Is PEAP/EAP-MSCHAPv2 with certs a reasonable way to keep untrusted computers off the lan?

john lists.john at gmail.com
Fri May 8 22:34:20 CEST 2009


On Fri, May 8, 2009 at 1:19 PM, Ivan Kalik <tnt at kalik.net> wrote:
>> I haven't found a good howto on this. It seems that most folks are
>> concerned about using freeradius with WPA supplicants. The process
>> seems a bit different for computers which must be valid as well.
>>
>
> And why do you insist on checking machine identity? Security? Let's say one
> of your students was trawling porn and warez sites all night while
> downloading some dodgy cracked game via torrents - he has a certificate
> on his laptop. The other student just bought a new laptop - he has no
> machine certificate. Guess which one will be able to hook up to your
> network. Do you really want to let the first one and stop the second?

Hi Ivan,

I want machine security for machines owned by the school district.
That way only school machines can be on the LAN.
Student machines won't get the cert installed on their machines so
they won't be able to answer the challenge from the CA, right? Am I
missing your argument?

Is there some difference between a "machine cert" and a "client cert"?
If so, is there some direction about how to manufacture and install
them?

> Arran is better person to ask. Read his article on HP switches:
>
> http://wiki.freeradius.org/HP

Thank you.

> And teachers? Dedicated teacher ports? Who is going to guard them when the
> teacher leaves the classroom. You really don't want students anywhere near
> teacher resources.

Sure, but again, students can't just plug into those ports since they
won't have the cert that allows them access to the LAN, right?


>
> That expense will save you a lot of headaches later.
>

I believe you. Assuming a collection of those switches, wouldn't I also
need a management server to manage dynamic vlan assignment?

Cheers!

John
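On the dynamic VLAN question at the end of the message: with 802.1X the switch places the port into whatever VLAN the RADIUS server names in its Access-Accept, using the three RFC 2868 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN id), so the assignment lives in the RADIUS policy rather than in a separate management server. The following is an added example written for this page, not code from the thread or from FreeRADIUS; it encodes that attribute triple in RADIUS wire format and parses it back the way a switch has to, including the RFC 2868 rule that a leading byte above 0x1F is data rather than a tag. The attribute numbers and enumeration values are the standard ones; the sample payloads are constructed here.

```python
import struct

# RFC 2868 tunnel attribute types and the values used for VLAN assignment
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _attr(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value, length covers the header."""
    if len(value) + 2 > 255:
        raise ValueError("attribute value too long for a single RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_vlan_attributes(vlan_id, tag=1):
    """Build the Access-Accept attribute bytes that put a port into vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of the usable 802.1Q range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tags must fit in 0x00..0x1F")
    # Tunnel-Type and Tunnel-Medium-Type carry a one-byte tag plus a 3-byte integer
    tunnel_type = bytes([tag]) + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]
    medium = bytes([tag]) + struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:]
    # Tunnel-Private-Group-ID carries the tag followed by the VLAN id as text
    group = bytes([tag]) + str(vlan_id).encode("ascii")
    return (_attr(TUNNEL_TYPE, tunnel_type)
            + _attr(TUNNEL_MEDIUM_TYPE, medium)
            + _attr(TUNNEL_PRIVATE_GROUP_ID, group))


def parse_attributes(payload):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    attrs = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("attribute length does not fit the packet")
        attrs.append((attr_type, payload[i + 2:i + length]))
        i += length
    return attrs


def _split_tag(value):
    """Return (tag, data); a first byte above 0x1F is data, not a tag (RFC 2868 s3.6)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def assigned_vlan(payload):
    """Return the VLAN id named by a complete, consistent tunnel triple, else None.

    Attributes are grouped by tag; untagged ones (tag 0) apply to every group.
    A port with no usable triple gets no VLAN from RADIUS, so the switch falls
    back to whatever default it is configured with.
    """
    per_tag = {}
    for attr_type, value in parse_attributes(payload):
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        tag, data = _split_tag(value)
        entry = per_tag.setdefault(tag, {})
        if attr_type == TUNNEL_TYPE:
            if len(data) != 3:
                raise ValueError("Tunnel-Type must be a 3-byte integer after the tag")
            entry["type"] = int.from_bytes(data, "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            if len(data) != 3:
                raise ValueError("Tunnel-Medium-Type must be a 3-byte integer after the tag")
            entry["medium"] = int.from_bytes(data, "big")
        else:
            entry["group"] = data.decode("ascii", errors="replace")
    for tag in sorted(per_tag):
        merged = {**per_tag.get(0, {}), **per_tag[tag]}
        if (merged.get("type") == TUNNEL_TYPE_VLAN
                and merged.get("medium") == TUNNEL_MEDIUM_IEEE_802
                and merged.get("group", "").isdigit()
                and 1 <= int(merged["group"]) <= 4094):
            return int(merged["group"])
    return None


if __name__ == "__main__":
    accept = build_vlan_attributes(10)          # constructed sample Access-Accept
    print(accept.hex(), "->", assigned_vlan(accept))
```

A practical reading of the parser: an Access-Accept that lacks any one of the three attributes, or names a medium other than IEEE-802, yields `None`, which is exactly the case in which a switch leaves the port on its configured default or guest VLAN; that is worth checking in the RADIUS policy before relying on it to separate teacher and student traffic.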




More information about the Freeradius-Users mailing list