Is PEAP/EAP-MSCHAPv2 with certs a reasonable way to keep untrusted computers off the lan?

john lists.john at
Sat May 9 01:05:13 CEST 2009

On Fri, May 8, 2009 at 2:27 PM, Arran Cudbard-Bell
<A.Cudbard-Bell at> wrote:
> On 8/5/09 22:02, Ivan Kalik wrote:
>>> I want machine security for machines owned by the school district.
>>> That way only school machines can be on the LAN.
>>> Student machines won't get the cert installed on their machines so
>>> they won't be able to answer the challenge from the CA, right? Am I
>>> missing your argument?
>> Ah, that's how it's going to work. You probably don't need machine
>> certificates. Students will just pinch them and install them on
>> unauthorized machines. You will still have to check MAC addresses
>> (Calling-Station-Id).

If that's the case, what's the purpose of machine certs? Are they
really that easy to steal from
an XP/SP3 box joined to AD? Our end users are pretty constrained by GPO
(no command line etc.)

>> So, drop machine authentication completely and
>> match Calling-Station-Id on user authentication. You can tie a user to a
>> single machine or even a group of machines with huntgroups/sqlhuntgroups.
>> Doing more than that significantly increases the workload - for very
>> little benefit.

I am willing to do that if the consensus is that it is the current best
practice. I was working under the assumption that
the way folks using freeradius typically secured their LANs was via a
combination of dot1x, freeradius, and certs on the users' hosts. So I
guess my question now is more fundamental. What's the proper approach
to take to secure wired clients using freeradius and dot1x? Perhaps I
should start a new topic?
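
The Calling-Station-Id / huntgroups approach Ivan describes, written out as an added configuration example (not from the thread or from the FreeRADIUS distribution). The huntgroup names, user name and MAC addresses are constructed sample values; it assumes the `preprocess` module runs before `files` in the `authorize` section so huntgroup checks are available.

```text
# raddb/huntgroups  (added example; names and MACs are constructed)
# Lines sharing a huntgroup name are OR'd: a request belongs to
# "district-lab" if its Calling-Station-Id equals any MAC listed.
# The MAC format (00-11-22-33-44-55, 00:11:22:33:44:55, 0011.2233.4455)
# is whatever the switch sends, so copy it from a debug (radiusd -X) run.
district-lab     Calling-Station-Id == "00-11-22-33-44-55"
district-lab     Calling-Station-Id == "00-11-22-33-44-66"
staff-desk-jdoe  Calling-Station-Id == "00-11-22-33-44-77"

# raddb/users  (added example)
# First matching entry wins. A user is rejected unless the request
# came from a machine in their huntgroup; everyone else is rejected
# unless the machine is a district machine. Requests that match no
# reject entry fall through to the normal PEAP/MS-CHAPv2 flow.
jdoe     Huntgroup-Name != "staff-desk-jdoe", Auth-Type := Reject
         Reply-Message = "jdoe is not permitted on this machine"

DEFAULT  Huntgroup-Name != "district-lab", Auth-Type := Reject
         Reply-Message = "Not a district-owned machine"
```

With PEAP the check must run in the inner tunnel, so `copy_request_to_tunnel = yes` is needed in the `peap` section of eap.conf so that Calling-Station-Id is visible there; a MAC is trivially changed on a student laptop, so this limits casual access rather than a determined user.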
