Two ways, one is preferred:
- Use TEAP and chained EAP requests to authenticate the device and user at the same time.
- Configure the supplicant for Computer and User auth, which requires the computer to go through a device-level authentication first; then mark that endpoint as domain-joined and use that endpoint attribute as a further check during user auth.
Note, both options are only applicable to Windows.
------------------------------
Carson Hulcher, ACEX#110
------------------------------
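The two options in the reply, as an added Python sketch that is not from the post or from any vendor's policy engine: a hypothetical RADIUS policy evaluator with constructed directory data, endpoint records and timestamps. The role names, the 24-hour validity window for the machine-auth mark, the `host/<fqdn>` identity format and the `Request`/`Endpoint` types are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed directory data standing in for Active Directory lookups.
DOMAIN = "corp.example"
DOMAIN_COMPUTERS = {"pc01.corp.example", "pc02.corp.example"}
DOMAIN_USERS = {"alice", "bob"}

# Assumption: a machine-authentication mark on an endpoint is trusted for this long.
MACHINE_AUTH_TTL = timedelta(hours=24)

# Constructed timestamps for the scenarios at the bottom.
T0 = datetime(2024, 7, 31, 8, 0)
T_LOGON = T0 + timedelta(minutes=1)
T_STALE = T0 + timedelta(hours=25)


@dataclass
class Endpoint:
    """Hypothetical endpoint-repository record keyed by MAC address."""
    mac: str
    machine_authenticated_at: Optional[datetime] = None


@dataclass
class Request:
    """One access request as the policy engine sees it."""
    mac: str
    identity: str                      # "host/<fqdn>" for machine auth, username for user auth
    now: datetime
    inner_user: Optional[str] = None   # second (chained) identity carried by a TEAP session


def is_domain_computer(identity: str) -> bool:
    """Machine identities look like host/<fqdn>; require the exact domain suffix
    and a known computer account, not just any name ending in the domain."""
    if not identity.lower().startswith("host/"):
        return False
    fqdn = identity[len("host/"):].lower()
    return fqdn.endswith("." + DOMAIN) and fqdn in DOMAIN_COMPUTERS


def is_domain_user(identity: str) -> bool:
    return identity.lower() in DOMAIN_USERS


def evaluate_two_stage(req: Request, store: dict) -> str:
    """Option 2 from the reply: computer auth first, which stamps the endpoint;
    user auth then requires a fresh stamp on the same endpoint."""
    ep = store.setdefault(req.mac, Endpoint(req.mac))
    if req.identity.lower().startswith("host/"):
        if is_domain_computer(req.identity):
            ep.machine_authenticated_at = req.now
            return "Machine-Only"          # pre-logon role, enough for logon/GPO traffic
        return "Reject"
    if not is_domain_user(req.identity):
        return "Reject"
    stamp = ep.machine_authenticated_at
    fresh = stamp is not None and req.now - stamp <= MACHINE_AUTH_TTL
    # Valid user on an endpoint that never passed (or aged out of) machine auth:
    # treat it as a non-domain device instead of granting the full role.
    return "Domain-User" if fresh else "Restricted"


def evaluate_teap(req: Request) -> str:
    """Option 1 from the reply: both identities arrive in one TEAP session,
    so no endpoint state has to be carried between requests."""
    machine_ok = is_domain_computer(req.identity)
    user_ok = req.inner_user is not None and is_domain_user(req.inner_user)
    if machine_ok and user_ok:
        return "Domain-User"
    if machine_ok and req.inner_user is None:
        return "Machine-Only"
    if user_ok:
        return "Restricted"
    return "Reject"


if __name__ == "__main__":
    store: dict = {}
    print(evaluate_two_stage(Request("aa:bb:cc:00:00:01", "host/PC01.corp.example", T0), store))
    print(evaluate_two_stage(Request("aa:bb:cc:00:00:01", "alice", T_LOGON), store))
    print(evaluate_two_stage(Request("aa:bb:cc:00:00:02", "bob", T0), store))
    print(evaluate_teap(Request("aa:bb:cc:00:00:03", "host/pc02.corp.example", T0, inner_user="alice")))
```

The point the sketch makes about the second option is that it relies on state keyed by MAC address carried from one request to the next, so the mark should expire and a user whose endpoint carries no fresh mark should land in a restricted role rather than the full one. The TEAP path evaluates both identities in the same session and needs no such state, which is why it is the cleaner design where the supplicant supports it.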
Original Message:
Sent: Jul 31, 2024 02:59 AM
From: Ronin101
Subject: Machine Authentication - How
Dear Experts,
One of the customers is using EAP-PEAP (MSCHAPv2) to do user credentials authentication. They want to do computer authentication to make sure that only domain-joined machines are getting the correct roles. However, what I don't understand is: in the user's case we can match different criteria like OU, SG, etc., but in the computer's case how is it done? Do we only change if machine authentication is successful?
If yes, can someone tell me or share a sample policy for how to match the correct domain for machine authentication?