Is PEAP/EAP-MSCHAPv2 with certs a reasonable way to keep untrusted computers off the lan?

Ivan Kalik tnt at
Sat May 9 02:54:32 CEST 2009

> If that's the case what's the purpose of machine certs? Are they
> really that easy to steal from
> a XP/sp3 box joined to AD? Our end users are pretty constrained by GPO
> (no command line etc)

Ah, you weren't mentioning AD. With AD you can exercise reasonable
control. And issuing and installing certificates should't be much of a
problem (read about domain member autoenrolement). You should go for AD

and leave user/machine authentication to AD.

The problems are with non-domain machines. In their wisdom MS have removed
Power User option for new accounts for XP (used to be there in Win2K). So,
faced with admin or limited options most people end up opening local admin
accounts. With them all local files are fair game. Sad truth is that Power
User group still exists on Win XP Pro - but most MS trained admins are not
aware of it.

>>> So, drop machine authentication completetly and
>>> match Calling-Station-Id on user authentication. You can tie a user to
>>> a
>>> single machine or even a group of machines with
>>> huntgroups/sqlhuntgroups.
>>> Doing more than that significantly inceases the workload -  for very
>>> little benefit.
> I am willing to do that if the consensus is that is the current best
> practice.

No, in your case you should use machine certificates. You have already put
in increased workload into AD - use it. But still, dynamic VLANs would be
much prefered to static ones. And you would save yourself the workload
needed to secure NAS/port combinations from unwanted access with

Ivan Kalik
Kalik Informatika ISP

More information about the Freeradius-Users mailing list