On Fri, May 8, 2009 at 2:27 PM, Arran Cudbard-Bell <[email protected]> wrote:
> On 8/5/09 22:02, Ivan Kalik wrote:
>>>
>>> I want machine security for machines owned by the school district.
>>> That way only school machines can be on the LAN.
>>> Student machines won't get the cert installed on their machines so
>>> they won't be able to answer the challenge from the CA, right? Am I
>>> missing your argument?
>>
>> Ah, that's how it's going to work. You probably don't need machine
>> certificates. Students will just pinch them and install them on
>> unauthorized machines. You will still have to check mac addresses
>> (Calling-Station-Id).

If that's the case, what's the purpose of machine certs? Are they really that easy to steal from an XP/SP3 box joined to AD? Our end users are pretty constrained by GPO (no command line etc.)

>> So, drop machine authentication completely and
>> match Calling-Station-Id on user authentication. You can tie a user to a
>> single machine or even a group of machines with huntgroups/sqlhuntgroups.
>> Doing more than that significantly increases the workload - for very
>> little benefit.

I am willing to do that if the consensus is that is the current best practice. I was working under the assumption that the way folks using freeradius typically secured their LANs was via a combination of dot1x, freeradius, and certs on the users' hosts.

So I guess my question now is more fundamental. What's the proper approach to take to secure wired clients using freeradius and dot1x? Perhaps I should start a new topic?

John

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
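The "match Calling-Station-Id on user authentication" approach suggested in the quoted reply, written out as an added example for readers of the archive; this is not configuration from the thread or from the FreeRADIUS project itself. It assumes FreeRADIUS 2.x file syntax, that `preprocess` is listed in the `authorize` section of the virtual server where the `users` file is evaluated, and, for PEAP, that `copy_request_to_tunnel = yes` is set in `eap.conf` so that `Calling-Station-Id` reaches the inner-tunnel request. All MAC addresses, user names and group names are constructed samples; the exact `Calling-Station-Id` format (`00-11-22-33-44-55`, `0011.2233.4455`, ...) depends on the switch vendor, so match whatever your switch actually sends (check with `radiusd -X`).

```text
# --- raddb/huntgroups -------------------------------------------------------
# Read by the preprocess module. Format:  <group>  <Attribute> <op> <value>
# The first matching line sets Huntgroup-Name on the request.
# (constructed sample MACs of district-owned machines)
district-pcs    Calling-Station-Id == "00-11-22-33-44-55"
district-pcs    Calling-Station-Id == "00-11-22-33-44-56"
lab-b           Calling-Station-Id == "00-11-22-33-44-57"

# --- raddb/users -------------------------------------------------------------
# Entries are tried top to bottom; the first match stops processing unless
# the entry sets Fall-Through = Yes.

# Pin one user to one machine (constructed sample user "jsmith"):
# first entry matches only from the pinned MAC and lets normal
# authentication (EAP/MSCHAPv2 against AD, etc.) continue.
jsmith          Calling-Station-Id == "00-11-22-33-44-55"

# Same user from any other MAC: reject before any password check.
jsmith          Auth-Type := Reject
                Reply-Message = "This account is pinned to another machine"

# Any other user coming from a registered district machine: continue.
# A matched DEFAULT entry without Fall-Through ends users-file processing,
# so the final reject below is never reached for these.
DEFAULT         Huntgroup-Name == "district-pcs"
DEFAULT         Huntgroup-Name == "lab-b"

# Everything else (MAC not listed in huntgroups) is rejected, even with
# valid user credentials.
DEFAULT         Auth-Type := Reject
                Reply-Message = "Machine not registered with the district"
```

The `Huntgroup-Name == ...` check is deliberately positive rather than `!=`: a `!=` check item only matches when the attribute is actually present in the request, so it would not catch an unregistered machine for which `preprocess` set no `Huntgroup-Name` at all. The caveat from the thread still applies: a MAC address is trivially copied, so this only raises the bar for a student plugging in a personal machine; it is a complement to, not a replacement for, port security and good logging on the switch side.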

