Hi John, thanks for taking the time to reply.

> Ask the question "Who are you authenticating?" or "What has permission to
> use the network?" Am I trying to restrict access to a specific set of users
> or am I trying to restrict access to a specific set of machines? If it's the
> latter does that mean anyone who sits down at that machine has access?

In this instance I am trying to the network so that only computers which carry a credential are allowed to have port access. My users' credentials are managed via Active Directory and I am trying to avoid issuing user certs if possible. More specifically we have a number of computer labs where users are in the habit of bringing in computers from home and plugging in; I'd like to prevent this. So what I am hoping to find out is that I can create a cert with the FQDN of the computer, install it on the computer itself, and have the computer negotiate via the NAS with free-radius for access. I hope this process is completely transparent to the user.

> In a very very simplified view a certificate is nothing more than a
> password. Would you give the same password to every user? Would you put that
> password on every machine?

Sort of. I guess I see it as a sort of 2 factor auth scheme. The computer has a credential which is processed by free-radius and the user has a separate credential which is processed by Active Directory.

> 2) The per user certificate is stored in a central location where only the
> user can access it. Usually this requires OS support and another layer of
> authentication.

I am pretty sure that Windows XP can use a Computer Cert for dot1X auth via EAP. I've seen references to it. I've even found a mention of a registry hack that forces the computer to use machine auth for dot1X in lieu of user certs, but I am not sure how to correctly implement it when using free-radius; everything's written for IAS.

> If you want to do machine authentication then per machine certificates must
> be generated and distributed (which is where your question began). There is
> no easy secure way to do this for a large number of devices in the absence
> of sophisticated certificate management software, this is why certificate
> management software is a growth industry.

I am willing to do it by hand if the process seems reasonably straightforward. I've got about 200 machines and 1600 users, and many users use multiple machines. You can see why I'd rather tackle the machines. :->

> I'm not a Windows guy, but my understanding is that Microsoft offers
> (expensive) solutions. In the Linux world you might consider DogTag
> (http://pki.fedoraproject.org/wiki/PKI_Main_Page), this is the same
> certificate management system used by the DoD (Dept of Defense) and other
> high profile organizations which Red Hat has generously made available as
> open source after its acquisition from Netscape.

Thanks for this resource.

> Note that DogTag supports Auto-Enrollment Proxy (AEP) for Windows, which
> allows users and computers in a Microsoft Windows domain to automatically
> enroll for certificates issued from Certificate System.
>
> Of course if you don't want to deal with the complexity of certificate based
> authentication you could just use passwords. Passwords are much less secure,
> but much simpler.

Yes, but then we're back to the problem of a user just providing domain credentials to gain port access. I can imagine a student downloading secure-w2 or similar and providing domain credentials to get access for their laptop.

Thanks again John. I appreciate your insights.

John

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
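As an added example (not part of the thread above), here is the kind of authorization policy a RADIUS deployment would apply to get the "machine certificate only" behaviour the poster wants: the EAP identity a domain-joined Windows machine presents is assumed to be "host/<fqdn>", the client certificate subject is assumed to arrive as an OpenSSL-style DN string, and the lab domain "example.edu" is a constructed placeholder.

```python
"""Machine-only EAP-TLS policy check (added example, not from the thread).

Assumptions: machine authentication sends the EAP identity as
"host/<fqdn>"; the RADIUS server exposes the client certificate
subject as a DN string like "/C=US/O=Lab/CN=lab-pc01.example.edu".
"""

ALLOWED_DOMAIN = "example.edu"  # constructed lab domain (placeholder)


def parse_dn(dn: str) -> dict:
    """Parse "/C=US/O=Lab/CN=host" into {"C": "US", "O": "Lab", "CN": "host"}."""
    parts = {}
    for rdn in dn.strip("/").split("/"):
        if "=" not in rdn:
            continue  # ignore malformed components rather than crash
        key, _, value = rdn.partition("=")
        parts[key.strip().upper()] = value.strip()
    return parts


def machine_fqdn_from_identity(identity: str):
    """Return the FQDN from a "host/<fqdn>" identity, or None for a user identity."""
    prefix = "host/"
    if not identity.lower().startswith(prefix):
        return None
    fqdn = identity[len(prefix):].strip().lower()
    return fqdn or None


def authorize(identity: str, cert_subject: str) -> tuple:
    """Decide (accept, reason) for one EAP-TLS attempt."""
    fqdn = machine_fqdn_from_identity(identity)
    if fqdn is None:
        return False, "not a machine identity; domain user credentials alone are refused"
    if fqdn == ALLOWED_DOMAIN or not fqdn.endswith("." + ALLOWED_DOMAIN):
        return False, "host is outside the lab domain (e.g. a home laptop)"
    cn = parse_dn(cert_subject).get("CN", "").lower()
    if cn != fqdn:
        return False, "certificate CN does not match the presented identity"
    return True, "machine certificate matches " + fqdn


if __name__ == "__main__":
    # constructed sample attempts: lab PC, plain user, home laptop, CN mismatch
    for ident, subj in [
        ("host/lab-pc01.example.edu", "/C=US/O=Lab/CN=lab-pc01.example.edu"),
        ("jdoe", "/C=US/O=Lab/CN=jdoe"),
        ("host/laptop.home.lan", "/C=US/O=Lab/CN=laptop.home.lan"),
        ("host/lab-pc02.example.edu", "/C=US/O=Lab/CN=lab-pc01.example.edu"),
    ]:
        print(ident, "->", authorize(ident, subj))
```

Only the first of the four constructed attempts is accepted; the user-style identity is refused even with a valid certificate, which is the separation between the computer credential and the Active Directory user credential the poster describes.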

