
NPS & RADIUS Authentication with SmartCard

Working on a data switch for PKI Smart Card authentication using RADIUS to provide Authentication and Authorization to the CLI. So not a PEAP, EAP, 802.1x type solution. Client Access with return attribute that provides Authorization to the device.

The user name is taken from the Subject of the X.509 Certificate, and what we are missing is what needs to be sent via RADIUS PAP/CHAP/MS-CHAP as the password. I have seen a number of responses around the internet and here on TechNet. None answer the question. The certificate as the password is too big if NPS follows the RFC. Smallest size would be 2k and the RFC only allows 128 characters. It would not be the private key; that would be something you should not be sharing, and it is also too big. So what gets sent as the password to NPS? Is this even supported?

Note, RADIUS configuration was tested prior to activating smartcard authentication. Standard user name and password works just fine and provides RADIUS return attribute that enables authorization on the networking device.

Windows Server 2016 Data Center

Active Directory with SmartCard enabled on Users

NPS Installed and Configured to support RADIUS Client Authentication and Authorization

Third Party Data Networking device configured to use NPS as a RADIUS server for Authentication and Authorization.  
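
The size constraint raised in the question, worked through as an added example (not part of the original post and not NPS code): the RFC 2865 section 5.2 User-Password hiding used for PAP, written in Python, which refuses anything longer than 128 octets. The shared secret, Request Authenticator, password and the 2048-byte stand-in for a certificate are constructed values, and the function names are hypothetical.

```python
import hashlib

MAX_PAP_OCTETS = 128  # RFC 2865 section 5.2 limit on the User-Password value
BLOCK = 16            # MD5 digest size; the password is hidden in 16-octet blocks


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Build the User-Password attribute value a RADIUS client sends for PAP."""
    if len(request_auth) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > MAX_PAP_OCTETS:
        raise ValueError(f"{len(password)} octets will not fit in User-Password")
    # NUL-pad to a multiple of 16; an empty password still occupies one block.
    padded = password.ljust(max(BLOCK, -(-len(password) // BLOCK) * BLOCK), b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), BLOCK):
        mask = hashlib.md5(secret + prev).digest()  # b_i = MD5(S + c_(i-1))
        prev = bytes(p ^ m for p, m in zip(padded[i:i + BLOCK], mask))
        hidden += prev
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo the hiding with the same shared secret."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        mask = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return plain.rstrip(b"\x00")


def fits_user_password(credential: bytes) -> bool:
    """True if the credential is short enough to travel as a PAP password."""
    return len(credential) <= MAX_PAP_OCTETS


# Constructed sample values, not taken from any real deployment.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
FAKE_CERT = b"\x30\x82" + b"\xAA" * 2046  # stand-in for a ~2 KB DER certificate

if __name__ == "__main__":
    wire = hide_user_password(b"CorrectHorse9!", SECRET, REQUEST_AUTH)
    print(len(wire), reveal_user_password(wire, SECRET, REQUEST_AUTH))
    print("certificate fits:", fits_user_password(FAKE_CERT))
```
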

