Is PEAP/EAP-MSCHAPv2 with certs a reasonable way to keep untrusted computers off the lan?
john
lists.john at gmail.com
Fri May 8 01:00:14 CEST 2009
>
> >
> > 1) Would PEAP/EAP-MSCHAPv2 with client certs accomplish my goal?
>
> No. Because your problem has nothing to do with authentication (methods).
> Your problem is with authorization.
Thanks for your reply.
I am not sure I understand your distinction, sorry for my ignorance. I want
my users to
have to supply both a valid domain user/password combo AND I want their
computers to prove that they are allowed on the lan. My understanding of the
PEAP/EAP-MSCHAPv2 + cert approach was that my users (and their computers)
would need both sorts of credentials in order to use the lan.
>
>
> > 2) Is there a better approach?
>
> That depends on your hardware. If your switches support port based
> authentication and dynamic VLAN assignment via radius you can make this
> work.
The switches are configured to use dot1x. Is that what you mean? I am not
using dynamic vlans. My intention is that users who sucessfuly authenticate
will by switched according to the vlan rules in place on the port on the
NAS.
>
>
> > 4) Eventually I'll want to extend this approach to wireless devices so
> > that
> > trusted computers will get LAN services while untrusted computers with
> > valid
> > user credentials will be handed off to a different VLAN.
>
> Same principle applies. But authenticating devices is not very wise. It's
> far better to authenticate users.
Does my explanation above make this moot?
>
>
> And it is far better to have equipment that places unauthenticated users
> in a guest VLAN, than to break authentication and make radius accept users
> that fail authentication.
Understood.
Thanks again. I'll be interested to read your reply.
John
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20090507/24995a5b/attachment.html>
More information about the Freeradius-Users
mailing list