HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users

john lists.john at gmail.com
Wed Jul 15 21:49:19 CEST 2009


>
>> (3) I cannot create a generic "computer cert" that authenticates the
>> computer and opens the port?
>
> Yes, you can. But as soon as some user logs onto that computer ...
>
> Ivan Kalik
> Kalik Informatika ISP

Thanks for the reply Ivan. I am fine with folks logging in and having
access from computers that have already been authenticated via a
computer certificate. If my users make it that far they have domain
credentials and are supposed to be there. What I am trying to prevent
is users from bringing their laptops from home and plugging them into
a spare port (or removing the cable from the back of a school
computer) in one of our computer labs.

I am pretty sure I can put a cert into the computer that will
authenticate the computer *before* a user even logs in. Once they
provide their domain credentials they should have access to all the
services we provide in the lab.

I am having a hard time figuring out how to make this work. Where/how
does the cert get imported? Do I need to make a registry change in
KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
to make this work? I hope this is the part someone on the list will
have done before and be able to guide me or point me at a howto.

Thanks!

John


