> But what you can do is largely dependent
> on what NAS supports

Thanks for the explanation.

> >> I want my users to have to supply both a valid domain user/password combo
> >> AND I want their computers to prove that they are allowed on the lan. My
> >> understanding of the PEAP/EAP-MSCHAPv2 + cert approach was that my users
> >> (and their computers) would need both sorts of credentials in order to use
> >> the lan.
>
> Yes, but that would be machine, not client (user) certificate. So machine
> will be checked with certificate and user with username/pass. In two
> separate authentication sessions (when machine is switched on/ user logs
> off - machine authentication; when user logs in - user authentication).

Ok. So is a machine cert different than a client cert? Can I have a single
machine cert for all machines, or do I need to generate one for every machine?
If so, does that simply mean I edit the client.cnf with the FQDN of the machine
in question? With several hundred machines on the domain this sounds painful.

Would I then set my XP clients who are connecting by wire to use EAP type
"Smart Card or Other Certificate"? Or would they continue to use PEAP
MSCHAPV2? And would I continue to try and force the freeradius server to do
certificate checking via eap.conf?

I haven't found a good howto on this. It seems that most folks are concerned
about using freeradius with WPA supplicants. The process seems a bit different
for computers who must be valid as well.

> >>> > 2) Is there a better approach?
> >>>
> >>> That depends on your hardware. If your switches support port based
> >>> authentication and dynamic VLAN assignment via radius you can make this
> >>> work.

We're looking at using used HP 2650's but I'd be interested in knowing your
recommendation for high density switches for Lan environments with robust
dot1x support.

> And how are you going to stop students from plugging into the ports they
> feel like? You can paint them in different colours, do what you like -
> students will still plug into the "wrong" ones.

The NAS are located in server closets so the students would be plugging into
ports in classrooms. Since they wouldn't have a machine cert they'd get no
joy, right?

> Or better - how is admin going to get onto the admin VLAN from a port
> "allocated" to students? Use dynamic VLAN assignment.

I like the idea but currently don't have equipment that supports this AFAIK.
Again, what would you recommend in terms of hardware? As always, cost is an
issue :->

I appreciate your help!

john

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
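As an added illustration of the two-session model discussed in this thread (not code from the list, nor FreeRADIUS's own rlm_python API), here is a small Python policy that treats a `host/fqdn` identity as a machine session that must come in over EAP-TLS with a certificate CN matching that FQDN, treats a `DOMAIN\user` identity as a user session over PEAP/MSCHAPv2, and answers with the RFC 3580 tunnel attributes a dot1x switch uses for dynamic VLAN assignment. The identity formats, the request dictionary, the domain name, group names and VLAN numbers are assumptions constructed for the example.

```python
"""Constructed policy model: machine session by certificate, user session by
PEAP/MSCHAPv2, each placed on a VLAN via RFC 3580 Tunnel-* attributes.
Request dict keys, domain, groups and VLAN ids are assumptions for this example."""
import re

# EAP method numbers from the IANA EAP registry.
EAP_TLS, EAP_PEAP = 13, 25

# Constructed site policy: VLAN for each outcome (strings, as sent in the attribute).
VLAN_ADMIN, VLAN_MACHINE, VLAN_USER = "10", "20", "30"
ADMIN_GROUPS = {"LAN-Admins"}          # assumed directory group name
DOMAIN = "example.local"               # assumed AD DNS domain

# Windows machine auth identifies itself as host/<fqdn>; users as DOMAIN\user.
_MACHINE_ID = re.compile(r"^host/(?P<fqdn>[a-z0-9.-]+)$", re.I)
_USER_ID = re.compile(r"^(?:(?P<dom>[^\\]+)\\)?(?P<user>[^\\@/]+)(?:@[\w.-]+)?$")


def vlan_reply(vlan):
    """Attributes a port-based auth switch needs to move the port to `vlan`."""
    return {"Tunnel-Type": 13,            # VLAN
            "Tunnel-Medium-Type": 6,      # IEEE-802
            "Tunnel-Private-Group-Id": vlan}


def authorize(req):
    """Return (accept, reply_attrs) for one request.

    req keys (constructed): identity, eap_type, cert_cn (EAP-TLS only),
    password_ok and user_groups (PEAP only, as the inner auth would set them)."""
    identity = req.get("identity", "")
    m = _MACHINE_ID.match(identity)
    if m:
        # Machine session: certificate only. The FQDN the supplicant claims must
        # equal the CN of the cert it actually presented, and lie in our domain.
        fqdn = m.group("fqdn").lower()
        ok = (req.get("eap_type") == EAP_TLS
              and req.get("cert_cn", "").lower() == fqdn
              and fqdn.endswith("." + DOMAIN))
        return (True, vlan_reply(VLAN_MACHINE)) if ok else (False, {})
    u = _USER_ID.match(identity)
    if u and req.get("eap_type") == EAP_PEAP and req.get("password_ok"):
        # User session: password inside PEAP; group membership picks the VLAN.
        groups = set(req.get("user_groups", []))
        return True, vlan_reply(VLAN_ADMIN if groups & ADMIN_GROUPS else VLAN_USER)
    # Wrong identity form, wrong EAP method or bad credentials: Access-Reject.
    # The switch's own auth-fail/guest VLAN setting, if any, applies here.
    return False, {}
```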