Is PEAP/EAP-MSCHAPv2 with certs a reasonable way to keep untrusted computers off the lan?

john lists.john at
Fri May 8 01:00:14 CEST 2009

> >
> > 1) Would PEAP/EAP-MSCHAPv2 with client certs accomplish my goal?
> No. Because your problem has nothing to do with authentication (methods).
> Your problem is with authorization.

Thanks for your reply.

I am not sure I understand your distinction, sorry for my ignorance. I want
my users to have to supply both a valid domain user/password combo AND I want
their computers to prove that they are allowed on the lan. My understanding of
the PEAP/EAP-MSCHAPv2 + cert approach was that my users (and their computers)
would need both sorts of credentials in order to use the lan.

> > 2) Is there a better approach?
> That depends on your hardware. If your switches support port based
> authentication and dynamic VLAN assignment via radius you can make this
> work.

The switches are configured to use dot1x. Is that what you mean? I am not
using dynamic vlans. My intention is that users who successfully authenticate
will be switched according to the vlan rules in place on the port on the

> > 4) Eventually I'll want to extend this approach to wireless devices so
> > that
> > trusted computers will get LAN services while untrusted computers with
> > valid
> > user credentials will be handed off to a different VLAN.
> Same principle applies. But authenticating devices is not very wise. It's
> far better to authenticate users.

Does my explanation above make this moot?

> And it is far better to have equipment that places unauthenticated users
> in a guest VLAN, than to break authentication and make radius accept users
> that fail authentication.


Thanks again. I'll be interested to read your reply.
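As an added illustration of the "dynamic VLAN assignment via radius" the reply above refers to (this is example configuration, not part of the original thread): a FreeRADIUS unlang fragment for the post-auth section that returns the RFC 3580 tunnel attributes a dot1x switch uses to place the port in a VLAN, putting members of an assumed "lan-users" group on an assumed VLAN 10 and everyone else on an assumed guest VLAN 99.

```text
# post-auth section of the virtual server that handles the (inner) PEAP
# authentication. Runs only after the user/password check has succeeded.
post-auth {
        # Assumed group name; the group check requires rlm_ldap (or an
        # equivalent group module) to be configured in authorize.
        if (Ldap-Group == "lan-users") {
                update reply {
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        # Assumed VLAN ID for trusted users
                        Tunnel-Private-Group-Id := "10"
                }
        }
        else {
                # Authenticated but not in the trusted group: guest VLAN
                update reply {
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        # Assumed guest VLAN ID
                        Tunnel-Private-Group-Id := "99"
                }
        }
}
```

With PEAP the reply attributes are set in the inner tunnel, so they only reach the switch if the PEAP configuration copies the tunneled reply into the outer Access-Accept; users who fail authentication entirely get no VLAN from RADIUS and end up wherever the switch's own guest-VLAN setting puts them.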
