On 11 October 2012 14:48, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 11/10/12 12:55, Bryce Mackintosh wrote:


Okay, ignoring how I currently have things setup, how would other people
go about controlling the users and devices on a wifi network by means of
802.1x, freeradius using AD for authentication and Win XP Pro SP3

We don't bother. It's not obvious why "controlling the devices" is useful.

IT policy here requires that there's no unapproved/unsupported devices on our network. With the current test PEAP-TLS configuration anyone could use their AD account to connect any device to the wifi network, rather than just the laptops they've been issued. 


clients. I'd have thought that this was a fairly common requirement in
the enterprise world, so I'm surprised there's not an obvious solution,
or am I missing something? At the moment it looks like we'll have to
abandon 802.1x and go back to WPA2-PSK.

Eh? How does *that* help? 

It's what we have currently in production, and only IT know the key, so we can at the moment control what gets on our wifi network - at least at my site
 
If you really want to do this, then:

 1. Use machine auth for 802.1x
 2. Use policies *on* the machines to control the users

Management currently (they didn't initially) consider machine auth more important than user auth for access to the new wifi network. As I can only have one or the other via 802.1x, I'll focus on getting the machine auth working and go from there.

--
Bryce