On 11 October 2012 14:48, Phil Mayers <p.may...@imperial.ac.uk> wrote:
> On 11/10/12 12:55, Bryce Mackintosh wrote:
>
>> Okay, ignoring how I currently have things setup, how would other people
>> go about controlling the users and devices on a wifi network by means of
>> 802.1x, freeradius using AD for authentication and Win XP Pro SP3
>>
>
> We don't bother. It's not obvious why "controlling the devices" is useful.
>

IT policy here requires that there's no unapproved/unsupported devices on our network. With the current test PEAP-TLS configuration anyone could use their AD account to connect any device to the wifi network, rather than just the laptops they've been issued.

>> clients. I'd have thought that this was a fairly common requirement in
>> the enterprise world, so I'm surprised there's not an obvious solution,
>> or am I missing something? At the moment it looks like we'll have to
>> abandon 802.1x and go back to WPA2-PSK.
>>
>
> Eh? How does *that* help?

It's what we have currently in production, and only IT know the key, so we can at the moment control what gets on our wifi network - at least at my site

> If you really want to do this, then:
>
> 1. Use machine auth for 802.1x
> 2. Use policies *on* the machines to control the users
>

Management currently (they didn't initially) consider machine auth more important than user auth for access to the new wifi network. As I can only have one or the other via 802.1x, I'll focus on getting the machine auth working and go from there.

--
Bryce
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html