> I want machine security for machines owned by the school district.
> That way only school machines can be on the LAN.
> Student machines won't get the cert installed on their machines so
> they won't be able to answer the challenge from the CA, right? Am I
> missing your argument?

Ah, that's how it's going to work. You probably don't need machine certificates. Students will just pinch them and install them on unauthorized machines. You will still have to check MAC addresses (Calling-Station-Id). So, drop machine authentication completely and match Calling-Station-Id on user authentication. You can tie a user to a single machine or even a group of machines with huntgroups/sqlhuntgroups. Doing more than that significantly increases the workload, for very little benefit.

> Is there some difference between a "machine cert" and a "client cert"

No. It's just whose details are on the certificate.

> ? If so is there some direction about how to manufacture and install
> them?

Same as the ones for users.

> I believe you. Assuming a collection of those switches wouldn't I also
> need a management server to manage dynamic VLAN assignment?

Sort of. FreeRADIUS would be that "management" server. VLAN IDs will be in user/group entries.

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
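The setup Ivan describes (match Calling-Station-Id during user authentication, use a huntgroup to restrict which switches a user may come in through, and hand the VLAN back from the user entry) written out as FreeRADIUS `huntgroups` and `users` file entries. This is an added example, not part of the original post or of the files shipped with FreeRADIUS; the usernames, passwords, NAS addresses, MAC addresses and VLAN IDs are made up, and the MAC formatting is an assumption about what a particular switch sends.

```text
# /etc/raddb/huntgroups  (constructed example; NAS addresses are made up)
# A huntgroup names a set of NASes; a users entry can then require it.
student-switches   NAS-IP-Address == 192.0.2.10
student-switches   NAS-IP-Address == 192.0.2.11
staff-switches     NAS-IP-Address == 192.0.2.20

# /etc/raddb/users  (constructed example; names, MACs, VLAN IDs are made up)
# Check items go on the first line of an entry, reply items on the
# indented lines below it. The first entry whose check items all match
# wins; if none matches, the DEFAULT at the bottom rejects.
#
# Calling-Station-Id is compared against the string the switch sends,
# so the hyphenated upper-case MAC form below is an assumption: run
# "radiusd -X" and copy the format your own NAS uses.

# One user bound to exactly one machine, only via staff switches, VLAN 20.
jsmith    Cleartext-Password := "changeme", Huntgroup-Name == "staff-switches", Calling-Station-Id == "00-11-22-33-44-55"
          Tunnel-Type = VLAN,
          Tunnel-Medium-Type = IEEE-802,
          Tunnel-Private-Group-Id = "20"

# One user allowed on a group of machines (a MAC prefix matched by regex),
# only via student switches, VLAN 30.
astudent  Cleartext-Password := "changeme", Huntgroup-Name == "student-switches", Calling-Station-Id =~ "^00-11-22-AA-"
          Tunnel-Type = VLAN,
          Tunnel-Medium-Type = IEEE-802,
          Tunnel-Private-Group-Id = "30"

# Valid credentials from a machine or switch not paired with that user
# fall through to here and are rejected.
DEFAULT   Auth-Type := Reject
          Reply-Message = "Unknown user or machine"
```

The Huntgroup-Name check item is supplied by the preprocess module from the `huntgroups` file, so keep `preprocess` before `files` in the authorize section. Note that this binds a login to a MAC address only; a MAC can be set by hand on an unmanaged machine, so this stops casual copying of credentials and certificates rather than being a cryptographic proof of which hardware is connecting.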