How do I do User/Machine Certificate + LDAP User/Pass Authentication?
Coy Hile
Coy.Hile at coyhile.com
Sun Nov 22 17:59:30 CET 2020
On Nov 22, 2020, at 8:55 AM, Alan DeKok <aland at deployingradius.com>
wrote:
> On Nov 20, 2020, at 12:31 PM, Jose Ramón Arnau Garví via
> Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> The idea is somewhat similar to 2FA:
>> * First I authenticate with User/Machine Certificate
>> * Next I want to introduce User/Pass to authenticate with ldap
>>   through Active Directory
>>
>> Can anyone help me?
>>
>> Notes:
>> * I can authenticate with User/Machine Certificate
>> * I can authenticate with User/Pass with ldap through Active
>>   Directory
>>
>> I can't authenticate with 2 simultaneously
>
> I'm not sure what you mean by "simultaneously".
>
> Can you do both of those authentications in the same virtual server?
> Yes. Read the debug output to see how they're different, and then
> key off of those differences.
>
> Can you make the user do machine certificate *and* password
> authentication in the same authentication session? No, because
> that's up to the client. And Windows doesn't do that.

The way I read this, what he's trying to do is a two-step
authentication process:

1) Use the machine cert to verify that the user is coming from a
trusted device.
2) After it's verified that the device is good to go, then
determine who the user is and take appropriate action then.

Does it not, then, depend on where the user is authenticating? If it's
a built-in Windows thing (for, say, 802.1x or similar), one may be out of
luck. But it might make sense in the context of, say, a VPN client to
verify the source device is within policy before authenticating the end
user.

Or am I overthinking here? Me personally, so far all I use RADIUS for
is to authenticate and authorize administrative sessions into network
gear itself, so I don't know how to do anything cute, and I don't do
more than just PAP.

--
Coy Hile
coy.hile at coyhile.com