On Nov 22, 2020, at 8:55 AM, Alan DeKok <aland@deployingradius.com> wrote: On Nov 20, 2020, at 12:31 PM, Jose Ramón Arnau Garví via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote: The ide is some similar to 2fa: * First I authenticate with User/Machine Certificate * Next I want to Introduce User/Pass to Authenticate with ldap througt Active Directory Can Anyone help me Notes: * I can authenticate with User/Machine Certificate * I can authenticate with User/pass with ldapt througt Active Directory I can't authenticate with 2 simultaneously I'm not sure what you mean by "simultaneously". Can you do both of those authentications in the same virtual server? Yes. Read the debug output to see how they're different, and then key off of those differences. Can you make the user do machine certificate *and* password authentication in the same authentication session? No, because that's up to the client. And Windows doesn't do that. The way I read this, what he’s trying to do is a two-step authentication process: 1) Use the machine cert to verify that the user is coming from a trusted device. 2) After it’s verified that that the device is good to go, then determine who the user is and take appropriate action then. Does it not, then, depend on where the user is authenticating? If it’s a builtin windows thing (for, say, 802.1x or similar, one may be out of luck. But it might make sense in the context of, say, a VPN client to verify the source device is within policy before authenticating the end user. Or am I overthinking here? Me personally, so far all I use RADIUS for is to authenticate and authorize administrative sessions into network gear itself, so I don’t know how to do anything cute, and I don’t do more than just PAP. -- Coy Hile coy.hile@coyhile.com