Auth machine AND user
Thomas Massip
thomas.massip at e-tera.com
Mon Aug 8 12:05:19 CEST 2016
On 2016-08-08 11:34, Matthew Newton wrote:
> On Fri, Aug 05, 2016 at 11:33:04AM +0200, Thomas Massip wrote:
>> In my case, I want to authorize network access only if Machine AND user
>> auth are OK. Currently my machine auth fails but my user auth succeeds
>> and he can access the network. I searched but I didn't find a tutorial
>> for implementing this access restriction, so if you have some tutorials
>> or other links to help :D
>
> Theoretically, you could use PEAP with client certificates. In
> practice, you can't.
>
Thanks for the answer,
I found some documentation which tells me to authenticate the machine
first, and once it is authenticated I can do a user auth and assign him
the right VLAN. Is it possible?
> The Windows supplicant will let you use "machine auth" or "user
> auth", but not both at the same time.
Hmm, can you explain? Because I chose EAP-PEAP MSCHAPv2 on my Windows 7
client, and I receive a request from my client machine (TESTPC-THOMAS),
but it fails with this:

eap_mschapv2: Auth-Type MS-CHAP {
Mon Aug 8 11:53:08 2016 : Debug: (31) eap_mschapv2: modsingle[authenticate]: calling mschap (rlm_mschap) for request 31
Mon Aug 8 11:53:08 2016 : Debug: (31) mschap: Found NT-Password
Mon Aug 8 11:53:08 2016 : Debug: (31) mschap: Creating challenge hash with username: host/TESTPC-THOMAS
Mon Aug 8 11:53:08 2016 : Debug: (31) mschap: Client is using MS-CHAPv2
Mon Aug 8 11:53:08 2016 : ERROR: (31) mschap: MS-CHAP2-Response is incorrect
Mon Aug 8 11:53:08 2016 : Debug: (31) modsingle[authenticate]: returned from mschap (rlm_mschap) for request 31
Mon Aug 8 11:53:08 2016 : Debug: (31) [mschap] = reject
Mon Aug 8 11:53:08 2016 : Debug: (31) } # Auth-Type MS-CHAP = reject

I tried something: I get the same error when my user password is wrong,
so I think the machine doesn't send the same password that is stored in
LDAP. But how can I know what password is sent by the computer account?
(I know this is maybe off-topic because it's not RADIUS, but if you have
some idea)
Regards,
Thomas
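
Added example (not part of the original post and not FreeRADIUS code): a small Python parser for the timestamped debug format quoted above. It groups lines by request id and reports, for each MS-CHAP attempt, whether the identity was a machine account (host/ prefix) or a user, and what rlm_mschap returned. The request 47 lines and the user name in the sample are constructed.

```python
import re
from collections import defaultdict

# Timestamped debug format from the post: "<date> : <Level>: (<request id>) <message>"
LINE = re.compile(r"^.*? : (?P<level>\w+): \((?P<req>\d+)\)\s+(?P<msg>.*)$")
USERNAME = re.compile(r"Creating challenge hash with username: (?P<name>\S+)")
RESULT = re.compile(r"\[mschap\] = (?P<rcode>\w+)")

# Request 31 lines are taken from the post; request 47 is constructed for contrast.
SAMPLE = """\
eap_mschapv2: Auth-Type MS-CHAP {
Mon Aug 8 11:53:08 2016 : Debug: (31) mschap: Creating challenge hash with username: host/TESTPC-THOMAS
Mon Aug 8 11:53:08 2016 : ERROR: (31) mschap: MS-CHAP2-Response is incorrect
Mon Aug 8 11:53:08 2016 : Debug: (31) [mschap] = reject
Mon Aug 8 11:53:40 2016 : Debug: (47) mschap: Creating challenge hash with username: thomas
Mon Aug 8 11:53:40 2016 : Debug: (47) [mschap] = ok
"""

def summarize(log_text):
    """Return {request_id: {"identity", "kind", "result", "errors"}}."""
    reqs = defaultdict(lambda: {"identity": None, "kind": None,
                                "result": None, "errors": []})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines without timestamp/request id, e.g. "Auth-Type MS-CHAP {"
        entry, msg = reqs[int(m["req"])], m["msg"]
        if (u := USERNAME.search(msg)):
            entry["identity"] = u["name"]
            # The post shows the machine account identifying itself as host/<name>.
            entry["kind"] = "machine" if u["name"].lower().startswith("host/") else "user"
        elif (r := RESULT.search(msg)):
            entry["result"] = r["rcode"]
        elif m["level"] == "ERROR":
            entry["errors"].append(msg)
    return dict(reqs)

def split_outcomes(summary):
    """Group (identity, mschap result) pairs by identity kind."""
    out = {"machine": [], "user": []}
    for entry in summary.values():
        if entry["kind"]:
            out[entry["kind"]].append((entry["identity"], entry["result"]))
    return out

if __name__ == "__main__":
    for kind, rows in split_outcomes(summarize(SAMPLE)).items():
        print(kind, rows)
```

Run against a full debug capture, this makes the situation described in the post visible at a glance: the host/ identity is rejected while the user identity is accepted.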
More information about the Freeradius-Users
mailing list