Hello all,

I want to deny any untrusted computer access to our LAN. Lately we've had a lot of students and staff bring laptops into our school and plug them into any convenient network port. I want only users with domain credentials using trusted computers on the LAN. My test setup looks like:

Active Directory <=> winbind <=> FreeRADIUS <=> NAS <=> Supplicant

I think that using PEAP/EAP-MSCHAPv2 with client certs may be a reasonable way to proceed, but I would like to get a sanity check from folks.

1) Would PEAP/EAP-MSCHAPv2 with client certs accomplish my goal?
2) Is there a better approach?
3) I am not clear on how to force checking of the client cert. I enabled "EAP-TLS-Require-Client-Cert = Yes" under the PEAP section of the eap.conf file, but my Windows XP client was still allowed to authenticate without specifying a root CA. Am I missing the point? If so, please guide me.
4) Eventually I'll want to extend this approach to wireless devices so that trusted computers will get LAN services while untrusted computers with valid user credentials will be handed off to a different VLAN.

Thanks for your help!
John
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
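An added illustration, not from the post or from the list, of the two places a client-certificate requirement for PEAP is normally expressed in FreeRADIUS 2.x as I understand it: the `require_client_cert` option in the `peap` section of eap.conf, and the per-request `EAP-TLS-Require-Client-Cert` check item in the users file. Both fragments are constructed, and the option name and the check-item placement are assumptions to verify against the eap.conf comments of the installed version.

```text
# eap.conf, peap section (constructed fragment; only the relevant option is shown).
# Assumed option: make the outer TLS handshake demand a client certificate, so a
# supplicant without one never reaches the inner MSCHAPv2 exchange.
peap {
    default_eap_type = mschapv2
    require_client_cert = yes
}

# users file (constructed entry). EAP-TLS-Require-Client-Cert is a check/control
# item evaluated per request, not an eap.conf setting, so it goes here, not under
# the peap section. ':=' sets it; '==' on EAP-Type only matches PEAP requests.
DEFAULT  EAP-Type == PEAP, EAP-TLS-Require-Client-Cert := Yes
         Fall-Through = Yes
```

Check the effect with `radiusd -X`: with the requirement active, a supplicant that presents no certificate should fail during the outer TLS handshake rather than after the inner MSCHAPv2 round.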