> That depends on capabilities of your equipment. This is how Cisco implements it:
>
> www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
>
> Other vendors have more or less the same. It is enabled on some models and
> not on others.

Thanks for this.

>> So this policy would check the huntgroup that the NAS was a member of
>> and then go on to check if the user was part of the proper
>> Ldap-Group and assuming that both were true then access would be
>> granted. I am still not clear how some hunt groups will always
>> require a host cert and others never will. Is this set in the hunt
>> group?
>
> No, on the equipment. Your setup is such that you have to enforce
> (enable/disable) it on hardware. If you would require certificates for
> access to all hardware you could enforce it with AD Group Policy. Like
> this, students don't need machine certificates for wireless access. So, you
> should enable mac auth bypass on your student APs. Most APs should have
> such a feature. You should make students register the mac address of their
> wireless equipment if they want to connect.

Hmm. I don't think I like this approach for a couple of reasons, perhaps you can let me know if I am thinking about this incorrectly. We already use mac address as an auth scheme and I want to move away from this because of the ease of mac spoofing in a wireless environment. That's why I hoped to move to username/password authentication with WPA2 that was centrally managed via freeradius <=> Active Directory. I currently have a fairly central way to manage access by mac, but I would have to give that up if I had to maintain a mac address table on each NAS. I guess I could add a list of allowed mac addresses in the freeradius/users file and maintain it from there?

Just so I understand you clearly, we can't have 1 class of users who must use host certs via NAS A and another class of users who never have to use certs via NAS B on the same freeradius server? If that is the case I think I might want to set up a second instance of FreeRADIUS and point the NAS that don't require host certs at that one. I could simply mint another virtual freeradius instance in freeradius/sites-enabled, couldn't I?

If I have this all muddled up, I hope you'll straighten me out. Thanks for all of your help.

John

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
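The two-step check John describes (NAS huntgroup first, then Ldap-Group), the centrally kept MAC list he wonders about, and the separate virtual server he proposes, written out as a FreeRADIUS configuration sketch. This is an added illustration, not configuration from the thread or from the FreeRADIUS project; it assumes FreeRADIUS 2.x syntax, placeholder NAS addresses, secrets and MAC values, and an rlm_ldap instance named `ldap` already configured so that `Ldap-Group` compares work.

```text
# --- raddb/huntgroups (placeholder addresses) ---
# Map each NAS to a class; the preprocess module sets Huntgroup-Name from this file.
cert_aps      NAS-IP-Address == 192.0.2.10   # APs where the AP itself enforces machine certs
student_aps   NAS-IP-Address == 192.0.2.20   # student APs with MAC auth bypass enabled on the AP

# --- raddb/users ---
# Staff: request must come from a cert_aps NAS AND the user must be in the staff LDAP group.
DEFAULT  Huntgroup-Name == "cert_aps", Ldap-Group == "staff"

# Students: request must come from a student_aps NAS AND the user must be in the students group.
DEFAULT  Huntgroup-Name == "student_aps", Ldap-Group == "students"

# Devices registered for MAC auth bypass (the NAS sends username = password = MAC; the
# exact MAC format depends on the vendor). Kept centrally here instead of in per-NAS tables,
# and only accepted from the student APs because of the Huntgroup-Name check.
001122334455  Cleartext-Password := "001122334455", Huntgroup-Name == "student_aps"

# Everything else is refused.
DEFAULT  Auth-Type := Reject
         Reply-Message = "Not permitted from this access point"

# --- raddb/clients.conf ---
# Alternative to running a second freeradius process: hand the no-cert NAS to its own
# virtual server inside the same daemon.
client student_ap {
        ipaddr         = 192.0.2.20
        secret         = CHANGE_ME
        virtual_server = student-wifi
}

# --- raddb/sites-enabled/student-wifi ---
server student-wifi {
        authorize {
                preprocess      # sets Huntgroup-Name
                eap
                files           # the users entries above
                ldap
                pap
        }
        authenticate {
                Auth-Type PAP {
                        pap     # MAB devices
                }
                eap             # PEAP/MSCHAPv2 for username/password users
        }
}
```

For PEAP the outer request only carries the (possibly anonymous) outer identity, so the Ldap-Group entries belong in the inner-tunnel virtual server where the real User-Name is visible.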