How I do to User/Machine Certificate + LDAP User/Pass Authentication?

How I do to User/Machine Certificate + LDAP User/Pass Authentication?

Users mailing list
The idea is something similar to 2FA:

  *   First I authenticate with a user/machine certificate
  *   Next I want to introduce user/pass to authenticate with LDAP through Active Directory

Can anyone help me?

Notes:

  *   I can authenticate with a user/machine certificate
  *   I can authenticate with user/pass with LDAP through Active Directory

I can't authenticate with the two simultaneously.

Regards,
Jose Ramón Arnau Garví
Systems Administrator
Information Technology Department
[hidden email]

Avda. del Mar 51 bajo
C.P.: 12003 - Castellón
Tel.: 964 727 101
www.grupogimeno.com
https://es.linkedin.com/company/grupogimeno



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How I do to User/Machine Certificate + LDAP User/Pass Authentication?

Alan DeKok-2
On Nov 20, 2020, at 12:31 PM, Jose Ramón Arnau Garví via Freeradius-Users <[hidden email]> wrote:

>
> The idea is something similar to 2FA:
>
>  *   First I authenticate with a user/machine certificate
>  *   Next I want to introduce user/pass to authenticate with LDAP through Active Directory
>
> Can anyone help me?
>
> Notes:
>
>  *   I can authenticate with a user/machine certificate
>  *   I can authenticate with user/pass with LDAP through Active Directory
>
> I can't authenticate with the two simultaneously.

  I'm not sure what you mean by "simultaneously".

  Can you do both of those authentications in the same virtual server?  Yes.  Read the debug output to see how they're different, and then key off of those differences.

  Can you make the user do machine certificate *and* password authentication in the same authentication session?  No, because that's up to the client.  And Windows doesn't do that.

  Alan DeKok.



Re: How I do to User/Machine Certificate + LDAP User/Pass Authentication?

Coy Hile
> On Nov 22, 2020, at 8:55 AM, Alan DeKok <[hidden email]> wrote:
>
>> On Nov 20, 2020, at 12:31 PM, Jose Ramón Arnau Garví via Freeradius-Users <[hidden email]> wrote:
>>
>> The idea is something similar to 2FA:
>>  *   First I authenticate with a user/machine certificate
>>  *   Next I want to introduce user/pass to authenticate with LDAP through Active Directory
>> Can anyone help me?
>> Notes:
>>  *   I can authenticate with a user/machine certificate
>>  *   I can authenticate with user/pass with LDAP through Active Directory
>> I can't authenticate with the two simultaneously.
>
> I'm not sure what you mean by "simultaneously".
> Can you do both of those authentications in the same virtual server?  Yes.  Read the debug output to see how they're different, and then key off of those differences.
> Can you make the user do machine certificate *and* password authentication in the same authentication session?  No, because that's up to the client.  And Windows doesn't do that.

The way I read this, what he's trying to do is a two-step authentication process:
1) Use the machine cert to verify that the user is coming from a trusted device.
2) After it's verified that the device is good to go, then determine who the user is and take appropriate action then.
Does it not, then, depend on where the user is authenticating? If it's a builtin Windows thing (for, say, 802.1x or similar), one may be out of luck.  But it might make sense in the context of, say, a VPN client to verify the source device is within policy before authenticating the end user.
Or am I overthinking here? Me personally, so far all I use RADIUS for is to authenticate and authorize administrative sessions into network gear itself, so I don't know how to do anything cute, and I don't do more than just PAP.
--
Coy Hile
[hidden email]

Re: How I do to User/Machine Certificate + LDAP User/Pass Authentication?

Alan DeKok-2
On Nov 22, 2020, at 11:59 AM, Coy Hile <[hidden email]> wrote:
>   The way I read this, what he’s trying to do is a two-step
>   authentication process:

  I really wish people asked *clear* questions.  :(

>   1) Use the machine cert to verify that the user is coming from a
>   trusted device.
>   2) After it’s verified that that the device is good to go, then
>   determine who the user is and take appropriate action then.

  The issue is that for Windows, those are two separate authentications.  The host authenticates itself using host credentials.  *Not* user credentials.  At some random later time, the user may (or may not) authenticate himself using his own credentials.

  The only way to see that these are from the same machine is to compare machine MAC / NAS IP / port / etc.

  And, it all depends on how Windows works.  Which we don't control.  So this question really is "Can I make Windows do X?"  And the only answer is "I dunno... ask the Windows people".

>   Does it not, then, depend on where the user is authenticating? If it's
>   a builtin Windows thing (for, say, 802.1x or similar), one may be out of
>   luck.  But it might make sense in the context of, say, a VPN client to
>   verify the source device is within policy before authenticating the end
>   user.

  Except that with a VPN, it *won't* do host authentication separately.  It will only do user authentication.  And you *might* get a MAC address or other machine identification.  But likely not.

  Alan DeKok.



Re: How I do to User/Machine Certificate + LDAP User/Pass Authentication?

Coy Hile


> On Nov 23, 2020, at 8:34 AM, Alan DeKok <[hidden email]> wrote:
>
>>  Does it not, then, depend on where the user is authenticating? If it's
>>  a builtin Windows thing (for, say, 802.1x or similar), one may be out of
>>  luck.  But it might make sense in the context of, say, a VPN client to
>>  verify the source device is within policy before authenticating the end
>>  user.
>
>  Except that with a VPN, it *won't* do host authentication separately.  It will only do user authentication.  And you *might* get a MAC address or other machine identification.  But likely not.
>

Hmm, doesn’t that depend on the VPN client (and server for that matter)? But that may be getting off into the weeds and unrelated to FreeRADIUS. So, to bring this back to a RADIUS-centric discussion. Assume the VPN client sends the concentrator both a machine certificate and the user’s credentials.

Is it possible to configure the server in such a way that it’d work like I described? That is, I guess, to require that multiple modules succeed, namely whatever does the cert verification and, say, ldap talking to the Directory?

Like I said, as long as I’ve been on this list, most of the content is orthogonal to my existing use case (that of authenticating and authorizing administrative sessions to network gear). So, I’m trying to learn more about the meat and potatoes, as it were.

Thanks,

--
Coy Hile
[hidden email]

Re: How I do to User/Machine Certificate + LDAP User/Pass Authentication?

Matthew Newton-3


On 24/11/2020 10:56, Coy Hile wrote:
>> On Nov 23, 2020, at 8:34 AM, Alan DeKok <[hidden email]> wrote:
>>   Except that with a VPN, it *won't* do host authentication separately.  It will only do user authentication.  And you *might* get a MAC address or other machine identification.  But likely not.
>
> Hmm, doesn’t that depend on the VPN client (and server for that matter)?

The original question said "Windows". It didn't specify what type of
auth. The assumption is WiFi, and Alan's answer is correct. But it's
still only based on an assumption as the question was vague.

> Is it possible to configure the server in such a way that it’d work like I described? That is, I guess, to require that multiple modules succeed, namely whatever does the cert verification and, say, ldap talking to the Directory?

Yes. But depending on what you want you're still going to be restricted
by the end user's setup, whether that's VPN, WiFi or anything else.

e.g. see

https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/eap#L870-L882

There's nothing stopping you looking up some information you have
available in 20 different databases to make sure they are all OK. You
can always reject. But getting the client's supplicant to e.g. provide
both a certificate *and* username/password credentials is not possible
with most supplicants as they just don't support it.

--
Matthew
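As an added example, not configuration from this thread or from the FreeRADIUS project, here is one way to do what Alan and Matthew describe in FreeRADIUS 3.0 unlang: key off the differences between the two requests, and tie them together by the client MAC, which inherits Alan's caveat that this only shows the same MAC did machine auth earlier, not that the two are one session. It assumes 802.1X where the NAS sends Calling-Station-Id, Windows machine auth arriving as EAP-TLS with a `host/` identity, and user/password auth in the inner tunnel; the module name `machine_seen`, its TTL, the use of `Tmp-String-0` and the file placement are assumptions.

```unlang
# mods-available/machine_seen (constructed for this example)
# Remembers, per client MAC, that a machine certificate was recently accepted.
cache machine_seen {
	driver = "rlm_cache_rbtree"
	key = "%{Calling-Station-Id}"
	ttl = 28800            # 8 hours; tune to the WiFi re-authentication interval
	update {
		# Stored on insert, merged back into control on a later hit
		&control:Tmp-String-0 := "machine-cert-ok"
	}
}

# sites-available/default (outer EAP server): record a successful machine auth
post-auth {
	# Windows machine auth identifies as host/<name>.<domain>; the
	# TLS-Client-Cert-* attributes only exist when a client cert was verified,
	# which is what distinguishes this request from a PEAP user login.
	if (&User-Name =~ /^host\//i && &TLS-Client-Cert-Common-Name) {
		machine_seen
	}
}

# sites-available/inner-tunnel: the user's password authentication
authorize {
	# The MAC lives on the outer (EAP) request, not on the inner one
	update request {
		&Calling-Station-Id := "%{outer.request:Calling-Station-Id}"
	}
	# Only ask whether an entry exists; never create one from the user's login
	update control {
		&Cache-Status-Only := yes
	}
	machine_seen
	if (notfound) {
		update reply {
			&Reply-Message := "device has not completed machine authentication"
		}
		reject
	}
	# Device was seen recently; continue with the normal user checks.
	# ldap can bind-authenticate only when it receives a cleartext password
	# (e.g. EAP-TTLS/PAP); for PEAP-MSCHAPv2 use mschap/ntlm_auth instead.
	ldap
}
```

The same MAC can of course be spoofed by another device, so treat the cache hit as a policy signal, not as proof that the user's machine holds the certificate.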