Is PEAP/EAP-MSCHAPv2 with certs a reasonable way to keep untrusted computers off the lan?

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Fri May 8 23:27:26 CEST 2009


On 8/5/09 22:02, Ivan Kalik wrote:
>> I want machine security for machines owned by the school district.
>> That way only school machines can be on the Lan.
>> Student machines won't get the cert installed on their machines so
>> they won't be able to answer the challenge from the CA, right? Am I
>> missing your argument?
>
> Ah, that's how it's going to work. You probably don't need machine
> certificates. Students will just pinch them and install them on
> unauthorized machines. You will still have to check mac addresses
> (Calling-Station-Id).

Which students will pinch, and use to administratively override the MAC 
addresses of their laptop NICs? ;) Hell, you can do it in ifconfig if 
your driver supports it (hw class address ether).

Surely file permissions on Windows Machines can't be *that* broken.

> So, drop machine authentication completely and
> match Calling-Station-Id on user authentication. You can tie a user to a
> single machine or even a group of machines with huntgroups/sqlhuntgroups.
> Doing more than that significantly increases the workload - for very
> little benefit.
>
>> Is there some difference between a "machine cert" and a "client cert"
>
> No. It's just whose details are on the certificate.
>
>> ? If so is there some direction about how to manufacture and install
>> them?
>>
>
> Same as the ones for users.
>
>> I believe you. Assuming a collection of those switches, wouldn't I also
>> need a management server to manage dynamic vlan assignment?
>
> Sort of. Freeradius would be that "management" server. VLAN IDs will be in
> user/group entries.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
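An added illustration of the Calling-Station-Id binding and dynamic VLAN reply Ivan describes, written for this page in Python rather than taken from FreeRADIUS; the users, MAC addresses, huntgroup names and VLAN IDs in it are invented. It models what a huntgroups/users entry does: after PEAP/MSCHAPv2 has authenticated the user, accept only if the switch-reported Calling-Station-Id is one of the MACs bound to that user's group, and return the RFC 2868 Tunnel-* attributes that carry the VLAN to the switch. As Arran notes above, the MAC is still spoofable, so this raises the bar only against students who have not bothered to change it.

```python
"""Toy model of "match Calling-Station-Id on user authentication" plus
dynamic VLAN assignment.  Constructed example, not FreeRADIUS code:
the policy table below is invented for illustration."""
import re
from typing import Dict, Optional, Tuple

# RFC 2868 values a switch expects for dynamic VLAN assignment.
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802


def normalize_mac(calling_station_id: Optional[str]) -> Optional[str]:
    """Switches send Calling-Station-Id as 00-11-22-33-44-55,
    00:11:22:33:44:55 or 0011.2233.4455 depending on vendor; canonicalize
    to lower-case dashed form so a string compare does not silently fail.
    Returns None if the value is not a 48-bit MAC."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id or "")
    if len(hexdigits) != 12:
        return None
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


# Invented policy table (the huntgroups/users data in a real deployment):
#   huntgroup -> set of permitted MACs, user -> huntgroup, huntgroup -> VLAN
HUNTGROUPS: Dict[str, set] = {
    "lab-a": {"00-11-22-33-44-55", "00-11-22-33-44-56"},
    "staff-laptops": {"aa-bb-cc-dd-ee-01"},
}
USER_HUNTGROUP: Dict[str, str] = {"student1": "lab-a", "teacher1": "staff-laptops"}
HUNTGROUP_VLAN: Dict[str, str] = {"lab-a": "20", "staff-laptops": "10"}


def authorize(request: Dict[str, str]) -> Tuple[str, Dict[str, object]]:
    """Authorization step only: assumes the user's credentials were already
    verified by the EAP/MSCHAPv2 exchange.  Returns ("Access-Accept", reply
    attributes) or ("Access-Reject", {}).  Note the MAC check is no stronger
    than the NIC's willingness to report its burned-in address."""
    user = request.get("User-Name")
    mac = normalize_mac(request.get("Calling-Station-Id"))
    group = USER_HUNTGROUP.get(user or "")
    if group is None or mac is None or mac not in HUNTGROUPS[group]:
        # Unknown user, unparsable MAC, or MAC not bound to this user's group.
        return "Access-Reject", {}
    return "Access-Accept", {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-Id": HUNTGROUP_VLAN[group],
    }


if __name__ == "__main__":
    # Constructed requests: a bound machine, and the same user from a
    # machine bound to a different group.
    for req in (
        {"User-Name": "student1", "Calling-Station-Id": "0011.2233.4455"},
        {"User-Name": "student1", "Calling-Station-Id": "aa:bb:cc:dd:ee:01"},
    ):
        print(req, "->", authorize(req))
```

The same decision in a FreeRADIUS deployment would live in the huntgroups/users files (or the SQL equivalents Ivan mentions), with the three Tunnel-* attributes as the reply items; the normalization step is worth keeping in mind there too, since the MAC format in Calling-Station-Id varies between switch vendors.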


