On Fri, Dec 07, 2012 at 12:39:13PM -0600, Dan Letkeman wrote:
> Sorry, I was not clear with my setup information. We do not have a domain,
> these are stand alone Windows 7 devices. We also have some tablets and
> some Linux boxes. Concern right now is the Windows 7 devices. I didn't
> know that you cannot do machine authentication without a domain....

You can, but you'll need to handle the certificates on the hosts manually. That's usually such a pain that the only real solution is to use AD. If you've got a small number of devices, or can write some other automated method of deploying certs, then it can be possible to handle.

What you /can't/ do is both User auth (mschap - username + password) *and* Computer auth (certificates - EAP-TLS) in the same connection, as the default Windows supplicant, like most, doesn't support client certificates with PEAP (and user auth - mschap - needs to be inside PEAP).

> User authentication in my environment is just not an option because all of
> the devices need to have a connection to the network at all times even if
> nobody is logged in. Should I be using PEAP/EAP-TLS instead?

There are no good reasons for doing PEAP/EAP-TLS unless you want to use SoH. PEAP adds overhead to the auth, with no added benefit.

> If so do you know of any good setup documentation for that?

I wrote up how to do PEAP/EAP-TLS a while back - you can find it here:

http://q.asd.me.uk/pet

That said - your connection is trying to do PEAP, so you've configured your client for either 'certificates' or mschap inside PEAP. I forget the exact options in the interface, but you need to choose 'certificates' rather than 'PEAP', then select the client certificate that you want to auth with - which will be one that is signed by the same CA that the CA_file option in your FreeRADIUS eap.conf file points to. Make sure it's set to 'Computer' auth, not 'User' or 'User + Computer'.

In theory, you'll then find that it Just Works. But the Windows config interface takes a bit of head scratching to get around until you understand what it's doing under the hood.

Cheers

Matthew

-- 
Matthew Newton, Ph.D. <m...@le.ac.uk>

Systems Architect (UNIX and Networks), Network Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
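The one check that settles most "EAP-TLS doesn't Just Work" cases is the one Matthew points at: does the client certificate chain to the CA that `CA_file` in eap.conf names? The script below is an added example, not part of Matthew's reply or of FreeRADIUS itself. It builds a throwaway CA and two machine certificates with openssl (all names such as `radius-ca`, `other-ca` and `machine-a` are constructed here), then verifies each certificate against the CA file the way the server's TLS handshake will, so the mismatch is found before anyone fights the Windows supplicant dialogs. It assumes only that `openssl` is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread or FreeRADIUS): confirm that a client
# certificate is issued by the CA that eap.conf's CA_file points to.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA: $1 is a constructed name, files land in $WORK.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "/CN=$1" >/dev/null 2>&1
}

# Issue a machine certificate: $1 = issuing CA name, $2 = machine name.
issue_machine_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
    -out "$WORK/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 1 -sha256 \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# The actual check. $1 is the CA bundle (what CA_file in the tls section of
# eap.conf names), $2 is the client certificate deployed to the host.
# Returns 0 when the certificate chains to that CA, non-zero otherwise.
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed scenario: the RADIUS CA, an unrelated CA, and one machine
# certificate from each. Only the first should be accepted.
make_ca radius-ca
make_ca other-ca
issue_machine_cert radius-ca machine-a
issue_machine_cert other-ca  machine-b

for m in machine-a machine-b; do
  if cert_chains_to_ca "$WORK/radius-ca.pem" "$WORK/$m.pem"; then
    echo "$m: chains to CA_file -> EAP-TLS will accept it"
  else
    echo "$m: does NOT chain to CA_file -> EAP-TLS will reject it"
  fi
done
```

Run it against real files by replacing the constructed names with the path from `CA_file` and the certificate exported from the host's computer store; a non-zero exit from `openssl verify` means the supplicant is presenting a certificate the server will never trust, whatever the Windows dialogs say.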