Is PEAP/EAP-MSCHAPv2 with certs a reasonable way to keep untrusted computers off the lan?

[john]

Hello all,

I want to deny any untrusted computer access to our lan. Lately we've had a
lot of students and staff bring laptops into our school and plugging them in
to any convenient network port. I want only users with domain credentials
using trusted computers on the LAN.
My test setup looks like Active Directory <=> winbind <=> Freeradius <=> NAS
<=> Supplicant

I think that using  PEAP/EAP-MSCHAPv2 with client certs may be a reasonable
way to proceed but I would like to get a sanity check from folks.

1) Would PEAP/EAP-MSCHAPv2 with client certs accomplish my goal?
2) Is there a better approach?
3) I am not clear on how to force checking of the client cert. I enabled
"EAP-TLS-Require-Client-Cert = Yes" under the PEAP section of the eap.conf
file but
 my WindowsXP client was still allowed to authenticate without specifying a
root CA. Am I missing the point, if so please guide me.
4) Eventually I'll want to extend this approach to wireless devices so that
trusted computers will get LAN services while untrusted computers with valid
user credentials will be handed off to a different VLAN.

Thanks for your help!

John
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20090507/644b60b0/attachment.html>