Is PEAP/EAP-MSCHAPv2 with certs a reasonable way to keep untrusted computers off the lan?

Ivan Kalik tnt at kalik.net
Fri May 8 22:19:37 CEST 2009


> I haven't found a good howto on this. It seems that most folks are
> concerned about using freeradius with WPA supplicants. The process
> seems a bit different for computers that must be valid as well.
>

And why do you insist on checking machine identity? Security? Let's say one
of your students was trawling porn and warez sites all night while
downloading some dodgy cracked game via torrents - he has a certificate
on his laptop. The other student just bought a new laptop - he has no
machine certificate. Guess which one will be able to hook up to your
network. Do you really want to let the first one in and stop the second?

>>
>>>>> 2) Is there a better approach?
>>>>
>>>> That depends on your hardware. If your switches support port based
>>>> authentication and dynamic VLAN assignment via radius you can make
>>>> this work.
>
> We're looking at using used HP 2650's but I'd be interested in knowing
> your recommendation for high density switches for Lan environments
> with robust dot1x support.
>

Arran is a better person to ask. Read his article on HP switches:

http://wiki.freeradius.org/HP

>
>> And how are you going to stop students from plugging into the ports they
>> feel like? You can paint them in different colours, do what you like -
>> students will still plug into the "wrong" ones.
>
> The NAS are located in server closets so the students would be
> plugging into ports in classrooms.

And teachers? Dedicated teacher ports? Who is going to guard them when
the teacher leaves the classroom? You really don't want students anywhere near
teacher resources.

>> Or better - how is admin
>> going to get onto the admin VLAN from a port "allocated" to students?
>> Use dynamic VLAN assignment.
>
> I like the idea but currently don't have equipment that supports this
> AFAIK. Again, what would you recommend in terms of hardware? As
> always, cost is an issue :->

That expense will save you a lot of headaches later.

Ivan Kalik
Kalik Informatika ISP
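The dynamic VLAN assignment discussed above, shown as an added example that is not part of Ivan's post or of the FreeRADIUS project files: a fragment of a FreeRADIUS "users" file that returns the standard RFC 3580 tunnel attributes so that an 802.1X-capable switch places the port into a VLAN chosen by the RADIUS server rather than by which wall socket was used. The usernames, passwords and VLAN IDs are constructed placeholders; a real deployment would key the reply on group membership from LDAP/AD rather than on per-user entries.

```text
# Added example, not from the original post. Assumed layout:
#   VLAN 10 = admin, VLAN 20 = teachers, VLAN 30 = students.
# Tunnel-Type = VLAN (13) and Tunnel-Medium-Type = IEEE-802 (6)
# are the RFC 3580 values the switch expects in the Access-Accept.

admin1    Cleartext-Password := "placeholder-admin-password"
          Tunnel-Type = VLAN,
          Tunnel-Medium-Type = IEEE-802,
          Tunnel-Private-Group-Id = "10"

teacher1  Cleartext-Password := "placeholder-teacher-password"
          Tunnel-Type = VLAN,
          Tunnel-Medium-Type = IEEE-802,
          Tunnel-Private-Group-Id = "20"

student1  Cleartext-Password := "placeholder-student-password"
          Tunnel-Type = VLAN,
          Tunnel-Medium-Type = IEEE-802,
          Tunnel-Private-Group-Id = "30"

# Anyone not matched above is refused rather than dropped into a default VLAN.
DEFAULT   Auth-Type := Reject
```

With PEAP/EAP-MSCHAPv2 the username is authenticated inside the TLS tunnel by the inner-tunnel virtual server, so the reply attributes are generated there; in FreeRADIUS 2.x the `peap` section of eap.conf needs `use_tunneled_reply = yes` for them to be copied into the outer Access-Accept that the switch actually sees. The point for the original question is that the port's VLAN then follows the authenticated identity, so a student plugging into a "teacher" socket still lands in the student VLAN.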
