> 1: Can freeradius do a "certificate" authentication? (ie: we give each
> user a certificate that the machine gives for auth)

If your access point supports 802.1x then yes, you can use this method with FreeRADIUS. The client machines must have an 802.1x client (supplicant). Use EAP-TLS on FreeRADIUS.

> 2: Can I use all three (ie: I give server cert, it asks for user/pass
> and verifies against cert, then checks MAC addy. All must match in
> order to auth.)

Depending on the Access Point you might be able to check the MAC-Addy: add it as a check-item if your AP sends the client MAC (usually the calling-station-id attribute). Not sure if you can mix username/pass and certificates, but that's getting real paranoid!!

> I know it seems like a bit much but these are public networks and
> would like to keep unauthed use to min. Thanks for any input.

If it's a public network, then certificate-management and MAC address management might be an issue that you may want to consider: each time your user uses a different card or computer, you need to re-configure his MAC address. You also need secure ways of providing certificates to the user, revoking certificates etc. MAC spoofing is trivial on most systems so you may want to stick with username/pass or EAP-TLS (secure, but needs 802.1x support in the AP, and a little work on the client machine to install the certificate).

-Puneet
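The MAC check-item described in the reply above, sketched as an added example (not code from the post or from FreeRADIUS): it compares the Calling-Station-Id attribute against the MACs registered for the user and fails closed when the AP does not send it. The registry, function names and sample addresses are constructed for illustration, and because access points format the attribute differently the value is normalized before comparison.

```python
import re

# Constructed sample registry: user name -> MAC addresses registered to that user.
REGISTERED = {
    "alice": {"00:11:22:AA:BB:CC"},
    "bob": {"00-11-22-dd-ee-ff", "0011.2200.0001"},
}


def normalize_mac(value):
    """Return the MAC as lower-case colon-separated hex, or None if malformed."""
    if value is None:
        return None
    # Strip the separators commonly seen in Calling-Station-Id values.
    digits = re.sub(r"[-:.\s]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_check(attrs, registry=REGISTERED):
    """Check the request's Calling-Station-Id against the user's registered MACs.

    attrs is a dict of RADIUS attribute name -> string value (hypothetical
    representation of an Access-Request). Returns (allowed, reason).
    The check only narrows access: a MAC is easy to spoof, so it must sit
    on top of real authentication such as EAP-TLS, never replace it.
    """
    user = attrs.get("User-Name")
    allowed = {normalize_mac(m) for m in registry.get(user, ())}
    allowed.discard(None)
    if not allowed:
        return False, "no MAC registered for user"
    mac = normalize_mac(attrs.get("Calling-Station-Id"))
    if mac is None:
        # AP did not send the attribute, or sent something unparseable.
        return False, "Calling-Station-Id missing or malformed"
    if mac not in allowed:
        return False, "MAC not registered for user"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests showing three attribute formats and a missing value.
    for req in (
        {"User-Name": "alice", "Calling-Station-Id": "00-11-22-AA-BB-CC"},
        {"User-Name": "bob", "Calling-Station-Id": "0011.22dd.eeff"},
        {"User-Name": "bob", "Calling-Station-Id": "00:11:22:aa:bb:cc"},
        {"User-Name": "alice"},
    ):
        print(req, "->", mac_check(req))
```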
