On Tue, Apr 18, 2006 at 01:07:10PM -0400, Alan DeKok wrote:

        i have a similar situation

        i want to use "two factor authentication"

        - one certificate (not exportable) installed by Office Automation Department
        - active directory login/passwd

        so if you do not have the certificate, you are not allowed to log in although you know a valid AD login/pass
        and you are not allowed to log in only with a valid certificate, you must have a valid AD login/pass

        i have configured eap-peap and i have added the DEFAULT EAP-TLS-Require-Client-Cert := Yes in the users file
        but i do not know how to force windows 2000 and windows xp to send the client certificate during a peap authentication, maybe a regedit change ...

        i know that it is not a "radius" problem, but i would be very pleased if someone can help me how to do it
        if i find the solution i will share it with the list members

        best regards

        alfonso


> Walter Reynolds <[EMAIL PROTECTED]> wrote:
> > What I am trying to figure out is a way to not only have a certificate, 
> > but a secondary way to verify that that certificate is being used by a 
> > person we allow.
> 
>   Passwords.
> 
> > Is this something that can be done?  Has anyone run into a similar problem 
> > and what did they do?  I know we could go TTLS and not have a machine 
> > cert, but then we get fears of man-in-the-middle.
> 
>   I would suggest a self-signed server cert, and a client certificate.
> You can use EAP-TLS-Require-Client-Cert to force a particular session
> to require a client cert.  This works for TTLS, too.
> 
>   The server will then verify that the client cert is signed by the
> cert it has, which should prevent man in the middle attacks.
> 
>   Alan DeKok.
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html