On 24/11/2020 10:56, Coy Hile wrote:
On Nov 23, 2020, at 8:34 AM, Alan DeKok <aland@deployingradius.com> wrote: Except that with a VPN, it *won't* do host authentication separately. It will only do user authentication. And you *might* get a MAC address or other machine identification. But likely not.
Hmm, doesn’t that depend on the VPN client (and server for that matter)?
The original question said "Windows". It didn't specify what type of auth. The assumption is WiFi, and Alan's answer is correct. But it's still only based on an assumption as the question was vague.
Is it possible to configure the server in such a way that it’d work like I described? That is, I guess, to require that multiple modules succeed, namely whatever does the cert verification and, say, ldap talking to the Directory?
Yes. But depending on what you want you're still going to be restricted by the end user's setup, whether that's VPN, WiFi or anything else. e.g. see https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-avail... There's nothing stopping you looking up some information you have available in 20 different databases to make sure they are all OK. You can always reject. But getting the client's supplicant to e.g. provide both a certificate *and* username/password credentials is not possible with most supplicants as they just don't support it. -- Matthew