How I do to User/Machine Certificate + LDAP User/Pass Authentication?

Coy Hile Coy.Hile at
Sun Nov 22 17:59:30 CET 2020

     On Nov 22, 2020, at 8:55 AM, Alan DeKok <aland at>
     On Nov 20, 2020, at 12:31 PM, Jose Ramón Arnau Garví via
     Freeradius-Users <freeradius-users at> wrote:

     The ide is some similar to 2fa:
     *   First I authenticate with User/Machine Certificate
     *   Next I want to Introduce User/Pass to Authenticate with ldap
     througt Active Directory
     Can Anyone help me
     *   I can authenticate with User/Machine Certificate
     *   I can authenticate with User/pass with ldapt througt Active
     I can't authenticate with 2 simultaneously

     I'm not sure what you mean by "simultaneously".
     Can you do both of those authentications in the same virtual server?
      Yes.  Read the debug output to see how they're different, and then
     key off of those differences.
     Can you make the user do machine certificate *and* password
     authentication in the same authentication session?  No, because
     that's up to the client.  And Windows doesn't do that.

   The way I read this, what he’s trying to do is a two-step
   authentication process:
   1) Use the machine cert to verify that the user is coming from a
   trusted device.
   2) After it’s verified that that the device is good to go, then
   determine who the user is and take appropriate action then.
   Does it not, then, depend on where the user is authenticating? If it’s
   a builtin windows thing (for, say, 802.1x or similar, one may be out of
   luck.  But it might make sense in the context of, say, a VPN client to
   verify the source device is within policy before authenticating the end
   Or am I overthinking here? Me personally, so far all I use RADIUS for
   is to authenticate and authorize administrative sessions into network
   gear itself, so I don’t know how to do anything cute, and I don’t do
   more than just PAP.
   Coy Hile
   coy.hile at

More information about the Freeradius-Users mailing list