Design question
Dan Letkeman
danletkeman at gmail.com
Thu Feb 2 18:51:39 CET 2012
Thank you for the quick reply.

Would you recommend doing anything differently? Perhaps a different EAP type?

If I wanted redundancy, should I just set up a secondary RADIUS server
with the same settings and add it to the list of servers that are
available?

Thanks,
Dan.

On Thu, Feb 2, 2012 at 1:16 AM, Alan DeKok <aland at deployingradius.com> wrote:
> Dan Letkeman wrote:
>> From what I understand I need to create myself a certificate and
>> install that certificate into the freeradius server and into each of
>> my client computers.
>
> Yes.
>
>> Then I need to configure my switches to connect
>> use the freeradius server to allow the traffic through when the client
>> computer wants to authenticate to the network.
>
> No... you need to configure the switches to use 802.1X authentication.
> They will then automatically allow traffic for authenticated devices.
>
>> My questions are as follows:
>>
>> Which EAP type should I use if I only want the computers to
>> authenticate using certificates? EAP-TLS?
>
> That will work.
>
>> I am guessing I should be using WPA2/Enterprise on the clients for the
>> 802.1x authentication on the Windows 7 clients? And set it to use
>> computer authentication only?
>
> That will work.
>
>> Do I need a signed third party certificate or can I use a self signed one?
>
> You can use a self-signed certificate. See the Wiki for an EAP-TLS
> "howto".
>
>> Could a user not just export the certificate from the computer and
>> import it into their own computer, configure their network settings
>> and get on the network? Or is there a mechanism to keep people from
>> doing this? Perhaps a password encrypted in the certificate?
>
> There is nothing to prevent the user from exporting the certificate.
>
>> Is there anything else I am missing?
>
> No.
>
> Alan DeKok.