Restricting users to AD domain computers

Bryce Mackintosh brycedrm at gmail.com
Thu Oct 11 22:46:40 CEST 2012


On 11 October 2012 14:48, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> On 11/10/12 12:55, Bryce Mackintosh wrote:
>
>
>> Okay, ignoring how I currently have things setup, how would other people
>> go about controlling the users and devices on a wifi network by means of
>> 802.1x, freeradius using AD for authentication and Win XP Pro SP3
>>
>
> We don't bother. It's not obvious why "controlling the devices" is useful.
>
IT policy here requires that there's no unapproved/unsupported devices on
our network. With the current test PEAP-TLS configuration anyone could use
their AD account to connect any device to the wifi network, rather than
just the laptops they've been issued.


>> clients. I'd have thought that this was a fairly common requirement in
>> the enterprise world, so I'm surprised there's not an obvious solution,
>> or am I missing something? At the moment it looks like we'll have to
>> abandon 802.1x and go back to WPA2-PSK.
>>
>
> Eh? How does *that* help?


It's what we have currently in production, and only IT know the key, so we
can at the moment control what gets on our wifi network - at least at my
site.


> If you really want to do this, then:
>
>  1. Use machine auth for 802.1x
>  2. Use policies *on* the machines to control the users
>

Management currently (they didn't initially) consider machine auth more
important than user auth for access to the new wifi network. As I can only
have one or the other via 802.1x, I'll focus on getting the machine auth
working and go from there.

--
Bryce
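The two-step advice quoted above (authenticate the machine over 802.1X, then control users with policy on the machine) comes down to one decision at the RADIUS server: does the identity in the Access-Request name a computer account or a person? The following Python models that decision so it can be run stand-alone; it is an added example, not code from this thread or from the FreeRADIUS project. In production the same check would be written in the server's own policy language in the authorize section. The identity formats (`host/<computer>.<dns-domain>` for machine auth over PEAP/EAP-TLS, `DOMAIN\COMPUTER$` in NTLM form, `DOMAIN\user` or `user@realm` for user auth), the sample request list and the approved-computer set are all constructed assumptions; the approved set stands in for whatever the site uses to mark a device as supported (for example membership of an AD group).

```python
import re
from dataclasses import dataclass

# Identity shapes assumed for this example (not taken from the thread):
#   host/<computer>.<dns-domain>   machine auth over PEAP/EAP-TLS
#   <DOMAIN>\<COMPUTER>$           machine account in NTLM form
#   <DOMAIN>\<user>, <user>@<realm> user auth
MACHINE_UPN = re.compile(r"^host/(?P<name>[^.@\\/]+)\.(?P<domain>[A-Za-z0-9.-]+)$")
MACHINE_NTLM = re.compile(r"^(?P<domain>[^\\]+)\\(?P<name>[^\\$]+)\$$")


@dataclass(frozen=True)
class Decision:
    accept: bool
    reason: str


def classify_identity(user_name: str) -> str:
    """Return 'machine', 'user' or 'unknown' for a RADIUS User-Name value."""
    if MACHINE_UPN.match(user_name) or MACHINE_NTLM.match(user_name):
        return "machine"
    if "\\" in user_name or "@" in user_name:
        return "user"
    return "unknown"  # bare names: the site must decide how to treat these


def machine_auth_policy(user_name: str, approved_computers: set[str]) -> Decision:
    """
    Policy modelled on the thread's advice: only requests carrying a machine
    identity are allowed, and the computer must also be on the approved list
    (the site's own equivalent of "no unapproved/unsupported devices").
    A user identity says who is connecting but nothing about the device, so
    it is rejected here regardless of whether the AD credentials are valid.
    """
    kind = classify_identity(user_name)
    if kind != "machine":
        return Decision(False, f"{kind} identity rejected: only machine auth is allowed")
    match = MACHINE_UPN.match(user_name) or MACHINE_NTLM.match(user_name)
    computer = match.group("name").upper()
    if computer not in approved_computers:
        return Decision(False, f"computer {computer} is not on the approved list")
    return Decision(True, f"machine {computer} approved")


# Constructed sample data: two issued laptops, and a handful of request identities
# a wireless controller might forward to the RADIUS server.
APPROVED = {"LAPTOP01", "LAPTOP02"}
SAMPLE_REQUESTS = [
    "host/laptop01.corp.example",   # issued laptop, machine auth
    r"CORP\LAPTOP02$",              # issued laptop, NTLM-form machine account
    r"CORP\bryce",                  # valid user, unknown device
    "bryce@corp.example",           # same user, UPN form
    "host/byod-phone.corp.example", # domain-joined but not an approved device
]


def evaluate_all(requests=SAMPLE_REQUESTS, approved=APPROVED) -> dict[str, Decision]:
    """Run the policy over every sample identity and return the decisions."""
    return {user_name: machine_auth_policy(user_name, approved) for user_name in requests}


if __name__ == "__main__":
    for user_name, decision in evaluate_all().items():
        verdict = "ACCEPT" if decision.accept else "REJECT"
        print(f"{verdict:6} {user_name:32} {decision.reason}")
```

Running it accepts only the two approved laptops; the user identities are refused even though the accounts are valid, which is exactly the gap Bryce describes with the PEAP-TLS test setup, and the unapproved machine shows why the approved list is needed on top of "is a domain computer".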