Restricting users to AD domain computers

Bryce Mackintosh brycedrm at
Thu Oct 11 22:46:40 CEST 2012

On 11 October 2012 14:48, Phil Mayers <p.mayers at> wrote:

> On 11/10/12 12:55, Bryce Mackintosh wrote:
>> Okay, ignoring how I currently have things setup, how would other people
>> go about controlling the users and devices on a wifi network by means of
>> 802.1x, freeradius using AD for authentication and Win XP Pro SP3
> We don't bother. It's not obvious why "controlling the devices" is useful.

IT policy here requires that there are no unapproved/unsupported devices on
our network. With the current test PEAP-TLS configuration anyone could use
their AD account to connect any device to the wifi network, rather than
just the laptops they've been issued.

>> clients. I'd have thought that this was a fairly common requirement in
>> the enterprise world, so I'm surprised there's not an obvious solution,
>> or am I missing something? At the moment it looks like we'll have to
>> abandon 802.1x and go back to WPA2-PSK.
> Eh? How does *that* help?

It's what we have currently in production, and only IT know the key, so we
can at the moment control what gets on our wifi network - at least at my

> If you really want to do this, then:
>  1. Use machine auth for 802.1x
>  2. Use policies *on* the machines to control the users

Management currently (they didn't initially) consider machine auth more
important than user auth for access to the new wifi network. As I can only
have one or the other via 802.1x, I'll focus on getting the machine auth
working and go from there.
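To illustrate the distinction Phil draws between machine auth and user auth, here is an added example (not code from this thread or from FreeRADIUS): a small Python classifier that tells an AD computer identity (host/fqdn as sent by Windows supplicants, DOMAIN\name$, name$@realm) from a user identity and applies a machine-only access policy. The domain names are constructed for the example.

```python
import re
from typing import NamedTuple, Optional

# Constructed AD domain for this example (assumption, not from the thread).
AD_DOMAIN = "example.com"
NETBIOS_DOMAIN = "EXAMPLE"


class Identity(NamedTuple):
    kind: str            # "machine" or "user"
    name: str            # account name without decoration, lower-cased
    realm: Optional[str] # DNS or NetBIOS realm if the identity carried one


def classify_identity(eap_identity: str) -> Identity:
    """Classify an EAP identity string as a machine or a user account.

    Windows machine auth presents host/<fqdn>; the matching AD computer
    object is <name>$ and may also appear as DOMAIN\\<name>$ or <name>$@realm.
    Everything else is treated as a user account.
    """
    ident = eap_identity.strip()
    # host/pc1.example.com  (Windows machine-auth identity form)
    m = re.fullmatch(r"host/([^./\\@]+)(?:\.(.+))?", ident, re.IGNORECASE)
    if m:
        return Identity("machine", m.group(1).lower(), (m.group(2) or "").lower() or None)
    # EXAMPLE\pc1$ or pc1$@example.com  (computer-account forms)
    m = re.fullmatch(r"(?:([^\\]+)\\)?([^\\@]+)\$(?:@(.+))?", ident)
    if m:
        realm = (m.group(3) or m.group(1) or "").lower() or None
        return Identity("machine", m.group(2).lower(), realm)
    # EXAMPLE\alice or alice@example.com  (user-account forms)
    m = re.fullmatch(r"(?:([^\\]+)\\)?([^\\@]+)(?:@(.+))?", ident)
    if m:
        realm = (m.group(3) or m.group(1) or "").lower() or None
        return Identity("user", m.group(2).lower(), realm)
    return Identity("user", ident.lower(), None)


def machine_only_decision(eap_identity: str) -> str:
    """Policy: accept only computer accounts of our own domain, reject users."""
    ident = classify_identity(eap_identity)
    if ident.kind != "machine":
        return "reject"   # a personal device presenting AD user credentials
    if ident.realm not in (None, AD_DOMAIN, NETBIOS_DOMAIN.lower()):
        return "reject"   # computer account from a foreign realm
    return "accept"       # realm None: unqualified host/<name> from our own domain
```

The identity string by itself proves nothing; the decision only stands once the EAP method has actually verified the machine credential against AD, so the classifier belongs after authentication, not in place of it.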
