Is PEAP/EAP-MSCHAPv2 with certs a reasonable way to keep untrusted computers off the lan?

john lists.john at
Sat May 9 21:30:54 CEST 2009

> Ah, you weren't mentioning AD. With AD you can exercise reasonable
> control. And issuing and installing certificates shouldn't be much of a
> problem (read about domain member autoenrollment). You should go for AD
> integration:

Hi, Ivan. I mentioned AD, but it was way back in the first email. To
recap, my setup looks like:
Active Directory <=> winbind <=> Freeradius <=> NAS <=> Supplicant

I set this up by following the link you reference. So that part is good :-)

> and leave user/machine authentication to AD.

Right, so user auth is the job of AD. Are you aware of any pointers or
howtos on getting autoenrollment working with AD and Freeradius?

> No, in your case you should use machine certificates. You have already put
> in increased workload into AD - use it. But still, dynamic VLANs would be
> much preferred to static ones. And you would save yourself the workload
> needed to secure NAS/port combinations from unwanted access with
> huntgroups/sqlhuntgroups.

Can you explain what you mean by this?

Thank you for all of your advice. I really appreciate it!

