1) Would PEAP/EAP-MSCHAPv2 with client certs accomplish my goal?
No. Because your problem has nothing to do with authentication (methods). Your problem is with authorization.
Thanks for your reply. I am not sure I understand your distinction, sorry for my ignorance. I want my users to have to supply both a valid domain user/password combo AND I want their computers to prove that they are allowed on the lan. My understanding of the PEAP/EAP-MSCHAPv2 + cert approach was that my users (and their computers) would need both sorts of credentials in order to use the lan.
2) Is there a better approach?
That depends on your hardware. If your switches support port based authentication and dynamic VLAN assignment via radius you can make this work.
The switches are configured to use dot1x. Is that what you mean? I am not using dynamic vlans. My intention is that users who sucessfuly authenticate will by switched according to the vlan rules in place on the port on the NAS.
4) Eventually I'll want to extend this approach to wireless devices so that trusted computers will get LAN services while untrusted computers with valid user credentials will be handed off to a different VLAN.
Same principle applies. But authenticating devices is not very wise. It's far better to authenticate users.
Does my explanation above make this moot?
And it is far better to have equipment that places unauthenticated users in a guest VLAN, than to break authentication and make radius accept users that fail authentication.
Understood. Thanks again. I'll be interested to read your reply. John