How I do to User/Machine Certificate + LDAP User/Pass Authentication?

Alan DeKok aland at
Mon Nov 23 14:34:08 CET 2020

On Nov 22, 2020, at 11:59 AM, Coy Hile <Coy.Hile at> wrote:
>   The way I read this, what he’s trying to do is a two-step
>   authentication process:

  I really wish people asked *clear* questions.  :(

>   1) Use the machine cert to verify that the user is coming from a
>   trusted device.
>   2) After it’s verified that that the device is good to go, then
>   determine who the user is and take appropriate action then.

  The issue is that for Windows, those are two separate authentications.  The host authenticates itself using host credentials.  *Not* user credentials.  At some random later time, the user may (or may not) authenticate himself using his own credentials.

  The only way to see that these are from the same machine is to compare machine MAC / NAS IP / port / etc.

  And, it all depends on how Windows works.  Which we don't control.  So this question really is "Can I make Windows do X?"  And the only answer is "I dunno.. .ask the Windows people".

>   Does it not, then, depend on where the user is authenticating? If it’s
>   a builtin windows thing (for, say, 802.1x or similar, one may be out of
>   luck.  But it might make sense in the context of, say, a VPN client to
>   verify the source device is within policy before authenticating the end
>   user.

  Except that with a VPN, it *won't* do host authentication separately.  It will only do user authentication.  And you *might* get a MAC address or other machine identification.  But likely not.

  Alan DeKok.

More information about the Freeradius-Users mailing list