<br><div class="gmail_quote">On 11 October 2012 11:45, Phil Mayers <span dir="ltr"><<a href="mailto:p.mayers@imperial.ac.uk" target="_blank">p.mayers@imperial.ac.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On 11/10/12 11:03, Bryce Mackintosh wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
<br>
I'm currently using FreeRadius to control access to our wifi network<br>
with PEAP-TLS, and authenticating users against their AD accounts. I now<br>
need to somehow additionally restrict the users wifi access to only the<br>
machines that are joined to the Windows domain, and not phones, ipads,<br>
etc, and do this in a reasonably secure fashion.<br>
</blockquote>
<br></div>
Can you be more specific here?<br>
<br>
Do you want to authenticate *first* the computer and *then* the user via 802.1x? If so, that could be tricky - Windows doesn't support >1 auth inside the PEAP tunnel.<div class="im"><br></div></blockquote><div> </div>
<div>In the ideal world it would be nice to authenticate both the machine and the user, but it does seem you can only do one or the other. We've considered filtering by MAC address, but that would be an admin headache, plus they can be easily spoofed. Could also filter by hostname, but then again that's easy to spoof. </div>
<div><br></div><div>Okay, ignoring how I currently have things setup, how would other people go about controlling the users and devices on a wifi network by means of 802.1x, freeradius using AD for authentication and Win XP Pro SP3 clients. I'd have thought that this was a fairly common requirement in the enterprise world, so I'm surprised there's not an obvious solution, or am I missing something? At the moment it looks like we'll have to abandon 802.1x and go back to WPA2-PSK.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
There are a couple of hundred laptops involved, so I'd like to avoid<br>
having to do much in the way of client-side configuration, but I suspect<br>
that client certificates may be the only answer.<br>
</blockquote>
<br></div>
How do you think they may be "the answer"? IIRC you can't use client certs with PEAP in windows.<br></blockquote><div> </div><div>Doh! I'd forgotten that!</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/<u></u>list/users.html</a><br>
</blockquote></div><br>