Evan Vittitow wrote:
> Alright, I'm going to step back and talk conceptually. The issue is that
> the laptops use a combination of LDAP and Kerberos to authenticate to
> the Domain Controllers.

If that's what you've designed your system to do, then it seems to be a problem you created for yourself.

> (OpenLDAP and a Kerberos KDC.) to authorize and
> authenticate Humans. So you get a Chicken/Egg issue. You can't
> authenticate Humans until you authenticate nodes, but a Human could not
> enter MS-CHAPv2 passwords without logging in.

Then don't design the system in a way that makes it impossible to do what you want.

> I want to be able to assign a Certificate to a Host, as long as the Host
> carries the certificate, it can talk on the network. The Cert should be
> individualized to each host. So, I'd like to be able to give a host a cert,
> and then let them use the network so they can login with User/Password.
> I have a working CA now.

Then the laptops have to use PEAP, and your switches have to require 802.1x.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
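As an added illustration of the design Alan describes (not part of the original thread, and not a configuration either poster supplied), the following is a FreeRADIUS `eap` module fragment in the 3.x `mods-available/eap` layout. It assumes the admin's own CA issued both the server certificate and the per-host client certificates; the file names under `${certdir}` and `${cadir}` are placeholders. The host-level gate is EAP-TLS: the supplicant must present a client certificate that chains to `ca_file` before the switch opens the port, and PEAP/MSCHAPv2 then carries the user's password once the machine is on the network. The switch still has to be configured to require 802.1X on the access ports; this fragment only covers the RADIUS side.

```conf
# Added example: FreeRADIUS 3.x eap module (mods-available/eap), assumed layout.
# Certificate paths are placeholders for the admin's own CA and issued certs.
eap {
    # Offer EAP-TLS first; a host with a valid client cert authenticates
    # without any user interaction, which breaks the chicken/egg cycle.
    default_eap_type = tls

    tls-config tls-common {
        private_key_file = ${certdir}/server.pem      # placeholder
        certificate_file = ${certdir}/server.pem      # placeholder
        # Client certs must chain to this CA; anything else is rejected.
        ca_file          = ${cadir}/ca.pem            # placeholder
        # Reject revoked host certs rather than trusting the CA alone.
        check_crl        = yes
    }

    # Machine authentication: the per-host certificate is the credential.
    tls {
        tls = tls-common
    }

    # User authentication: password inside a TLS tunnel, used after the
    # host is already on the network and can reach the KDC/LDAP.
    peap {
        tls              = tls-common
        default_eap_type = mschapv2
    }

    mschapv2 {
    }
}
```

Two checks a practitioner would want before relying on this: confirm `radiusd -X` logs a successful EAP-TLS handshake for a host with a valid cert and a `certificate verify failed` style rejection for one signed by an unknown CA, and confirm that a port with 802.1X required stays closed when the supplicant is disabled, since a switch that falls back to an open port makes the host certificate meaningless.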