Is PEAP/EAP-MSCHAPv2 with certs a reasonable way to keep untrusted computers off the lan?
Hello all, I want to deny any untrusted computer access to our lan. Lately we've had a lot of students and staff bring laptops into our school and plugging them in to any convenient network port. I want only users with domain credentials using trusted computers on the LAN. My test setup looks like Active Directory <=> winbind <=> Freeradius <=> NAS <=> Supplicant I think that using PEAP/EAP-MSCHAPv2 with client certs may be a reasonable way to proceed but I would like to get a sanity check from folks. 1) Would PEAP/EAP-MSCHAPv2 with client certs accomplish my goal? 2) Is there a better approach? 3) I am not clear on how to force checking of the client cert. I enabled "EAP-TLS-Require-Client-Cert = Yes" under the PEAP section of the eap.conf file but my WindowsXP client was still allowed to authenticate without specifying a root CA. Am I missing the point, if so please guide me. 4) Eventually I'll want to extend this approach to wireless devices so that trusted computers will get LAN services while untrusted computers with valid user credentials will be handed off to a different VLAN. Thanks for your help! John
I want to deny any untrusted computer access to our lan. Lately we've had a lot of students and staff bring laptops into our school and plugging them in to any convenient network port. I want only users with domain credentials using trusted computers on the LAN. My test setup looks like Active Directory <=> winbind <=> Freeradius <=> NAS <=> Supplicant
I think that using PEAP/EAP-MSCHAPv2 with client certs may be a reasonable way to proceed but I would like to get a sanity check from folks.
1) Would PEAP/EAP-MSCHAPv2 with client certs accomplish my goal?
No. Because your problem has nothing to do with authentication (methods). Your problem is with authorization.
2) Is there a better approach?
That depends on your hardware. If your switches support port based authentication and dynamic VLAN assignment via radius you can make this work.
4) Eventually I'll want to extend this approach to wireless devices so that trusted computers will get LAN services while untrusted computers with valid user credentials will be handed off to a different VLAN.
Same principle applies. But authenticating devices is not very wise. It's far better to authenticate users. And it is far better to have equipment that places unauthenticated users in a guest VLAN, than to break authentication and make radius accept users that fail authentication. Ivan Kalik Kalik Informatika ISP
1) Would PEAP/EAP-MSCHAPv2 with client certs accomplish my goal?
No. Because your problem has nothing to do with authentication (methods). Your problem is with authorization.
Thanks for your reply. I am not sure I understand your distinction, sorry for my ignorance. I want my users to have to supply both a valid domain user/password combo AND I want their computers to prove that they are allowed on the lan. My understanding of the PEAP/EAP-MSCHAPv2 + cert approach was that my users (and their computers) would need both sorts of credentials in order to use the lan.
2) Is there a better approach?
That depends on your hardware. If your switches support port based authentication and dynamic VLAN assignment via radius you can make this work.
The switches are configured to use dot1x. Is that what you mean? I am not using dynamic vlans. My intention is that users who sucessfuly authenticate will by switched according to the vlan rules in place on the port on the NAS.
4) Eventually I'll want to extend this approach to wireless devices so that trusted computers will get LAN services while untrusted computers with valid user credentials will be handed off to a different VLAN.
Same principle applies. But authenticating devices is not very wise. It's far better to authenticate users.
Does my explanation above make this moot?
And it is far better to have equipment that places unauthenticated users in a guest VLAN, than to break authentication and make radius accept users that fail authentication.
Understood. Thanks again. I'll be interested to read your reply. John
participants (2)
-
Ivan Kalik -
john