Design question
Alan DeKok
aland at deployingradius.com
Thu Feb 2 08:16:57 CET 2012
Dan Letkeman wrote:
> From what I understand I need to create myself a certificate and
> install that certificate into the freeradius server and into each of
> my client computers.
Yes.
> Then I need to configure my switches to connect
> use the freeradius server to allow the traffic through when the client
> computer wants to authenticate to the network.
No... you need to configure the switches to use 802.1X authentication.
They will then automatically allow traffic for authenticated devices.
> My questions are as follows:
>
> Which EAP type should I use if I only want the computers to
> authenticate using certificates? EAP-TLS?
That will work.
> I am guessing I should be using WPA2/Enterprise on the clients for the
> 802.1x authentication on the Windows 7 clients? And set it to use
> computer authentication only?
That will work.
> Do I need a signed third party certificate or can I use a self signed one?
You can use a self-signed certificate. See the Wiki for an EAP-TLS
"howto".
> Could a user not just export the certificate from the computer and
> import it into their own computer, configure their network settings
> and get on the network? Or is there a mechanism to keep people from
> doing this? Perhaps a password encrypted in the certificate?
There is nothing to prevent the user from exporting the certificate.
> Is there anything else I am missing?
No.
Alan DeKok.
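The certificate setup the thread discusses (a private CA, a server certificate for the RADIUS server, and a per-machine client certificate for EAP-TLS), as an added example that is not part of the original post and not the FreeRADIUS project's own scripts. It assumes `openssl` is on the PATH; the names (Example Lab CA, radius.lab.example, pc01.lab.example) and the scratch directory are constructed for illustration. The server certificate and key would go into the `tls` section of FreeRADIUS's EAP configuration (`certificate_file`, `private_key_file`, `ca_file`), and the PKCS#12 bundle is what each Windows machine would import into its computer certificate store.

```shell
#!/bin/sh
# Constructed example: build a private CA, a RADIUS server certificate and a
# client (computer) certificate for EAP-TLS, then verify the chain and EKUs.
set -eu

# Scratch directory for keys and certificates (assumption: mktemp is available).
WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed CA certificate and key (10-year validity, no passphrase
# so the script runs unattended; protect ca.key accordingly).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Lab CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue a leaf certificate signed by the CA.
#   $1 = file base name, $2 = CN, $3 = extendedKeyUsage (serverAuth|clientAuth)
issue_cert() {
  name="$1"; cn="$2"; eku="$3"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  # The EKU is what distinguishes the server cert from the client cert;
  # Windows supplicants expect clientAuth on the machine certificate.
  printf 'extendedKeyUsage=%s\nbasicConstraints=CA:FALSE\n' "$eku" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

# Bundle a client cert, its key and the CA into a PKCS#12 file for import.
#   $1 = file base name, $2 = export password (constructed value in the demo)
bundle_p12() {
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.pem" \
    -certfile "$WORK/ca.pem" -passout "pass:$2" -out "$WORK/$1.p12" 2>/dev/null
}

# Return 0 if the named certificate chains to the CA.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Return 0 if the named certificate lists the given EKU text,
# e.g. "TLS Web Client Authentication".
has_eku() {
  openssl x509 -in "$WORK/$1.pem" -noout -text 2>/dev/null | grep -q "$2"
}

# Build everything: CA, server cert, one computer cert and its bundle.
build_all() {
  make_ca
  issue_cert server "radius.lab.example" serverAuth
  issue_cert client "pc01.lab.example" clientAuth
  bundle_p12 client "constructed-export-password"
}

build_all
echo "certificates written to $WORK (ca.pem, server.pem, client.pem, client.p12)"
```

Each additional computer gets its own `issue_cert`/`bundle_p12` pair so that a single machine's certificate can be revoked without touching the rest. On the export concern raised in the thread: the private key lives inside `client.p12`, so whoever can read that file (or the imported key) holds the credential; leaving "Mark this key as exportable" unchecked when importing on Windows, or keeping the key on a smart card or TPM, raises the effort needed to copy it but does not change the fact that the machine itself must possess it.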
More information about the Freeradius-Users mailing list