Is PEAP/EAP-MSCHAPv2 with certs a reasonable way to keep untrusted computers off the LAN?

Ivan Kalik tnt at kalik.net
Fri May 8 00:41:15 CEST 2009


> I want to deny any untrusted computer access to our LAN. Lately we've had
> a lot of students and staff bring laptops into our school and plug them
> in to any convenient network port. I want only users with domain credentials
> using trusted computers on the LAN.
> My test setup looks like Active Directory <=> winbind <=> Freeradius <=>
> NAS <=> Supplicant
>
> I think that using PEAP/EAP-MSCHAPv2 with client certs may be a
> reasonable way to proceed, but I would like to get a sanity check from folks.
>
> 1) Would PEAP/EAP-MSCHAPv2 with client certs accomplish my goal?

No. Because your problem has nothing to do with authentication (methods).
Your problem is with authorization.

> 2) Is there a better approach?

That depends on your hardware. If your switches support port based
authentication and dynamic VLAN assignment via radius you can make this
work.

> 4) Eventually I'll want to extend this approach to wireless devices so
> that trusted computers will get LAN services while untrusted computers
> with valid user credentials will be handed off to a different VLAN.

Same principle applies. But authenticating devices is not very wise. It's
far better to authenticate users.

And it is far better to have equipment that places unauthenticated users
in a guest VLAN, than to break authentication and make radius accept users
that fail authentication.

Ivan Kalik
Kalik Informatika ISP
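As an added illustration of the dynamic VLAN assignment Ivan describes (this is not configuration from the thread or from the FreeRADIUS project): the VLAN is handed to the switch in the RFC 3580 tunnel attributes of the Access-Accept. It assumes FreeRADIUS 2.x, that an `ldap` module is configured against AD so `Ldap-Group` checks work (the poster's setup uses winbind only, so that module is an assumption), and the group name and VLAN ids are constructed values.

```text
# raddb/users, read by the inner-tunnel virtual server, where the real
# user name is visible behind PEAP.
# Needs: an ldap module pointed at AD for the Ldap-Group check, and
# use_tunneled_reply = yes in the peap section of eap.conf so these reply
# items are copied into the outer Access-Accept that the switch sees.

# Users in the (constructed) AD group "lan-trusted" get the LAN VLAN.
# Processing stops at the first matching entry.
DEFAULT  Ldap-Group == "lan-trusted"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "10"

# Anyone else who passes MSCHAPv2 lands in the restricted VLAN (constructed id).
DEFAULT
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "20"
```

Machines that never authenticate at all get no Access-Accept, so the guest VLAN for them is a switch-side setting (the equipment feature Ivan refers to), not something radius can return.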



