Is PEAP/EAP-MSCHAPv2 with certs a reasonable way to keep untrusted computers off the lan?

john lists.john at gmail.com
Fri May 8 20:12:26 CEST 2009


> But what you can do is largely dependent
> on what NAS supports

Thanks for the explanation.

>
>> I want
>> my users to
>> have to supply both a valid domain user/password combo AND I want their
>> computers to prove that they are allowed on the lan. My understanding of
>> the
>> PEAP/EAP-MSCHAPv2 + cert approach was that my users (and their computers)
>> would need both sorts of credentials in order to use the lan.
>
> Yes, but that would be machine, not client (user) certificate. So machine
> will be checked with certificate and user with username/pass. In two
> separate authentication sessions (when machine is switched on/ user logs
> off - machine authentication; when user logs in - user authentication).

Ok. So is a machine cert different than a client cert? Can I have a
single machine cert for all machines, or do I need to generate one for
every machine? If so, does that simply mean I edit the client.cnf with
the FQDN of the machine in question? With several hundred machines on
the domain this sounds painful.

Would I then set my XP clients who are connecting by wire to use EAP
type "Smart Card or Other Certificate"? Or would they continue to use
PEAP MSCHAPV2? And would I continue to try and force the freeradius
server to do certificate checking via eap.conf?

I haven't found a good howto on this. It seems that most folks are
concerned about using freeradius with WPA supplicants. The process
seems a bit different for computers that must be valid as well.

>
>>> > 2) Is there a better approach?
>>>
>>> That depends on your hardware. If your switches support port based
>>> authentication and dynamic VLAN assignment via radius you can make this
>>> work.

We're looking at using used HP 2650s but I'd be interested in knowing
your recommendation for high density switches for LAN environments
with robust dot1x support.


> And how are you going to stop students from plugging into the ports they
> feel like?
> You can paint them in different colours, do what you like -
> students will still plug into the "wrong" ones.

The NAS are located in server closets so the students would be
plugging into ports in classrooms. Since they wouldn't have a machine
cert they'd get no joy, right?

> Or better - how is admin
> going to get onto the admin VLAN from a port "allocated" to students? Use
> dynamic VLAN assignment.

I like the idea but currently don't have equipment that supports this
AFAIK. Again, what would you recommend in terms of hardware? As
always, cost is an issue :->

I appreciate your help!

john
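
The dynamic VLAN assignment suggested in the reply, written out as an added FreeRADIUS unlang fragment; it is not from this thread or from the FreeRADIUS project. It assumes a post-auth section in the virtual server that completes the authentication, that a Windows machine authentication arrives either with a User-Name of the form host/<fqdn> or with a verified EAP-TLS machine certificate (which FreeRADIUS exposes as TLS-Client-Cert-Common-Name), and constructed VLAN IDs 20 (staff) and 30 (students).

```text
# Constructed example in FreeRADIUS 2.x unlang; VLAN IDs are assumed.
post-auth {
    # A machine-level credential was presented: either the domain
    # machine account (User-Name "host/<fqdn>", sent when the PC boots
    # or the user logs off) or a verified EAP-TLS machine certificate.
    if ((User-Name =~ /^host\//) || (TLS-Client-Cert-Common-Name)) {
        # Assumed staff VLAN.
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "20"
        }
    }
    # Only a user/password was proven, e.g. a personal laptop with
    # valid domain credentials: it lands on the student VLAN instead.
    else {
        # Assumed student VLAN.
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "30"
        }
    }
    # Rejected authentications never reach this section, so a port with
    # no valid credential gets no VLAN at all and stays closed.
}
```

With PEAP the inner identity is only visible in the inner-tunnel virtual server, so this block belongs there and the peap section of eap.conf needs use_tunneled_reply = yes for the attributes to reach the outer Access-Accept.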
