On 11/10/12 11:03, Bryce Mackintosh wrote:
Hi,
I'm currently using FreeRadius to control access to our wifi network with PEAP-TLS, and authenticating users against their AD accounts. I now need to somehow additionally restrict the users wifi access to only the machines that are joined to the Windows domain, and not phones, ipads, etc, and do this in a reasonably secure fashion.
Can you be more specific here? Do you want to authenticate *first* the computer and *then* the user via 802.1x? If so, that could be tricky - Windows doesn't support >1 auth inside the PEAP tunnel.
There are a couple of hundred laptops involved, so I'd like to avoid having to do much in the way of client-side configuration, but I suspect that client certificates may be the only answer.
How do you think they may be "the answer"? IIRC you can't use client certs with PEAP in windows.