Can you use TLS and Request users authentication as well

Walter Reynolds waltr at umich.edu
Tue Apr 18 15:56:43 CEST 2006


Hi,

What I am trying to figure out is a way to not only have a certificate, 
but a secondary way to verify that that certificate is being used by a 
person we allow.  If we put a cert onto a machine, we have authenticated 
that the cert was trusted.  The problem is, coming from a university, we do 
not have a way to control a user's machine.  So a user could take that 
certificate and put it onto a friend's machine.  This friend may not be 
affiliated and should not have access.  So I would like to use the cert as 
machine authentication and then follow up with another (username/pass) 
using the KRB module.

Is this something that can be done?  Has anyone run into a similar problem 
and what did they do?  I know we could go TTLS and not have a machine 
cert, but then we get fears of man-in-the-middle.

Thanks.

-- Walter Reynolds
    University of Michigan


