How I do to User/Machine Certificate + LDAP User/Pass Authentication?
The ide is some similar to 2fa: * First I authenticate with User/Machine Certificate * Next I want to Introduce User/Pass to Authenticate with ldap througt Active Directory Can Anyone help me Notes: * I can authenticate with User/Machine Certificate * I can authenticate with User/pass with ldapt througt Active Directory I can't authenticate with 2 simultaneously Saludos. Jose Ramón Arnau Garví Administrador de Sistemas Área de Tecnologías de la Información jarnau@grupogimeno.com<mailto:jarnau@grupogimeno.com> [Skype Empleado]<sip:jarnau@grupogimeno.com> [Logo Empresa] Avda. del Mar 51 bajo C.P.: 12003 - Castellón Tel.: 964 727 101<tel:964%20727%20101> www.grupogimeno.com<http://www.grupogimeno.com> [Linkedin Empresa]<https://es.linkedin.com/company/grupogimeno> [Logo Division]
On Nov 20, 2020, at 12:31 PM, Jose Ramón Arnau Garví via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
The ide is some similar to 2fa:
* First I authenticate with User/Machine Certificate * Next I want to Introduce User/Pass to Authenticate with ldap througt Active Directory
Can Anyone help me
Notes:
* I can authenticate with User/Machine Certificate * I can authenticate with User/pass with ldapt througt Active Directory
I can't authenticate with 2 simultaneously
I'm not sure what you mean by "simultaneously". Can you do both of those authentications in the same virtual server? Yes. Read the debug output to see how they're different, and then key off of those differences. Can you make the user do machine certificate *and* password authentication in the same authentication session? No, because that's up to the client. And Windows doesn't do that. Alan DeKok.
On Nov 22, 2020, at 8:55 AM, Alan DeKok <aland@deployingradius.com> wrote: On Nov 20, 2020, at 12:31 PM, Jose Ramón Arnau Garví via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote: The ide is some similar to 2fa: * First I authenticate with User/Machine Certificate * Next I want to Introduce User/Pass to Authenticate with ldap througt Active Directory Can Anyone help me Notes: * I can authenticate with User/Machine Certificate * I can authenticate with User/pass with ldapt througt Active Directory I can't authenticate with 2 simultaneously I'm not sure what you mean by "simultaneously". Can you do both of those authentications in the same virtual server? Yes. Read the debug output to see how they're different, and then key off of those differences. Can you make the user do machine certificate *and* password authentication in the same authentication session? No, because that's up to the client. And Windows doesn't do that. The way I read this, what he’s trying to do is a two-step authentication process: 1) Use the machine cert to verify that the user is coming from a trusted device. 2) After it’s verified that that the device is good to go, then determine who the user is and take appropriate action then. Does it not, then, depend on where the user is authenticating? If it’s a builtin windows thing (for, say, 802.1x or similar, one may be out of luck. But it might make sense in the context of, say, a VPN client to verify the source device is within policy before authenticating the end user. Or am I overthinking here? Me personally, so far all I use RADIUS for is to authenticate and authorize administrative sessions into network gear itself, so I don’t know how to do anything cute, and I don’t do more than just PAP. -- Coy Hile coy.hile@coyhile.com
On Nov 22, 2020, at 11:59 AM, Coy Hile <Coy.Hile@coyhile.com> wrote:
The way I read this, what he’s trying to do is a two-step authentication process:
I really wish people asked *clear* questions. :(
1) Use the machine cert to verify that the user is coming from a trusted device. 2) After it’s verified that that the device is good to go, then determine who the user is and take appropriate action then.
The issue is that for Windows, those are two separate authentications. The host authenticates itself using host credentials. *Not* user credentials. At some random later time, the user may (or may not) authenticate himself using his own credentials. The only way to see that these are from the same machine is to compare machine MAC / NAS IP / port / etc. And, it all depends on how Windows works. Which we don't control. So this question really is "Can I make Windows do X?" And the only answer is "I dunno.. .ask the Windows people".
Does it not, then, depend on where the user is authenticating? If it’s a builtin windows thing (for, say, 802.1x or similar, one may be out of luck. But it might make sense in the context of, say, a VPN client to verify the source device is within policy before authenticating the end user.
Except that with a VPN, it *won't* do host authentication separately. It will only do user authentication. And you *might* get a MAC address or other machine identification. But likely not. Alan DeKok.
On Nov 23, 2020, at 8:34 AM, Alan DeKok <aland@deployingradius.com> wrote:
Does it not, then, depend on where the user is authenticating? If it’s a builtin windows thing (for, say, 802.1x or similar, one may be out of luck. But it might make sense in the context of, say, a VPN client to verify the source device is within policy before authenticating the end user.
Except that with a VPN, it *won't* do host authentication separately. It will only do user authentication. And you *might* get a MAC address or other machine identification. But likely not.
Hmm, doesn’t that depend on the VPN client (and server for that matter)? But that may be getting off into the weeds and unrelated to FreeRADIUS. So, to bring this back to a RADIUS-centric discussion. Assume the VPN client sends the concentrator both a machine certificate and the user’s credentials. Is it possible to configure the server in such a way that it’d work like I described? That is, I guess, to require that multiple modules succeed, namely whatever does the cert verification and, say, ldap talking to the Directory? Like I said, as long as I’ve been on this list, most of the content is orthogonal to my existing use case (that of authenticating and authorizing administrative sessions to network gear). So, I’m trying to learn more about the meat and potatoes, as it were. Thanks, -- Coy Hile coy.hile@coyhile.com
On 24/11/2020 10:56, Coy Hile wrote:
On Nov 23, 2020, at 8:34 AM, Alan DeKok <aland@deployingradius.com> wrote: Except that with a VPN, it *won't* do host authentication separately. It will only do user authentication. And you *might* get a MAC address or other machine identification. But likely not.
Hmm, doesn’t that depend on the VPN client (and server for that matter)?
The original question said "Windows". It didn't specify what type of auth. The assumption is WiFi, and Alan's answer is correct. But it's still only based on an assumption as the question was vague.
Is it possible to configure the server in such a way that it’d work like I described? That is, I guess, to require that multiple modules succeed, namely whatever does the cert verification and, say, ldap talking to the Directory?
Yes. But depending on what you want you're still going to be restricted by the end user's setup, whether that's VPN, WiFi or anything else. e.g. see https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-avail... There's nothing stopping you looking up some information you have available in 20 different databases to make sure they are all OK. You can always reject. But getting the client's supplicant to e.g. provide both a certificate *and* username/password credentials is not possible with most supplicants as they just don't support it. -- Matthew
participants (4)
-
Alan DeKok -
Coy Hile -
Jose Ramón Arnau Garví -
Matthew Newton