Re: Username/Host authorization
Hi,

Yes, this is our actual configuration and it works very well, but I think that in the long run, a database that contains all MAC addresses can become very difficult to manage. But if it's the only solution, I will make do with it.

Thanks.

Nicolas CLO
Industrial and Network Technician
ITS Section

-----Original mail-----

> Hi,
>
> > I'm now sure that the best way for us is MAC Address filtering.
>
> that's a way of doing the 'host' part. the user can then be authenticated by an EAP method.
>
> ie authorization stage can check the calling-station-id (MAC address) and, if not known, just reject. then, if known carry on to the user authentication by 802.1X
>
> as already said, you have to know what you want and the technologies available
>
> alan
Username/Host authorization
Hi list,

I'm searching for the best way to configure an authorization based on both Host + Username (mschapv2 + /usr/bin/ntlm_auth) but not Host or Username.

Is it possible to verify host with mschapv2 and if the module returns ok proceed to username verification with the same module?

Thanks for your reply.

Nicolas CLO
Industrial and Network Technician
ITS Section
RICOH INDUSTRIE FRANCE SAS
144, route de Rouffach, 68920 WETTOLSHEIM
Tel: +33 (0) 3 89 20 48 84
nicolas@ricoh-industrie.fr | www.ricoh-thermal.com
Re: Username/Host authorization
On 24/06/13 12:47, nicolas@ricoh-industrie.fr wrote:

> Hi list,
>
> I'm searching for the best way to configure an authorization based on both Host + Username (mschapv2 + /usr/bin/ntlm_auth) but not Host *or* Username.
>
> Is it possible to verify host with mschapv2 and if the module returns ok proceed to username verification with the same module?

No.
Re: Username/Host authorization
nicolas@ricoh-industrie.fr wrote:

> Is it possible to verify host with mschapv2

That question has a number of unstated assumptions. Those assumptions are wrong.

Does the *host* provide mschapv2 authentication data? No. Therefore, the host can't be verified with mschapv2.

> and if the module returns ok proceed to username verification with the same module?

You're asking for mschapv2 to authenticate two different identities at the same time. It doesn't do that.

What do you really want to do? Your question assumes a particular view of things. That view is wrong, so we can't help you.

If you describe what you have and what you want to do, we may be able to come up with a different approach that meets your needs.

Alan DeKok.
Username/Host authorization
Thanks for your help.

We want two authorizations at the same time, for example, to ensure that a user does not use his iPhone with his DOMAIN/UserName account.

MAC authorization is not a good way for us (too restrictive to keep up to date). Authorization by certificate too, because we have a lot of hosts which don't support that.

Nicolas CLO.

-----Original Message-----

> nicolas@ricoh-industrie.fr wrote:
>
> > Is it possible to verify host with mschapv2
>
> That question has a number of unstated assumptions. Those assumptions are wrong.
>
> Does the *host* provide mschapv2 authentication data? No. Therefore, the host can't be verified with mschapv2.
>
> > and if the module returns ok proceed to username verification with the same module?
>
> You're asking for mschapv2 to authenticate two different identities at the same time. It doesn't do that.
>
> What do you really want to do? Your question assumes a particular view of things. That view is wrong, so we can't help you.
>
> If you describe what you have and what you want to do, we may be able to come up with a different approach that meets your needs.
>
> Alan DeKok.

Nicolas CLO
Industrial and Network Technician
ITS Section
RICOH INDUSTRIE FRANCE SAS
144, route de Rouffach, 68920 WETTOLSHEIM
Tel: +33 (0) 3 89 20 48 84
nicolas@ricoh-industrie.fr | www.ricoh-thermal.com
Re: Username/Host authorization
nicolas@ricoh-industrie.fr wrote:

> We want two authorizations at the same time, for example, to ensure that a user does not use his iPhone with his DOMAIN/UserName account.

That is fairly vague. You're working with computers. Be specific.

WHAT is in an Access-Request when they login using a desktop?

WHAT is in an Access-Request when they login using their phone?

HOW are the two requests different?

Once you know that, it should be easy to create rules which can distinguish one from the other. And then apply different rules to each one.

> MAC authorization is not a good way for us (too restrictive to keep up to date). Authorization by certificate too, because we have a lot of hosts which don't support that.

You're limited by what is in the Access-Request. If the only difference between a desktop and iPhone is a MAC address, too bad. Computers aren't magic.

My guess is that the only thing which will really work is MAC address filtering. I'd suggest finding a way to make it manageable.

Alan DeKok.
Re: Username/Host authorization
On 24/06/13 14:09, nicolas@ricoh-industrie.fr wrote:

> Thanks for your help.
>
> We want two authorizations at the same time, for example, to ensure that a user does not use his iPhone with his DOMAIN/UserName account.

Sorry, but that's not currently possible. No EAP method supports it.

In theory EAP-TEAP might, but that's too new, and it's not clear if clients would support 1 auth anyway.
Username/Host authorization
Ok, thanks for the reply.

I'm now sure that the best way for us is MAC Address filtering.

Have a good day.

Nicolas CLO

-----Original mail-----

> nicolas@ricoh-industrie.fr wrote:
>
> > We want two authorizations at the same time, for example, to ensure that a user does not use his iPhone with his DOMAIN/UserName account.
>
> That is fairly vague. You're working with computers. Be specific.
>
> WHAT is in an Access-Request when they login using a desktop?
>
> WHAT is in an Access-Request when they login using their phone?
>
> HOW are the two requests different?
>
> Once you know that, it should be easy to create rules which can distinguish one from the other. And then apply different rules to each one.
>
> > MAC authorization is not a good way for us (too restrictive to keep up to date). Authorization by certificate too, because we have a lot of hosts which don't support that.
>
> You're limited by what is in the Access-Request. If the only difference between a desktop and iPhone is a MAC address, too bad. Computers aren't magic.
>
> My guess is that the only thing which will really work is MAC address filtering. I'd suggest finding a way to make it manageable.
>
> Alan DeKok.
Re: Username/Host authorization
Hi,

> I'm now sure that the best way for us is MAC Address filtering.

that's a way of doing the 'host' part. the user can then be authenticated by an EAP method.

ie authorization stage can check the calling-station-id (MAC address) and, if not known, just reject. then, if known carry on to the user authentication by 802.1X

as already said, you have to know what you want and the technologies available

alan
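
The two-stage check described in this thread (reject an unknown Calling-Station-Id, then hand known hosts on to 802.1X user authentication), sketched in Python as an added illustration; it is not FreeRADIUS configuration and not code from any poster. The allowlist, sample requests and function names are constructed, and rejecting a known host that sends no EAP-Message is an assumption taken from the "both Host + Username" requirement.

```python
import re

# Constructed allowlist of known hosts, kept in one canonical form
# (lowercase hex, colon-separated) so the list stays manageable.
KNOWN_MACS = {"00:11:22:33:44:55", "66:77:88:99:aa:bb"}

# Constructed Access-Request attribute sets (sample data only).
SAMPLE_REQUESTS = [
    {"User-Name": "DOMAIN\\alice", "Calling-Station-Id": "00-11-22-33-44-55",
     "EAP-Message": "<eap payload>"},                     # known desktop
    {"User-Name": "DOMAIN\\alice", "Calling-Station-Id": "de:ad:be:ef:00:01",
     "EAP-Message": "<eap payload>"},                     # same user, unknown phone
    {"User-Name": "DOMAIN\\bob", "Calling-Station-Id": "6677.8899.AABB"},  # no EAP
    {"User-Name": "DOMAIN\\carol", "EAP-Message": "<eap payload>"},        # no MAC
]


def normalize_mac(calling_station_id):
    """Return the MAC as aa:bb:cc:dd:ee:ff, or None if it is not a MAC.

    NAS vendors send Calling-Station-Id in different notations
    (00-11-22-33-44-55, 0011.2233.4455, 001122334455), so the value is
    canonicalized before it is compared with the allowlist.
    """
    if not calling_station_id:
        return None
    hexdigits = re.sub(r"[-:.\s]", "", calling_station_id).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def authorize(request, known_macs=KNOWN_MACS):
    """Host check first; only known hosts continue to user authentication."""
    mac = normalize_mac(request.get("Calling-Station-Id"))
    if mac is None or mac not in known_macs:
        return "reject"        # unknown or missing host: stop before EAP
    if "EAP-Message" not in request:
        return "reject"        # known host, but no 802.1X user credentials
    return "continue-eap"      # the EAP method authenticates the user next


def decide_all(requests=SAMPLE_REQUESTS):
    """Decision for each sample request, in order."""
    return [authorize(r) for r in requests]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, decide_all()):
        print(req.get("Calling-Station-Id"), req["User-Name"], "->", verdict)
```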