On Fri, May 8, 2009 at 2:27 PM, Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk> wrote:
On 8/5/09 22:02, Ivan Kalik wrote:
I want machine security for machines owned by the school district. That way only school machines can be on the Lan. Student machines won't get the cert installed on their machines so they won't be able to answer the challenge from the CA, right? Am I missing your argument?
Ah, that's how it's going to work. You probably don't need machine certificates. Students will just pinch them and install them on unauthorized machines. You will still have to check mac addresses (Calling-Station-Id).
If that's the case what's the purpose of machine certs? Are they really that easy to steal from a XP/sp3 box joined to AD? Our end users are pretty constrained by GPO (no command line etc)
So, drop machine authentication completetly and match Calling-Station-Id on user authentication. You can tie a user to a single machine or even a group of machines with huntgroups/sqlhuntgroups. Doing more than that significantly inceases the workload - for very little benefit.
I am willing to do that if the consensus is that is the current best practice. I was working under the assumption that the way folks using freeradius typically secured their lans was via a combination of dot1x, freeradius, and certs on the users hosts. So I guess my question now is more fundemental. What's the proper approach to take to secure wired clients using freeradius and dot1x? Perhaps I should start a new topic? John