fgaudreault at inverse.ca
Fri Jan 6 21:06:41 CET 2012
If your PCs are all Windows, and they are all members of an AD domain (or
subdomains), use PEAP with machine auth (or machine+user auth). It is
much less painful than deploying 600 client certificates.
PEAP also works with Mac OS X and Linux boxes using user authentication.
On 12-01-06 1:44 PM, David Mitton wrote:
> You can do such things as suggested... but you haven't articulated
> what your goal is and what you will be using the certificates for?
> 802.1X doesn't "require" certificates... but you may want to use them
> depending on what you are trying to do.
> Quoting "Danner, Mearl" <jmdanner at samford.edu>:
>> If you are using AD and have a CA set up you can create
>> autoenrollment gpo's for domain attached machines. You can issue
>> either user or computer certs. Can also configure the Windows
>> wireless supplicant via gpo.
>> freeradius-users-bounces+jmdanner=samford.edu at lists.freeradius.org
>> [mailto:freeradius-users-bounces+jmdanner=samford.edu at lists.freeradius.org]
>> On Behalf Of McSparin, Joe
>> Sent: Friday, January 06, 2012 10:18 AM
>> To: FreeRadius users mailing list
>> Subject: Distributing Certificates
>> Now that I have my Radius server configured I need to begin
>> implementation. I have 600 computers that will be using it. The
>> question I am wondering is: do I have to go around and install a
>> certificate on every one of the computers and then maintain that
>> every year, changing out the certificate on 600 computers, or is there
>> some way that the server passes out certificates when the machine
>> logs on? Or do I have an incorrect understanding of how to
>> implement 802.1x security?
>> Joseph R. McSparin
>> Network Administrator
>> Hill Country Memorial Hospital
>> 830 990 6638 phone
>> 830 990 6623 fax
>> jmcsparin at hillcountrymemorial.org
Francois Gaudreault, ing. jr
fgaudreault at inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)