> So are the following correct?: > > (1) I can create a single cert for a computer and distribute it to all > users who may use that computer
You can give same user certificate to any user using the computer - you can place it on the desktop with installatioon instructions. But don't you hear a voice in your head: "what is the point of these certificates?". > (2) I can create a cert for every user and distribute it to every > computer that a user logs into. Yes. In normal circumstances such user will have his certificate on the smart card and computers will be equiped with reders. So, user certificate is with the (mobile) user, not any possible computer he might use. > (3) I cannot create a generic "computer cert" that authenticates the > computer and opens the port? Yes, you can. But as soon as some user logs onto that computer ... Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html