How I do to User/Machine Certificate + LDAP User/Pass Authentication?
Matthew Newton
mcn at freeradius.org
Tue Nov 24 14:02:42 CET 2020
On 24/11/2020 10:56, Coy Hile wrote:
>> On Nov 23, 2020, at 8:34 AM, Alan DeKok <aland at deployingradius.com> wrote:
>> Except that with a VPN, it *won't* do host authentication separately. It will only do user authentication. And you *might* get a MAC address or other machine identification. But likely not.
>
> Hmm, doesn’t that depend on the VPN client (and server for that matter)?

The original question said "Windows". It didn't specify what type of
auth. The assumption is WiFi, and Alan's answer is correct. But it's
still only based on an assumption as the question was vague.

> Is it possible to configure the server in such a way that it’d work like I described? That is, I guess, to require that multiple modules succeed, namely whatever does the cert verification and, say, ldap talking to the Directory?

Yes. But depending on what you want you're still going to be restricted
by the end user's setup, whether that's VPN, WiFi or anything else.

e.g. see
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/eap#L870-L882

There's nothing stopping you looking up some information you have
available in 20 different databases to make sure they are all OK. You
can always reject. But getting the client's supplicant to e.g. provide
both a certificate *and* username/password credentials is not possible
with most supplicants as they just don't support it.
--
Matthew
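
An added example, not part of the original message or the FreeRADIUS distribution: one way to require both a valid client certificate and a directory entry in FreeRADIUS 3.0.x, by sending each completed EAP-TLS handshake through the `check-eap-tls` virtual server. It assumes user certificates whose CN equals the RADIUS User-Name, and an enabled `ldap` module whose user filter searches on User-Name.

```text
# mods-enabled/eap (fragment): after the TLS handshake has validated the
# client certificate, run the request through an extra virtual server.
eap {
	tls {
		tls = tls-common
		virtual_server = check-eap-tls
	}
}

# sites-enabled/check-eap-tls
server check-eap-tls {
	authorize {
		# Default: the certificate chain already verified, so accept.
		update config {
			&Auth-Type := Accept
		}

		# The EAP identity is client-supplied and unauthenticated.
		# Tie it to the certificate before trusting it in any lookup.
		if (&User-Name != "%{TLS-Client-Cert-Common-Name}") {
			update config {
				&Auth-Type := Reject
			}
			update reply {
				&Reply-Message := "Identity does not match certificate"
			}
		}
		else {
			# Second requirement: the account must exist in the directory.
			# The ldap module returns notfound when the search finds no user.
			ldap
			if (notfound) {
				update config {
					&Auth-Type := Reject
				}
			}
		}
	}
}
```

This checks the certificate plus directory membership only; it does not collect an LDAP password, since the supplicant never sends one during EAP-TLS.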