> > > > > 1) Would PEAP/EAP-MSCHAPv2 with client certs accomplish my goal?
>
> No. Because your problem has nothing to do with authentication (methods).
> Your problem is with authorization.

Thanks for your reply. I am not sure I understand your distinction, sorry for my ignorance. I want my users to have to supply both a valid domain user/password combo AND I want their computers to prove that they are allowed on the LAN. My understanding of the PEAP/EAP-MSCHAPv2 + cert approach was that my users (and their computers) would need both sorts of credentials in order to use the LAN.

> > > > 2) Is there a better approach?
>
> That depends on your hardware. If your switches support port based
> authentication and dynamic VLAN assignment via radius you can make this
> work.

The switches are configured to use dot1x. Is that what you mean? I am not using dynamic VLANs. My intention is that users who successfully authenticate will be switched according to the VLAN rules in place on the port on the NAS.

> > > > 4) Eventually I'll want to extend this approach to wireless devices so
> > > > that trusted computers will get LAN services while untrusted computers
> > > > with valid user credentials will be handed off to a different VLAN.
>
> Same principle applies. But authenticating devices is not very wise. It's
> far better to authenticate users.

Does my explanation above make this moot?

> And it is far better to have equipment that places unauthenticated users
> in a guest VLAN, than to break authentication and make radius accept users
> that fail authentication.

Understood. Thanks again. I'll be interested to read your reply.

John
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
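For readers following the thread: the dynamic VLAN assignment Alan refers to is done by returning the RFC 2868 tunnel attributes in the Access-Accept, and the switch moves the port to that VLAN. Below is an added illustration in FreeRADIUS `users`-file syntax; it is not from the original posts or from John's configuration. The group name `trusted-machines`, the `Ldap-Group` check (which requires the ldap module to be configured) and the VLAN IDs 10 and 20 are assumptions chosen for the example.

```text
# Added example, not from the original thread. Assumes the ldap module is
# configured so that Ldap-Group is a usable check item, and that VLAN 10 is
# the trusted LAN and VLAN 20 the restricted VLAN. Entries are matched in
# order; the first DEFAULT that matches and has no Fall-Through wins.

# Authenticated user whose account is in the (hypothetical) trusted group:
# the switch is told to place the port in VLAN 10.
DEFAULT	Ldap-Group == "trusted-machines"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "10"

# Any other successfully authenticated user: valid credentials, but not a
# trusted device, so hand the port to VLAN 20 instead.
DEFAULT
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "20"

# Note: users who FAIL authentication still get an Access-Reject. Reply
# attributes in a reject are ignored by the NAS, so do not try to "accept"
# them; instead enable the switch's own guest/auth-fail VLAN feature, which
# is exactly the point made in the quoted reply.
```

The only attributes the switch needs are the three `Tunnel-*` items; `Tunnel-Type = VLAN` and `Tunnel-Medium-Type = IEEE-802` are the dictionary names FreeRADIUS ships for values 13 and 6. Check with `radtest` (or the switch's dot1x debug) that the Access-Accept actually carries the expected `Tunnel-Private-Group-Id`, because a switch that does not support dynamic VLANs will silently ignore them and leave the port in its statically configured VLAN, which is the behaviour John describes wanting today.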