Hello, I'm new to using RADIUS servers and I have a few questions on best practices and design.

We primarily use Windows 7 on the machines that will authenticate, and they are all connected to Cisco switches and access points. If I understand things correctly I have the option of authenticating based on users, certificates, or users and certificates. In our environment I don't see the need to add users into the mix, as almost all of the machines are shared machines where multiple users will authenticate on the same machines. We also push applications to the machines when users are not logged into them, so we need the computer to authenticate on its own when it boots up.

From what I understand I need to create myself a certificate and install that certificate into the FreeRADIUS server and into each of my client computers. Then I need to configure my switches to use the FreeRADIUS server to allow the traffic through when the client computer wants to authenticate to the network. As far as the switches go I don't have any questions; it's fairly straightforward.

My questions are as follows:

1. Which EAP type should I use if I only want the computers to authenticate using certificates? EAP-TLS?
2. I am guessing I should be using WPA2/Enterprise on the clients for the 802.1X authentication on the Windows 7 clients? And set it to use computer authentication only?
3. Do I need a signed third-party certificate or can I use a self-signed one?
4. Could a user not just export the certificate from the computer and import it into their own computer, configure their network settings and get on the network? Or is there a mechanism to keep people from doing this? Perhaps a password encrypted in the certificate?
5. Is there anything else I am missing?

Thanks, Dan.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
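The certificate-only setup described in the post (a private CA whose certificate is installed on the server and on every client, with the server accepting only EAP-TLS) maps onto a short FreeRADIUS eap module fragment. The fragment below is an added example written for this page, not Dan's configuration and not the FreeRADIUS project's shipped file; it assumes FreeRADIUS 3.0.x syntax, and the file names under ${certdir} and ${cadir} are placeholders.

```text
# Added example (not from the original post or the FreeRADIUS project):
# a minimal mods-available/eap fragment that accepts only EAP-TLS.
# FreeRADIUS 3.0.x syntax is assumed; file names are placeholders and
# ${certdir} / ${cadir} are the variables the stock configuration defines.
eap {
    # Offer EAP-TLS and nothing else, so a supplicant cannot negotiate
    # a password-based method (PEAP/MSCHAPv2, TTLS) instead.
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = no
    max_sessions = ${max_requests}

    tls-config tls-common {
        # The RADIUS server's own certificate and private key, issued by
        # the private CA. Windows clients validate this before sending
        # their machine certificate, which is why "validate server
        # certificate" should stay enabled on the client profile.
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem

        # The CA certificate that every client (machine) certificate must
        # chain to. Only this CA *certificate* is distributed to clients;
        # the CA's private key stays on the CA host.
        ca_file = ${cadir}/ca.pem
        ca_path = ${cadir}

        # Reject certificates that appear on the CA's CRL. With one
        # certificate per machine, a certificate that leaks from one host
        # can be revoked without re-issuing the others.
        check_crl = yes

        dh_file = ${certdir}/dh
        cipher_list = "DEFAULT"
        tls_min_version = "1.2"
        tls_max_version = "1.2"
    }

    tls {
        tls = tls-common
    }
}
```

Two practical notes on the fragment: with check_crl set, the CRL must sit in ca_path in OpenSSL's hashed-filename form (c_rehash or the equivalent), or every authentication fails once the CA publishes a CRL; and the CA in this design can be self-signed, since only the clients and the server need to trust it, whereas a public third-party CA would trust every certificate that CA has issued, not just yours. The export question in the post is a client-side matter rather than a server one: issuing one certificate per machine and enrolling it with a non-exportable private key in the Windows computer store limits what a user can copy, and the CRL check above is what lets the server stop honouring a certificate that does leave its machine.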
We primarily use windows 7 on the machines that will authenticate, and they are all connected to cisco switches and access points. If I understand things correctly I have the option of authenticating based on users, certificates or users and certificates. In our environment I don't see the need to add users into the mix as almost all of the machines are shared machines where multiple users will authenticate on the same machines. We also push applications to the machines when users are not logged into them so we need the computer to authenticate on its own when it boots up. >From what I understand I need to create myself a certificate and install that certificate into the freeradius server and into each of my client computers. Then I need to configure my switches to connect use the freeradius server to allow the traffic through when the client computer wants to authenticate to the network. As far as the switches goes I don't have any questions, its fairly straight forward. My questions are as follows: Which EAP type should I use if I only want the computers to authenticate using certificates? EAP-TLS? I am guessing I should be using WPA2/Enterprise on the clients for the 802.1x authentication on the Windows 7 clients? And set it to use computer authentication only? Do I need a signed third party certificate or can I use a self signed one? Could a user not just export the certificate from the computer and import it into there own computer, configure there network settings and get on the network? Or is there a mechanism to keep people from doing this? Perhaps a password encrypted in the certificate? Is there anything else I am missing? Thanks, Dan. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html