Le 2016-08-08 11:34, Matthew Newton a écrit :
On Fri, Aug 05, 2016 at 11:33:04AM +0200, Thomas Massip wrote:
In my case, I want authorize acces network only if Machine AND user auth are Ok, actually my machine auth fail but my user succed and he can acces to network. I search but i dont find tutorial for implement this restriction access, so if u have some tutorials or other link for help :D
Theoretically, you could use PEAP with client certificates. In practice, you can't.
Thanks for the answer, I found some documentation who tel me to authenticate machine first, and when she is authenticate I can made a User auth and attribute him the good vlan. Is it possible ?
The Windows supplicant will let you use "machine auth" or "user auth", but not both at the same time.
Hmm Can you explain me, because I Chose EAP-PEAP MSCHAPv2 on my client Windows7, I receive request from my client machine (TESTPC-THOMAS), but this fail with that: eap_mschapv2: Auth-Type MS-CHAP { Mon Aug 8 11:53:08 2016 : Debug: (31) eap_mschapv2: modsingle[authenticate]: calling mschap (rlm_mschap) for request 31 Mon Aug 8 11:53:08 2016 : Debug: (31) mschap: Found NT-Password Mon Aug 8 11:53:08 2016 : Debug: (31) mschap: Creating challenge hash with username: host/TESTPC-THOMAS Mon Aug 8 11:53:08 2016 : Debug: (31) mschap: Client is using MS-CHAPv2 Mon Aug 8 11:53:08 2016 : ERROR: (31) mschap: MS-CHAP2-Response is incorrect Mon Aug 8 11:53:08 2016 : Debug: (31) modsingle[authenticate]: returned from mschap (rlm_mschap) for request 31 Mon Aug 8 11:53:08 2016 : Debug: (31) [mschap] = reject Mon Aug 8 11:53:08 2016 : Debug: (31) } # Auth-Type MS-CHAP = reject I try something, I can get same error when my password User is wrong, so I think the Machine dont send the same password stock in ldap, but how can I know what is the password send by the comptuer account ? (I know this is maybe out sugbject cause not radius but if u have some idea) Regards, Thomas