Is PEAP/EAP-MSCHAPv2 with certs a reasonable way to keep untrusted computers off the lan?
lists.john at gmail.com
Fri May 8 20:12:26 CEST 2009
> But what you can do is largely dependent
> on what NAS supports
Thanks for the explanation.
>> I want
>> my users to
>> have to supply both a valid domain user/password combo AND I want their
>> computers to prove that they are allowed on the lan. My understanding of
>> PEAP/EAP-MSCHAPv2 + cert approach was that my users (and their computers)
>> would need both sorts of credentials in order to use the lan.
> Yes, but that would be machine, not client (user) certificate. So machine
> will be checked with certificate and user with username/pass. In two
> separate authentication sessions (when machine is switched on/ user logs
> off - machine authentication; when user logs in - user authentication).
Ok. So is a machine cert different than a client cert? Can I have a
single machine cert for all machines, or do I need to generate one for
every machine? If so, does that simply mean I edit the client.cnf with
the FQDN of the machine in question? With several hundred machines on
the domain this sounds painful.
Would I then set my XP clients who are connecting by wire to use EAP
type "Smart Card or Other Certificate", or would they continue to use
PEAP MSCHAPv2? And would I continue to try and force the FreeRADIUS
server to do certificate checking via eap.conf?
I haven't found a good howto on this. It seems that most folks are
concerned about using FreeRADIUS with WPA supplicants. The process
seems a bit different for computers that must be valid as well.
>>> > 2) Is there a better approach?
>>> That depends on your hardware. If your switches support port based
>>> authentication and dynamic VLAN assignment via radius you can make this
We're looking at using used HP 2650s, but I'd be interested in knowing
your recommendation for high-density switches for LAN environments
with robust dot1x support.
> And how are you going to stop students from plugging into the ports they
> feel like?
> You can paint them in different colours, do what you like -
> students will still plug into the "wrong" ones.
The NAS are located in server closets so the students would be
plugging into ports in classrooms. Since they wouldn't have a machine
cert they'd get no joy, right?
> Or better - how is admin
> going to get onto the admin VLAN from a port "allocated" to students? Use
> dynamic VLAN assignment.
I like the idea but currently don't have equipment that supports this
AFAIK. Again, what would you recommend in terms of hardware? As
always, cost is an issue :->
I appreciate your help!
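The machine-versus-user split and the dynamic VLAN assignment described in the quoted replies, written out as FreeRADIUS 2.x `users` file entries (an added example, not from this thread or the FreeRADIUS project; the VLAN ids and group names are placeholders, and the `Ldap-Group` entries assume rlm_ldap is configured against the domain):

```text
# Constructed FreeRADIUS "users" file entries (placeholder VLAN ids and group names).
# A Windows machine authenticating on its own (nobody logged on) sends the
# identity "host/<fqdn>", so it can be told apart from a logged-on user.
# The EAP method itself (machine cert, or MS-CHAPv2 inside PEAP) is decided in
# eap.conf; these entries only add the VLAN reply items. For PEAP the inner
# tunnel's reply must be copied out with "use_tunneled_reply = yes" in the
# peap section of eap.conf, or the switch never sees the Tunnel-* attributes.
# Only the first matching entry applies (Fall-Through defaults to No).

# Machine session: put it on a restricted "machines" VLAN that only reaches
# the domain controllers, so a box with no user can't roam the whole LAN.
DEFAULT  User-Name =~ "^host/"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "20"

# User session: the domain group decides the VLAN, so an admin who plugs into
# a classroom port still lands on the admin VLAN and a student never does.
DEFAULT  Ldap-Group == "domain-admins"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "10"

DEFAULT  Ldap-Group == "students"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "30"

# Anything else (unknown identity, no matching group) is rejected, so a
# stranger plugging into a classroom port gets no VLAN at all.
DEFAULT  Auth-Type := Reject
         Reply-Message = "Not authorized on this LAN"
```

Check the result with `radtest` or by reading `radiusd -X` output: the Access-Accept for a `host/` identity should carry `Tunnel-Private-Group-Id = "20"` and a user's should carry the group's VLAN.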