Is PEAP/EAP-MSCHAPv2 with certs a reasonable way to keep untrusted computers off the lan?

Ivan Kalik tnt at
Fri May 8 23:02:20 CEST 2009

> I want machine security for machines owned by the school district.
> That way only school machines can be on the Lan.
> Student machines won't get the cert installed on their machines so
> they won't be able to answer the challenge from the CA, right? Am I
> missing your argument?

Ah, that's how it's going to work. You probably don't need machine
certificates. Students will just pinch them and install them on
unauthorized machines. You will still have to check mac addresses
(Calling-Station-Id). So, drop machine authentication completetly and
match Calling-Station-Id on user authentication. You can tie a user to a
single machine or even a group of machines with huntgroups/sqlhuntgroups.
Doing more than that significantly inceases the workload -  for very
little benefit.

> Is there some difference between a "machine cert" and a "client cert"

No. It's just whose details are on the certificate.

> ? If so is there some direction about how to manufacture and install
> them?

Same as the ones for users.

> I believe you. Assuming I collection of those switches wouldn't I also
> need a management server to manage dynamic vlan assignment?

Sort of. Freeradius would be that "management" server. VLAN IDs will be in
user/group entries.

Ivan Kalik
Kalik Informatika ISP

More information about the Freeradius-Users mailing list