>> (3) I cannot create a generic "computer cert" that authenticates the
>> computer and opens the port?
>
> Yes, you can. But as soon as some user logs onto that computer ...
>
> Ivan Kalik
> Kalik Informatika ISP

Thanks for the reply, Ivan.

I am fine with folks logging in and having access from computers that have already been authenticated via a computer certificate. If my users make it that far, they have domain credentials and are supposed to be there.

What I am trying to prevent is users bringing their laptops from home and plugging them into a spare port (or removing the cable from the back of a school computer) in one of our computer labs.

I am pretty sure I can put a cert into the computer that will authenticate the computer *before* a user even logs in. Once they provide their domain credentials, they should have access to all the services we provide in the lab.

I am having a hard time figuring out how to make this work. Where/how does the cert get imported? Do I need to make a registry change in KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global to make this work?

I hope this is the part someone on the list will have done before and be able to guide me or point me at a howto.

Thanks!

John

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html