Thanks for your help. We want two authorization in the same times, for example, to ensure that user not used his iPhone with his DOMAIN/UserName account. Mac Authorization is not a good way for us ( Too restrictive to keep up to date ) Authorization by certificat too because we have a lot of hosts which doesn't support that. Nicolas CLO. -----Original Message----- nicolas.clo@ricoh-industrie.fr wrote:
Is it possible to verify host with mschapv2
That question has a number of unstated assumptions. Those assumptions are wrong. Does the *host* provide mschapv2 authentication data? No. Therefore, the host can't be verified with mschapv2.
and if the module return ok proceed to username verfication with the same module ?
You're asking for mschapv2 to authenticate two different identities at the same time. It doesn't do that. What do you really want to do? Your question assumes a particular view of things. That view is wrong, so we can't help you. If you describe what you have and what you want to do, we may be able to come up with a different approach that meets your needs. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html __________________________________________________________________________ Nicolas CLO Industrial and Network Technician ITS Section RICOH INDUSTRIE FRANCE SAS 144, route de Rouffach, 68920 WETTOLSHEIM Tel: +33 (0) 3 89 20 48 84 nicolas.clo@ricoh-industrie.fr | www.ricoh-thermal.com
nicolas.clo@ricoh-industrie.fr wrote:
We want two authorization in the same times, for example, to ensure that user not used his iPhone with his DOMAIN/UserName account.
That is fairly vague. You're working with computers. Be specific. WHAT is in an Access-Request when they login using a desktop? WHAT is in an Access-Request when they login using their phone? HOW are the two requests different? Once you know that, it should be easy to create rules which can distinguish one from the other. And then apply different rules to each one.
Mac Authorization is not a good way for us ( Too restrictive to keep up to date ) Authorization by certificat too because we have a lot of hosts which doesn't support that.
You're limited by what is in the Access-Request. If the only difference between a desktop and iPhone is a MAC address, too bad. Computers aren't magic. My guess is that the only thing which will really work is MAC address filtering. I'd suggest finding a way to make it manageable. Alan DeKok.
Ok thanks for the reply. I'm now sure that the best way for us is MAC Address filtering. Have a good day. Nicolas CLO -----------------------------------------------------------Original mail----------------------------------------------------------- nicolas.clo@ricoh-industrie.fr wrote:
We want two authorization in the same times, for example, to ensure that user not used his iPhone with his DOMAIN/UserName account.
That is fairly vague. You're working with computers. Be specific. WHAT is in an Access-Request when they login using a desktop? WHAT is in an Access-Request when they login using their phone? HOW are the two requests different? Once you know that, it should be easy to create rules which can distinguish one from the other. And then apply different rules to each one.
Mac Authorization is not a good way for us ( Too restrictive to keep up to date ) Authorization by certificat too because we have a lot of hosts which doesn't support that.
You're limited by what is in the Access-Request. If the only difference between a desktop and iPhone is a MAC address, too bad. Computers aren't magic. My guess is that the only thing which will really work is MAC address filtering. I'd suggest finding a way to make it manageable. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
I'm now sure that the best way for us is MAC Address filtering.
thats a way of doing the 'host' part. the user can then be authenticated by an EAP method. ie authorization stage can check the calling-station-id (MAC address) and, if not known, just reject. then, if known carry on to the user authentication by 802.1X as already said, you have to know what you want and the technologies available alan
Hi, Yes, this is our actual configuration and it works very well, but I think that with the long run, a database that contains all MAC address can become very difficult to manage. But if it' s the only solution, I will make with. Thanks. Nicolas CLO Industrial and Network Technician ITS Section -----------------------------------------------Original mail------------------------------------------------------ Hi,
I'm now sure that the best way for us is MAC Address filtering.
thats a way of doing the 'host' part. the user can then be authenticated by an EAP method. ie authorization stage can check the calling-station-id (MAC address) and, if not known, just reject. then, if known carry on to the user authentication by 802.1X as already said, you have to know what you want and the technologies available alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 24/06/13 14:09, nicolas.clo@ricoh-industrie.fr wrote:
Thanks for your help.
We want two authorization in the same times, for example, to ensure that user not used his iPhone with his DOMAIN/UserName account.
Sorry, but that's not currently possible. No EAP method supports it. In theory EAP-TEAP might, but that's too new, and it's not clear if clients would support >1 auth anyway.
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
nicolas.clo@ricoh-industrie.fr -
Phil Mayers