.
That depends on capabilities of your equipment. This how Cisco implements it:
www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
Other vendors have more on less the same. It is enabled on some models and not on others.
Thanks for this.
So this policy would check the huntgroup that the NAS was a member of and then go on to check if the users was part of the proper Ldap-Group and assuming that both were true then access would be granted. I am still not clear how some hunt groups will always require a host cert and others never will. Is this set in the hunt group?
No, on the equipment. Your setup is such that you have to enforce (enable/disable) it on hardware. If you would require certificates for access to all hardware you could enforce it with AD Group Policy. Like this students don't need machine certificates for wireless access. So, you should enable mac auth bypass on your student APs. Most APs should have such feature.You should make students register mac address of their wireless equipment if they want to connect.
Hmm. I don't think I like this approach for a couple of reasons, perhaps you can let me know if I am thinking about this incorrectly. We already use mac address as an auth scheme and I want to move away from this because of the ease of mac spoofing in a wireless environment. That's why I hoped to move to username/password authentication with WPA2 that was centrally managed via freeradius <=> Active Directory. I currently have a fairly central way to manage access by mac, but I would have to give that up if I had to maintain a mac address table on each NAS. I guess I could add a list of allowed mac addresses in the freeradius/users file and maintain it from there? Just so I understand you clearly, we can't have 1 class of users who must use host certs via NAS A and another class of uses who never have to use certs via NAS B on the same freeradius server? If that is the case I think I might want to set up a second instance of Freeradius and point the NAS that don't require host certs at that one. I could simply mint another virtual freeradius instance in freeradius/sites-enabled couldn't I? If I have this all muddled up, I hope you'll straighten me out. Thanks for all of your help. John