Restricting users to AD domain computers

Alan DeKok aland at
Thu Oct 11 14:17:20 CEST 2012

Bryce Mackintosh wrote:
> I'm currently using FreeRadius to control access to our wifi network
> with PEAP-TLS, and authenticating users against their AD accounts. I now
> need to somehow additionally restrict the users wifi access to only the
> machines that are joined to the Windows domain, and not phones, ipads,
> etc, and do this in a reasonably secure fashion.

  That's not how EAP works.  If they authenticate, they're authenticated.

> There are a couple of hundred laptops involved, so I'd like to avoid
> having to do much in the way of client-side configuration, but I suspect
> that client certificates may be the only answer. I've been searching for
> a number of weeks, and I haven't found any other real solution.

  Whitelist the good devices, and disallow anything else.

  Alan DeKok.

More information about the Freeradius-Users mailing list