On 8/5/09 22:02, Ivan Kalik wrote:
I want machine security for machines owned by the school district.
That way only school machines can be on the Lan.
Student machines won't get the cert installed on their machines so
they won't be able to answer the challenge from the CA, right? Am I
missing your argument?

Ah, that's how it's going to work. You probably don't need machine
certificates. Students will just pinch them and install them on
unauthorized machines. You will still have to check mac addresses
(Calling-Station-Id).

Which students will pinch, and use to administratively override the MAC addresses of their laptop NICs? ;) Hell you can do it in ifconfig if your driver supports it (hw class address ether).

Surely file permissions on Windows Machines can't be *that* broken.

So, drop machine authentication completely and
match Calling-Station-Id on user authentication. You can tie a user to a
single machine or even a group of machines with huntgroups/sqlhuntgroups.
Doing more than that significantly increases the workload - for very
little benefit.

Is there some difference between a "machine cert" and a "client cert"

No. It's just whose details are on the certificate.

? If so is there some direction about how to manufacture and install
them?


Same as the ones for users.

I believe you. Assuming a collection of those switches, wouldn't I also
need a management server to manage dynamic vlan assignment?

Sort of. Freeradius would be that "management" server. VLAN IDs will be in
user/group entries.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
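The "tie a user to a group of machines with huntgroups and put the VLAN ID in the user entry" setup that Ivan describes, written out as an added example (not from the thread, not FreeRADIUS's shipped configuration): FreeRADIUS 2.x `huntgroups` and `users` file entries. The user name `jsmith`, the two MAC addresses, the huntgroup name `lab-a` and VLAN 20 are all constructed values.

```text
# --- raddb/huntgroups (read by the preprocess module) ---
# Constructed MACs of two district-owned laptops. The exact text of
# Calling-Station-Id (dashes, colons, dots, upper/lower case) is set by
# the switch, so copy it from a real request seen in "radiusd -X".
lab-a   Calling-Station-Id == "00-11-22-33-44-55"
lab-a   Calling-Station-Id == "00-11-22-33-44-66"

# --- raddb/users ---
# jsmith may only authenticate from a "lab-a" machine; on success the
# switch is told to put the port in VLAN 20 (RFC 3580 tunnel attributes).
# The password itself still comes from wherever it lives today (AD via
# ntlm_auth, LDAP, or a Cleartext-Password check item added here).
jsmith  Huntgroup-Name == "lab-a"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"

# The first entry did not match (some other MAC), so this entry is
# reached next and rejects the same credential explicitly.
jsmith  Auth-Type := Reject
        Reply-Message = "Not an authorised district machine"
```

With PEAP or TTLS the `users` file runs in the inner-tunnel virtual server, so set `copy_request_to_tunnel = yes` and `use_tunneled_reply = yes` in `eap.conf` so that Calling-Station-Id is visible there and the VLAN attributes make it back to the switch. As Arran points out above, this confines a credential to a MAC address but does not by itself tell a district laptop from a student laptop that reports the same one.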