Auth machine AND user

Matthew Newton mcn4 at leicester.ac.uk
Mon Aug 8 12:48:36 CEST 2016


On Mon, Aug 08, 2016 at 12:05:19PM +0200, Thomas Massip wrote:
> On 2016-08-08 11:34, Matthew Newton wrote:
> >On Fri, Aug 05, 2016 at 11:33:04AM +0200, Thomas Massip wrote:
> >>In my case, I want to authorize network access only if machine AND
> >>user auth are OK; actually my machine auth fails but my user
> >>succeeds and he can access to
> >
> >Theoretically, you could use PEAP with client certificates. In
> >practice, you can't.
> 
> I found some documentation which tells me to authenticate the machine first, and
> when it is authenticated I can do a user auth and assign him the right
> VLAN. Is it possible?

There is (or used to be) a setting in Windows where you could do
machine auth at boot time, and then user auth after the login
prompt.

But they are separate - you don't get the machine auth credentials
at the same time as the user details.


> >The Windows supplicant will let you use "machine auth" or "user
> >auth", but not both at the same time.
> 
> Hmm, can you explain to me? Because I chose EAP-PEAP MSCHAPv2 on my Windows 7
> client, I receive a request from my client machine (TESTPC-THOMAS), but it
> fails with this:
> 
> eap_mschapv2:   Auth-Type MS-CHAP {
> Mon Aug  8 11:53:08 2016 : Debug: (31) eap_mschapv2:   modsingle[authenticate]: calling mschap (rlm_mschap) for request 31
> Mon Aug  8 11:53:08 2016 : Debug: (31) mschap: Found NT-Password
> Mon Aug  8 11:53:08 2016 : Debug: (31) mschap: Creating challenge hash with username: host/TESTPC-THOMAS
> Mon Aug  8 11:53:08 2016 : Debug: (31) mschap: Client is using MS-CHAPv2
> Mon Aug  8 11:53:08 2016 : ERROR: (31) mschap: MS-CHAP2-Response is incorrect
> Mon Aug  8 11:53:08 2016 : Debug: (31)     modsingle[authenticate]: returned from mschap (rlm_mschap) for request 31
> Mon Aug  8 11:53:08 2016 : Debug: (31)     [mschap] = reject
> Mon Aug  8 11:53:08 2016 : Debug: (31)   } # Auth-Type MS-CHAP = reject
> 
> I tried something: I can get the same error when my user password is wrong, so I
> think the machine doesn't send the same password that is stored in LDAP, but how can I
> know what password is sent by the computer account? (I know this is
> maybe off subject since it's not RADIUS, but if you have some idea)

I've only done machine auth with EAP-TLS. MSCHAPv2 isn't as
secure. Can't help here I'm afraid; looks like the password is
wrong.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
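An added example, not part of the thread or of FreeRADIUS itself: a small Python parser that assumes FreeRADIUS 3.x debug output shaped like the lines quoted above. It groups lines by request number, pulls out the identity that rlm_mschap used for the challenge hash, labels `host/...` identities as machine auth and everything else as user auth, and lists machine-auth rejects separately. That makes the point of the reply visible in the log: the machine and the user authenticate in different requests with different identities, so a failing machine auth can be spotted on its own even when the user's auth later succeeds. The log lines embedded below are constructed, modelled on the quoted output; request 32 and the user name `thomas` are invented for illustration.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the rlm_mschap debug output quoted in the
# thread (not the poster's real log). Request 31 is the machine attempt
# (host/...), request 32 is a hypothetical follow-up user attempt.
SAMPLE_LOG = """\
Mon Aug  8 11:53:08 2016 : Debug: (31) mschap: Found NT-Password
Mon Aug  8 11:53:08 2016 : Debug: (31) mschap: Creating challenge hash with username: host/TESTPC-THOMAS
Mon Aug  8 11:53:08 2016 : Debug: (31) mschap: Client is using MS-CHAPv2
Mon Aug  8 11:53:08 2016 : ERROR: (31) mschap: MS-CHAP2-Response is incorrect
Mon Aug  8 11:53:08 2016 : Debug: (31)     [mschap] = reject
Mon Aug  8 11:53:08 2016 : Debug: (31)   } # Auth-Type MS-CHAP = reject
Mon Aug  8 11:53:20 2016 : Debug: (32) mschap: Found NT-Password
Mon Aug  8 11:53:20 2016 : Debug: (32) mschap: Creating challenge hash with username: thomas
Mon Aug  8 11:53:20 2016 : Debug: (32) mschap: Client is using MS-CHAPv2
Mon Aug  8 11:53:20 2016 : Debug: (32)     [mschap] = ok
Mon Aug  8 11:53:20 2016 : Debug: (32)   } # Auth-Type MS-CHAP = ok
"""

# "<timestamp> : <Level>: (<request>) <message>"
LINE_RE = re.compile(r"^(?P<ts>.+?) : (?P<level>\w+): \((?P<req>\d+)\)\s*(?P<msg>.*)$")
# Identity rlm_mschap hashed the challenge with (host/NAME for machine accounts).
USER_RE = re.compile(r"Creating challenge hash with username: (?P<user>\S+)")
# Final outcome of the MS-CHAP Auth-Type section for the request.
RESULT_RE = re.compile(r"\} # Auth-Type MS-CHAP = (?P<result>\w+)")


def classify_identity(identity):
    """Windows machine accounts authenticate as host/<COMPUTERNAME>; anything
    else is treated as an interactive user."""
    return "machine" if identity.lower().startswith("host/") else "user"


def parse_requests(text):
    """Group debug lines by request number and extract identity, kind, result
    and any ERROR messages. Returns an ordered dict keyed by request id."""
    requests = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a request-scoped line (e.g. module banners)
        req = int(m.group("req"))
        entry = requests.setdefault(
            req, {"identity": None, "kind": None, "result": None, "errors": []}
        )
        msg = m.group("msg")
        if m.group("level") == "ERROR":
            entry["errors"].append(msg)
        u = USER_RE.search(msg)
        if u:
            entry["identity"] = u.group("user")
            entry["kind"] = classify_identity(entry["identity"])
        r = RESULT_RE.search(msg)
        if r:
            entry["result"] = r.group("result")
    return requests


def machine_auth_rejects(requests):
    """Machine-auth requests that ended in reject, as (request id, identity)."""
    return [
        (req, e["identity"])
        for req, e in requests.items()
        if e["kind"] == "machine" and e["result"] == "reject"
    ]


def summarize(text):
    """One (request, kind, identity, result, first error) tuple per request."""
    return [
        (req, e["kind"], e["identity"], e["result"], e["errors"][0] if e["errors"] else None)
        for req, e in parse_requests(text).items()
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
    print("machine-auth rejects:", machine_auth_rejects(parse_requests(SAMPLE_LOG)))
```

Run against a real `radiusd -X` capture, the parser shows each EAP conversation's inner identity and outcome side by side, so a `host/` reject with `MS-CHAP2-Response is incorrect` stands out from the user's later success instead of being hidden by it.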

