Hi, I want know if is it possible to create some rules on Freeradius for make a 'double' authentification. In my case, I want authorize acces network only if Machine AND user auth are Ok, actually my machine auth fail but my user succed and he can acces to network. I search but i dont find tutorial for implement this restriction access, so if u have some tutorials or other link for help :D And now, this is my error on Machine AUTH: I have freeradius-server 3.0.11 LDAP openldap-2.4.31 and Ubuntu Ubuntu 14.04.5 LTS When I start my Client Windows7, I have this error: eap_mschapv2: Auth-Type MS-CHAP { Fri Aug 5 10:41:57 2016 : Debug: (38) eap_mschapv2: modsingle[authenticate]: calling mschap (rlm_mschap) for request 38 Fri Aug 5 10:41:57 2016 : Debug: (38) mschap: Found NT-Password Fri Aug 5 10:41:57 2016 : Debug: (38) mschap: Creating challenge hash with username: host/TESTPC-THOMAS Fri Aug 5 10:41:57 2016 : Debug: (38) mschap: Client is using MS-CHAPv2 Fri Aug 5 10:41:57 2016 : ERROR: (38) mschap: MS-CHAP2-Response is incorrect Fri Aug 5 10:41:57 2016 : Debug: (38) modsingle[authenticate]: returned from mschap (rlm_mschap) for request 38 Fri Aug 5 10:41:57 2016 : Debug: (38) [mschap] = reject Fri Aug 5 10:41:57 2016 : Debug: (38) } # Auth-Type MS-CHAP = reject Thanks for ur help Regards, Thomas
On Fri, Aug 05, 2016 at 11:33:04AM +0200, Thomas Massip wrote:
In my case, I want authorize acces network only if Machine AND user auth are Ok, actually my machine auth fail but my user succed and he can acces to network. I search but i dont find tutorial for implement this restriction access, so if u have some tutorials or other link for help :D
Theoretically, you could use PEAP with client certificates. In practice, you can't.
When I start my Client Windows7, I have this error:
The Windows supplicant will let you use "machine auth" or "user auth", but not both at the same time. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Le 2016-08-08 11:34, Matthew Newton a écrit :
On Fri, Aug 05, 2016 at 11:33:04AM +0200, Thomas Massip wrote:
In my case, I want authorize acces network only if Machine AND user auth are Ok, actually my machine auth fail but my user succed and he can acces to network. I search but i dont find tutorial for implement this restriction access, so if u have some tutorials or other link for help :D
Theoretically, you could use PEAP with client certificates. In practice, you can't.
Thanks for the answer, I found some documentation who tel me to authenticate machine first, and when she is authenticate I can made a User auth and attribute him the good vlan. Is it possible ?
The Windows supplicant will let you use "machine auth" or "user auth", but not both at the same time.
Hmm Can you explain me, because I Chose EAP-PEAP MSCHAPv2 on my client Windows7, I receive request from my client machine (TESTPC-THOMAS), but this fail with that: eap_mschapv2: Auth-Type MS-CHAP { Mon Aug 8 11:53:08 2016 : Debug: (31) eap_mschapv2: modsingle[authenticate]: calling mschap (rlm_mschap) for request 31 Mon Aug 8 11:53:08 2016 : Debug: (31) mschap: Found NT-Password Mon Aug 8 11:53:08 2016 : Debug: (31) mschap: Creating challenge hash with username: host/TESTPC-THOMAS Mon Aug 8 11:53:08 2016 : Debug: (31) mschap: Client is using MS-CHAPv2 Mon Aug 8 11:53:08 2016 : ERROR: (31) mschap: MS-CHAP2-Response is incorrect Mon Aug 8 11:53:08 2016 : Debug: (31) modsingle[authenticate]: returned from mschap (rlm_mschap) for request 31 Mon Aug 8 11:53:08 2016 : Debug: (31) [mschap] = reject Mon Aug 8 11:53:08 2016 : Debug: (31) } # Auth-Type MS-CHAP = reject I try something, I can get same error when my password User is wrong, so I think the Machine dont send the same password stock in ldap, but how can I know what is the password send by the comptuer account ? (I know this is maybe out sugbject cause not radius but if u have some idea) Regards, Thomas
On Mon, Aug 08, 2016 at 12:05:19PM +0200, Thomas Massip wrote:
Le 2016-08-08 11:34, Matthew Newton a écrit :
On Fri, Aug 05, 2016 at 11:33:04AM +0200, Thomas Massip wrote:
In my case, I want authorize acces network only if Machine AND user auth are Ok, actually my machine auth fail but my user succed and he can acces to
Theoretically, you could use PEAP with client certificates. In practice, you can't.
I found some documentation who tel me to authenticate machine first, and when she is authenticate I can made a User auth and attribute him the good vlan. Is it possible ?
There is (or used to be) a setting in Windows where you could do machine auth at boot time, and then user auth after the login prompt. But they are separate - you don't get the machine auth credentials at the same time as the user details.
The Windows supplicant will let you use "machine auth" or "user auth", but not both at the same time.
