Auth machine AND user

Thomas Massip thomas.massip at e-tera.com
Mon Aug 8 14:16:15 CEST 2016


On 2016-08-08 12:48, Matthew Newton wrote:
> On Mon, Aug 08, 2016 at 12:05:19PM +0200, Thomas Massip wrote:
>> On 2016-08-08 11:34, Matthew Newton wrote:
>> >On Fri, Aug 05, 2016 at 11:33:04AM +0200, Thomas Massip wrote:
>> >>In my case, I want to authorize network access only if machine AND
>> >>user auth are OK; currently my machine auth fails but my user auth
>> >>succeeds and he can access
>> >
>> >Theoretically, you could use PEAP with client certificates. In
>> >practice, you can't.
>> 
>> I found some documentation which tells me to authenticate the machine
>> first, and when it is authenticated I can do a user auth and assign
>> him the right VLAN. Is it possible?
> 
> There is (or used to be) a setting in Windows where you could do
> machine auth at boot time, and then user auth after the login
> prompt.
> 
> But they are separate - you don't get the machine auth credentials
> at the same time as the user details.
> 

Yes, OK, that is what I mean, I think; it is called "User auth OR Machine auth".

> 
>> >The Windows supplicant will let you use "machine auth" or "user
>> >auth", but not both at the same time.
>> 
>> Hmm, can you explain, because I chose EAP-PEAP MSCHAPv2 on my Windows 7
>> client; I receive a request from my client machine (TESTPC-THOMAS),
>> but this fails with:
>> 
>> eap_mschapv2:   Auth-Type MS-CHAP {
>> Mon Aug  8 11:53:08 2016 : Debug: (31) eap_mschapv2: modsingle[authenticate]: calling mschap (rlm_mschap) for request 31
>> Mon Aug  8 11:53:08 2016 : Debug: (31) mschap: Found NT-Password
>> Mon Aug  8 11:53:08 2016 : Debug: (31) mschap: Creating challenge hash with username: host/TESTPC-THOMAS
>> Mon Aug  8 11:53:08 2016 : Debug: (31) mschap: Client is using MS-CHAPv2
>> Mon Aug  8 11:53:08 2016 : ERROR: (31) mschap: MS-CHAP2-Response is incorrect
>> Mon Aug  8 11:53:08 2016 : Debug: (31)     modsingle[authenticate]: returned from mschap (rlm_mschap) for request 31
>> Mon Aug  8 11:53:08 2016 : Debug: (31)     [mschap] = reject
>> Mon Aug  8 11:53:08 2016 : Debug: (31)   } # Auth-Type MS-CHAP = reject
>> 
>> I tried something: I get the same error when my user password is wrong,
>> so I think the machine doesn't send the same password as the one stored
>> in LDAP, but how can I know what password is sent by the computer
>> account? (I know this is maybe off topic because it's not RADIUS, but
>> if you have some idea)
> 
> I've only done machine auth with EAP-TLS. MSCHAPv2 isn't as
> secure. Can't help here I'm afraid; looks like the password is
> wrong.
> 

OK, I also tried to go through EAP-TLS, with "User OR machine auth" on Windows;
the user is fine again: when I log someone in, the certificate is sent and
accepted, but the machine isn't OK; when I start my computer nothing is
sent by the machine... My certificates are all OK and declared in the library,
in mmc, but the 'machine auth' really doesn't work, because when I select
only 'Machine auth' nothing happens.. Do you have a link or something
else to help me with the machine auth?

-- 
Thomas MASSIP - Network engineer apprentice (alternant)
SAEM e-tera
46 rue Sere de rivieres 81000 ALBI

email: thomas.massip at e-tera.com


