The EAP Saga continues.

Alan DeKok aland at deployingradius.com
Thu Feb 1 08:22:55 CET 2007


Evan Vittitow wrote:
> Alright, I'm going to step back and talk conceptually. The issue is that
> the laptops use a combination of LDAP and Kerberos to authenticate to
> the Domain Controllers.

  If that's what you've designed your system to do, then it seems to
be a problem you created for yourself.

> (OpenLDAP and a Kerberos KDC.) to authorize and
> authenticate Humans. So you get a Chicken/Egg issue. You can't
> authenticate Humans until you authenticate nodes, but a Human could not
> enter MS-CHAPv2 passwords without logging in.

  Then don't design the system in a way that makes it impossible to do
what you want.

> I want to be able to assign a Certificate to a Host, as long as the Host
> carries the certificate, it can talk on the network. The Cert should be
> individualized to each host. So, I'd like to be able give a host a cert,
> and then let them use the network so they can login with User/Password.
> I have a working CA now.

  Then the laptops have to use PEAP, and your switches have to require
802.1x.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog



More information about the Freeradius-Users mailing list