How I do to User/Machine Certificate + LDAP User/Pass Authentication?

Matthew Newton mcn at
Tue Nov 24 14:02:42 CET 2020

On 24/11/2020 10:56, Coy Hile wrote:
>> On Nov 23, 2020, at 8:34 AM, Alan DeKok <aland at> wrote:
>>   Except that with a VPN, it *won't* do host authentication separately.  It will only do user authentication.  And you *might* get a MAC address or other machine identification.  But likely not.
> Hmm, doesn’t that depend on the VPN client (and server for that matter)?

The original question said "Windows". It didn't specify what type of 
auth. The assumption is WiFi, and Alan's answer is correct. But it's 
still only based on an assumption as the question was vague.

> Is it possible to configure the server in such a way that it’d work like I described? That is, I guess, to require that multiple modules succeed, namely whatever does the cert verification and, say, ldap talking to the Directory?

Yes. But depending on what you want you're still going to be restricted 
by the end user's setup, whether that's VPN, WiFi or anything else.

e.g. see

There's nothing stopping you looking up some information you have 
available in 20 different databases to make sure they are all OK. You 
can always reject. But getting the client's supplicant to e.g. provide 
both a certificate *and* username/password credentials is not possible 
with most supplicants as they just don't support it.


More information about the Freeradius-Users mailing list