Dan Letkeman wrote:
From what I understand I need to create myself a certificate and install that certificate into the freeradius server and into each of my client computers.
Yes.
Then I need to configure my switches to connect use the freeradius server to allow the traffic through when the client computer wants to authenticate to the network.
No... you need to configure the switches to use 802.1X authentication. They will then automatically allow traffic for authenticated devices.
My questions are as follows:
Which EAP type should I use if I only want the computers to authenticate using certificates? EAP-TLS?
That will work.
I am guessing I should be using WPA2/Enterprise on the clients for the 802.1x authentication on the Windows 7 clients? And set it to use computer authentication only?
That will work.
Do I need a signed third party certificate or can I use a self signed one?
You can use a self-signed certificate. See the Wiki for an EAP-TLS "howto".
Could a user not just export the certificate from the computer and import it into there own computer, configure there network settings and get on the network? Or is there a mechanism to keep people from doing this? Perhaps a password encrypted in the certificate?
There is nothing to prevent the user from exporting the certificate.
Is there anything else I am missing?
No. Alan DeKok.