (an extension of EAP), which requires certs installed on each
> terminal (PC, Android, etc.).
> 2. EAP-mschapv2 (sometimes called PEAP-MSCHAPV2).


  No. EAP-MSCHAPv2 is not PEAP.  PEAP is an EAP method that uses TLS *and* EAP-MSCHAPv2.

> Both of them are running inner layer of EAP, an alias is PEAP.

  No.

> Correct me if I am wrong.

  Most of that was wrong.

  There is documentation on Wikipedia that describes EAP, and the various EAP methods.  It should help clarify this.

  Alan DeKok.
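
The methods named in this thread are distinct EAP types on the wire, which the following added example (not code from any poster or from FreeRADIUS) makes visible by decoding the outer EAP header of a reassembled RADIUS EAP-Message value. The function names and the sample packets are constructed for illustration; it goes slightly beyond the thread by also decoding the Nak a supplicant sends when it insists on a different method, which is how to confirm a client really negotiated a certificate-based method.

```python
import struct

CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method numbers for the methods named in this thread.
TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS",
         25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_BASED = {13, 21, 25}  # methods that open a TLS session


def type_name(t):
    return TYPES.get(t, f"type-{t}")


def parse_eap(packet: bytes) -> dict:
    """Decode one EAP packet (the reassembled RADIUS EAP-Message value)."""
    if len(packet) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP length field")
    out = {"code": CODES.get(code, f"code-{code}"), "id": ident}
    if code not in (1, 2) or length == 4:
        return out  # Success/Failure carry no Type field
    etype, data = packet[4], packet[5:length]
    out["method"] = type_name(etype)
    if etype == 1:
        out["identity"] = data.decode("utf-8", "replace")
    elif etype == 3:  # Nak: the peer lists the methods it will accept
        out["wants"] = [type_name(t) for t in data]
    elif etype in TLS_BASED and data:
        flags = data[0]
        out["start"] = bool(flags & 0x20)
        out["more_fragments"] = bool(flags & 0x40)
        out["length_included"] = bool(flags & 0x80)
        # An inner EAP-MSCHAPv2 (type 26) travels inside the TLS tunnel of
        # EAP-TTLS or PEAP, so it never shows up as the outer method here.
    return out


# Constructed sample: server offers PEAP, client insists on EAP-TLS.
SAMPLE = [bytes.fromhex(h) for h in (
    "010200061920",  # Request  id=2 PEAP, Start flag
    "02020006030d",  # Response id=2 Nak, wants type 13
    "010300060d20",  # Request  id=3 EAP-TLS, Start flag
    "03040004",      # Success  id=4
)]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(parse_eap(pkt))
```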

