Am Dienstag, 6. September 2016, 10:26:07 schrieben Sie:
On Tue, Sep 06, 2016 at 09:03:14AM +0200, Michael Schwartzkopff wrote:
this might be a little bit off topic, but perhaps someone can help here.
A little.
I want to set up 802.1x for windows systems. In windows 7 an higher, is it possible to use certificates for the client authentication if no user is logged in, but passwords for the user authentication?
For Windows 7 at least, you can use
"user authentication" which is either with certificates (EAP-TLS) or username/password (PEAP/MSCHAPv2).
or
"machine authentication" which usually uses certificates (EAP-TLS), but I believe can auth with the username and password of the computer's AD account with MSCHAPv2.
You can't use both at the same time (e.g. PEAP/MSCHAPv2 with the "machine" certificate sent as a client certificate in PEAP and the user's password sent in the MSCHAPv2 part) because Windows won't let you send a client certificate as part of PEAP, even though it's technically allowed. EAP-TLS is certificate only.
There is an option somewhere that lets you use "machine" authentication at boot time, and then to re-authenticate using the user's credentials when they log in to Windows, but I forget where it is now. This sounds like it's what you want.
Yes. Thats is what I was looking for. But it seems I have to set it up in my lab to test it. (...)
FreeRADIUS can handle all of the above.
I know :-) Mit freundlichen Grüßen, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 Schleißheimer Straße 26/MG, 80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein