Le 2016-08-08 12:48, Matthew Newton a écrit :
On Mon, Aug 08, 2016 at 12:05:19PM +0200, Thomas Massip wrote:
Le 2016-08-08 11:34, Matthew Newton a écrit :
On Fri, Aug 05, 2016 at 11:33:04AM +0200, Thomas Massip wrote:
In my case, I want authorize acces network only if Machine AND user auth are Ok, actually my machine auth fail but my user succed and he can acces to
Theoretically, you could use PEAP with client certificates. In practice, you can't.
I found some documentation who tel me to authenticate machine first, and when she is authenticate I can made a User auth and attribute him the good vlan. Is it possible ?
There is (or used to be) a setting in Windows where you could do machine auth at boot time, and then user auth after the login prompt.
But they are separate - you don't get the machine auth credentials at the same time as the user details.
Yes Ok that what i mean i think, its call User auth OR Machine Auth.
The Windows supplicant will let you use "machine auth" or "user auth", but not both at the same time.
Hmm Can you explain me, because I Chose EAP-PEAP MSCHAPv2 on my client Windows7, I receive request from my client machine (TESTPC-THOMAS), but this fail with that:
eap_mschapv2: Auth-Type MS-CHAP { Mon Aug 8 11:53:08 2016 : Debug: (31) eap_mschapv2: modsingle[authenticate]: calling mschap (rlm_mschap) for request 31 Mon Aug 8 11:53:08 2016 : Debug: (31) mschap: Found NT-Password Mon Aug 8 11:53:08 2016 : Debug: (31) mschap: Creating challenge hash with username: host/TESTPC-THOMAS Mon Aug 8 11:53:08 2016 : Debug: (31) mschap: Client is using MS-CHAPv2 Mon Aug 8 11:53:08 2016 : ERROR: (31) mschap: MS-CHAP2-Response is incorrect Mon Aug 8 11:53:08 2016 : Debug: (31) modsingle[authenticate]: returned from mschap (rlm_mschap) for request 31 Mon Aug 8 11:53:08 2016 : Debug: (31) [mschap] = reject Mon Aug 8 11:53:08 2016 : Debug: (31) } # Auth-Type MS-CHAP = reject
I try something, I can get same error when my password User is wrong, so I think the Machine dont send the same password stock in ldap, but how can I know what is the password send by the comptuer account ? (I know this is maybe out sugbject cause not radius but if u have some idea)
I've only done machine auth with EAP-TLS. MSCHAPv2 isn't as secure. Can't help here I'm afraid; looks like the password is wrong.
Ok, I try too to past by EAP-TLS, with User OR machine AUTH on windows, the user is good again, when I log somoene the Certificate is send and accept, but the machine isn't ok, when I start my computer nothing is send by the machine... My certificate are all ok and declare on libryra, on mmc, but the 'machine auth' really don't work because when I select only 'Machine auth' nothing happened.. Have u got one link or something else for help me for the machine auth? -- Thomas MASSIP - Alternant Ingenieur réseau SAEM e-tera 46 rue Sere de rivieres 81000 ALBI email: thomas.massip@e-tera.com