Hi John thanks for taking the time to reply,
Ask the question "Who are you authenticating?" or "What has permission to use the network?" Am I trying to restrict access to a specific set of users or am I trying to restrict access to a specific set of machines? If it's the later does that mean anyone who sits down at that machine has access?
In this instance I am trying to the network so that only computers which carry a credential are allowed to have port access. My users credentials are managed via Active Directory and I am trying to avoid issuing user certs if possible. More specifically we have a number of computer labs where users are in the habit of bringing in computers from home and plugging in, I'd like to prevent this. So what I am hoping to find out is that I can create a cert with the FQDN of the computer. Install it on the computer itself, and have the computer negotiate via the NAS with free-radius for access. I hope this process is completely transparent to the user.
In a very very simplified view a certificate is nothing more than a password. Would you give the same password to every user? Would you put that password on every machine?
Sort of. I guess I see it as a sort of 2 factor auth scheme. The computer has a credential which is processed by free-radius and the user has a separate credential which is processed by Active Directory.
2) The per user certificate is stored in a central location where only the user can access it. Usually this requires OS support and another layer of authentication.
I am pretty sure that Windows XP can use a Computer Cert for dot1X auth via EAP. I've seen references to it. I've even found a mention of a registry hack that forces the computer to use machine auth for dot1X in lieu of user certs, but I am not sure how to correctly implement it when using free-radius, everythings written for IAS.
If you want to do machine authentication then per machine certificates must be generated and distributed (which is where your question began). There is no easy secure way to do this for a large number of devices in the absence of sophisticated certificate management software, this is why certificate management software is a growth industry.
I am willing to do it by hand if the process seems reasonably straight-forward. I've got about 200 machines and 1600 users, many users user multiple machines. You can see why I'd rather tackle the machines. :->
I'm not a Windows guy, but my understanding is that Microsoft offers (expensive) solutions. In the Linux world you might consider DogTag (http://pki.fedoraproject.org/wiki/PKI_Main_Page), this is the same certificate management system used by the DoD (Dept of Defense) and other high profile organizations which Red Hat has generously made available as open source after it's acquisition from Netscape.
Thanks for this resource.
Note that DogTag supports Auto-Enrollment Proxy (AEP) for Windows, which allows users and computers in a Microsoft Windows domain to automatically enroll for certificates issued from Certificate System.
Of course if you don't want to deal with the complexity of certificate based authentication you could just use passwords. Passwords are much less secure, but much simpler.
Yes but then we're back to the problem of a user just providing domain credentials to gain port access. I can imagine a student downloading secure-w2 or similar and providing domain credentials to get access for their laptop. Thanks again John. I appreciate your insights. John