2015-12-26 20:54 GMT+01:00 Alan DeKok <aland@deployingradius.com>:
On Dec 26, 2015, at 1:03 PM, Lukas Haase <lukashaase@gmx.at> wrote:
1.) Client presents a certificate signed by the CA -> authentication should succeed ("machine authentication").
Stop calling it "machine authentication". Part of becoming familiar with the topic is that you *don't* use the wrong terminology.
Get the idea of "machine authentication" out of your head. Just stop it. It's unhelpful, confusing, and wastes everyones time.
It isn't wrong terminology. Windows (XP -> 10) uses this. One can chose between machine and user authentication. The difference between both is: Machine auth happens BEFORE a user logs into Windows. User auth happens AFTER a user logged into Windows. One actually could use two certificates, one for the machine (is the machine allowed to access the network? If yes into which VLAN should we put it?) and one for the user (is the user allowed to access the network?). Using both you could do machine auth first and get the machine put into VLAN 1 to get DHCP stuff and access to eg. Active directory (which is required for user auth). Then you can do user auth and put the machine into the VLAN the user actually belongs to. This way no one could BYOD which may be infected / insecure. Additionally one could block inexperienced users from using administrative computers. The problem is this only works with an Active Directory / Primary Domain Controller, thus you need Microsoft Windows Server. It doesn't work with Samba or whatever else. Correct however is that from the FR point of view both authentications look "the same". It just Windows making a (beneficial) difference I wish every OS would do.