On Mon, Aug 08, 2016 at 12:05:19PM +0200, Thomas Massip wrote:
Le 2016-08-08 11:34, Matthew Newton a écrit :
On Fri, Aug 05, 2016 at 11:33:04AM +0200, Thomas Massip wrote:
In my case, I want authorize acces network only if Machine AND user auth are Ok, actually my machine auth fail but my user succed and he can acces to
Theoretically, you could use PEAP with client certificates. In practice, you can't.
I found some documentation who tel me to authenticate machine first, and when she is authenticate I can made a User auth and attribute him the good vlan. Is it possible ?
There is (or used to be) a setting in Windows where you could do machine auth at boot time, and then user auth after the login prompt. But they are separate - you don't get the machine auth credentials at the same time as the user details.
The Windows supplicant will let you use "machine auth" or "user auth", but not both at the same time.
Hmm Can you explain me, because I Chose EAP-PEAP MSCHAPv2 on my client Windows7, I receive request from my client machine (TESTPC-THOMAS), but this fail with that:
eap_mschapv2: Auth-Type MS-CHAP { Mon Aug 8 11:53:08 2016 : Debug: (31) eap_mschapv2: modsingle[authenticate]: calling mschap (rlm_mschap) for request 31 Mon Aug 8 11:53:08 2016 : Debug: (31) mschap: Found NT-Password Mon Aug 8 11:53:08 2016 : Debug: (31) mschap: Creating challenge hash with username: host/TESTPC-THOMAS Mon Aug 8 11:53:08 2016 : Debug: (31) mschap: Client is using MS-CHAPv2 Mon Aug 8 11:53:08 2016 : ERROR: (31) mschap: MS-CHAP2-Response is incorrect Mon Aug 8 11:53:08 2016 : Debug: (31) modsingle[authenticate]: returned from mschap (rlm_mschap) for request 31 Mon Aug 8 11:53:08 2016 : Debug: (31) [mschap] = reject Mon Aug 8 11:53:08 2016 : Debug: (31) } # Auth-Type MS-CHAP = reject
I try something, I can get same error when my password User is wrong, so I think the Machine dont send the same password stock in ldap, but how can I know what is the password send by the comptuer account ? (I know this is maybe out sugbject cause not radius but if u have some idea)
I've only done machine auth with EAP-TLS. MSCHAPv2 isn't as secure. Can't help here I'm afraid; looks like the password is wrong. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>