(3) I cannot create a generic "computer cert" that authenticates the computer and opens the port?
Yes, you can. But as soon as some user logs onto that computer ...
Ivan Kalik Kalik Informatika ISP
Thanks for the reply Ivan. I am fine with folks logging in and having access from computer that have already been authenticate via a computer certificate. If my users make it that far they have domain credentials and are supposed to be there. What I am trying to prevent is users from bringing their laptops from home and plugging them into a spare port (or removing the cable from the back of a school computer) in one of our computer labs. I am pretty sure I can put a cert into the computer that will authenticate the computer *before* a user even logs in. Once they provide their domain credentials they should have access to all the services we provide int the lab. I am having a hard time figuring out how to make this work. Where/how does the cert get imported. Do I need to make a registry change in KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global to make this work? I hope this is the part someone on the list will have done before and be able to guide me or point me at a howto. Thanks! John