Is PEAP/EAP-MSCHAPv2 with certs a reasonable way to keep untrusted computers off the lan?
john
lists.john at gmail.com
Sat May 9 21:30:54 CEST 2009
> Ah, you weren't mentioning AD. With AD you can exercise reasonable
> control. And issuing and installing certificates should't be much of a
> problem (read about domain member autoenrolement). You should go for AD
> integration:
Hi, Ivan. I mentioned AD but it was way back in the first email. To
recap my setup looks like
Active Directory <=> winbind <=> Freeradius <=> NAS <=> Supplicant
I set this up by following the link you reference. So that part is good :-)
>
> http://deployingradius.com/documents/configuration/active_directory.html
>
> and leave user/machine authentication to AD.
Right so user auth is the job of AD. Are you aware of any pointers or
howto's on getting autoenrollment working with AD and Freeradius?
> No, in your case you should use machine certificates. You have already put
> in increased workload into AD - use it. But still, dynamic VLANs would be
> much prefered to static ones. And you would save yourself the workload
> needed to secure NAS/port combinations from unwanted access with
> huntgroups/sqlhuntgroups.
Can you explain what you mean by this?
Thank you for all of your advice. I really appreciate it!
John
More information about the Freeradius-Users
mailing list