> I want to deny any untrusted computer access to our LAN. Lately we've had
> a lot of students and staff bring laptops into our school and plug them
> in to any convenient network port. I want only users with domain credentials
> using trusted computers on the LAN.
>
> My test setup looks like Active Directory <=> winbind <=> Freeradius <=> NAS
> <=> Supplicant
>
> I think that using PEAP/EAP-MSCHAPv2 with client certs may be a reasonable
> way to proceed but I would like to get a sanity check from folks.
>
> 1) Would PEAP/EAP-MSCHAPv2 with client certs accomplish my goal?

No. Because your problem has nothing to do with authentication (methods).
Your problem is with authorization.

> 2) Is there a better approach?

That depends on your hardware. If your switches support port based
authentication and dynamic VLAN assignment via radius you can make this work.

> 4) Eventually I'll want to extend this approach to wireless devices so that
> trusted computers will get LAN services while untrusted computers with valid
> user credentials will be handed off to a different VLAN.

Same principle applies. But authenticating devices is not very wise. It's far
better to authenticate users. And it is far better to have equipment that
places unauthenticated users in a guest VLAN, than to break authentication and
make radius accept users that fail authentication.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
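As an added illustration of the dynamic VLAN assignment described in the reply (not a config from the original thread), the following FreeRADIUS `users` file fragment returns the standard IETF tunnel attributes that an 802.1X-capable switch uses to place the port in a VLAN. It assumes an `ldap` module is configured against the Active Directory domain and listed in `authorize` so that `Ldap-Group` can be checked; the group name and VLAN ids are placeholders.

```conf
# Added example, not from the original thread. Assumes the ldap module is
# configured against Active Directory and run in "authorize", so that the
# Ldap-Group check item resolves. Group name and VLAN ids are placeholders.

# Users who are members of the trusted group are placed on the LAN VLAN.
# The entry has no Fall-Through, so processing stops here on a match.
DEFAULT Ldap-Group == "Trusted-Laptop-Users"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

# Any other user who authenticates with valid domain credentials is placed
# on the guest VLAN instead. Users who fail authentication still receive an
# Access-Reject; the switch's own guest/auth-fail VLAN handles those ports,
# rather than RADIUS accepting a failed login.
DEFAULT
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"
```

The switch must be configured to honour these attributes (often called "dynamic VLAN" or "RADIUS-assigned VLAN" in vendor documentation) and to have a guest VLAN for ports whose supplicant fails or does not respond.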