Hmm Can you explain me, because I Chose EAP-PEAP MSCHAPv2 on my client Windows7, I receive request from my client machine (TESTPC-THOMAS), but this fail with that:
eap_mschapv2: Auth-Type MS-CHAP { Mon Aug 8 11:53:08 2016 : Debug: (31) eap_mschapv2: modsingle[authenticate]: calling mschap (rlm_mschap) for request 31 Mon Aug 8 11:53:08 2016 : Debug: (31) mschap: Found NT-Password Mon Aug 8 11:53:08 2016 : Debug: (31) mschap: Creating challenge hash with username: host/TESTPC-THOMAS Mon Aug 8 11:53:08 2016 : Debug: (31) mschap: Client is using MS-CHAPv2 Mon Aug 8 11:53:08 2016 : ERROR: (31) mschap: MS-CHAP2-Response is incorrect Mon Aug 8 11:53:08 2016 : Debug: (31) modsingle[authenticate]: returned from mschap (rlm_mschap) for request 31 Mon Aug 8 11:53:08 2016 : Debug: (31) [mschap] = reject Mon Aug 8 11:53:08 2016 : Debug: (31) } # Auth-Type MS-CHAP = reject
I try something, I can get same error when my password User is wrong, so I think the Machine dont send the same password stock in ldap, but how can I know what is the password send by the comptuer account ? (I know this is maybe out sugbject cause not radius but if u have some idea)
I've only done machine auth with EAP-TLS. MSCHAPv2 isn't as secure. Can't help here I'm afraid; looks like the password is wrong. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Le 2016-08-08 12:48, Matthew Newton a écrit :
On Mon, Aug 08, 2016 at 12:05:19PM +0200, Thomas Massip wrote:
Le 2016-08-08 11:34, Matthew Newton a écrit :
On Fri, Aug 05, 2016 at 11:33:04AM +0200, Thomas Massip wrote:
In my case, I want authorize acces network only if Machine AND user auth are Ok, actually my machine auth fail but my user succed and he can acces to
Theoretically, you could use PEAP with client certificates. In practice, you can't.
I found some documentation who tel me to authenticate machine first, and when she is authenticate I can made a User auth and attribute him the good vlan. Is it possible ?
There is (or used to be) a setting in Windows where you could do machine auth at boot time, and then user auth after the login prompt.
But they are separate - you don't get the machine auth credentials at the same time as the user details.
Yes Ok that what i mean i think, its call User auth OR Machine Auth.
The Windows supplicant will let you use "machine auth" or "user auth", but not both at the same time.
Hmm Can you explain me, because I Chose EAP-PEAP MSCHAPv2 on my client Windows7, I receive request from my client machine (TESTPC-THOMAS), but this fail with that:
eap_mschapv2: Auth-Type MS-CHAP { Mon Aug 8 11:53:08 2016 : Debug: (31) eap_mschapv2: modsingle[authenticate]: calling mschap (rlm_mschap) for request 31 Mon Aug 8 11:53:08 2016 : Debug: (31) mschap: Found NT-Password Mon Aug 8 11:53:08 2016 : Debug: (31) mschap: Creating challenge hash with username: host/TESTPC-THOMAS Mon Aug 8 11:53:08 2016 : Debug: (31) mschap: Client is using MS-CHAPv2 Mon Aug 8 11:53:08 2016 : ERROR: (31) mschap: MS-CHAP2-Response is incorrect Mon Aug 8 11:53:08 2016 : Debug: (31) modsingle[authenticate]: returned from mschap (rlm_mschap) for request 31 Mon Aug 8 11:53:08 2016 : Debug: (31) [mschap] = reject Mon Aug 8 11:53:08 2016 : Debug: (31) } # Auth-Type MS-CHAP = reject
I try something, I can get same error when my password User is wrong, so I think the Machine dont send the same password stock in ldap, but how can I know what is the password send by the comptuer account ? (I know this is maybe out sugbject cause not radius but if u have some idea)
I've only done machine auth with EAP-TLS. MSCHAPv2 isn't as secure. Can't help here I'm afraid; looks like the password is wrong.
Ok, I try too to past by EAP-TLS, with User OR machine AUTH on windows, the user is good again, when I log somoene the Certificate is send and accept, but the machine isn't ok, when I start my computer nothing is send by the machine... My certificate are all ok and declare on libryra, on mmc, but the 'machine auth' really don't work because when I select only 'Machine auth' nothing happened.. Have u got one link or something else for help me for the machine auth? -- Thomas MASSIP - Alternant Ingenieur réseau SAEM e-tera 46 rue Sere de rivieres 81000 ALBI email: thomas.massip@e-tera.com
Hi,
Yes Ok that what i mean i think, its call User auth OR Machine Auth.
Windows doesnt do machine auth and user auth in one step.... its 2 seperate processes..... so you need to define policies that handle this eg machine auth? drop onto machine auth'd VLAN user auth? drop onto the final okay user auth'd VLAN each VLAN having its own required policies. if machine auth isnt working then you need to look at full debug logs to see what is occurring and why its not working... machine auths are of form host\machineid.domain if its not that form, then its a local user system account being used...and that password is whatever is set on the system locally, not in AD/LDAP. alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Matthew Newton -
Thomas Massip