Channel: OpenVPN Support Forum

Wishlist • Re: Use Windows Machine Account as an authentication option

There are lots of ways to authenticate the user (freeipa, motp, ldap, etc.), but no ways to authenticate the machine!

Use GSSAPI to check if a client computer is part of an AD domain. If the client computer is not enrolled, no VPN. This doesn't require Windows. It does require that the server (Linux or otherwise) is part of the AD domain and is able to request service tickets from the AD KDC.

Only after the client is confirmed as being part of the AD domain can it then proceed to user authentication (potentially using RADIUS or some other MFA.)

Summary: support using Windows machine account as a pre-authentication step for the client that is a gating factor for user authentication being initiated.

Statistics: Posted by downdeep — Sun Dec 15, 2024 3:47 am


