Thank you for the quick reply. Would you recommend doing anything differently? Perhaps a different EAP type?
If I wanted redundancy, should I just set up a secondary radius server with the same settings and add it to the list of servers that are available?

Thanks,
Dan.

On Thu, Feb 2, 2012 at 1:16 AM, Alan DeKok <al...@deployingradius.com> wrote:
> Dan Letkeman wrote:
>> From what I understand I need to create myself a certificate and
>> install that certificate into the freeradius server and into each of
>> my client computers.
>
> Yes.
>
>> Then I need to configure my switches to connect
>> use the freeradius server to allow the traffic through when the client
>> computer wants to authenticate to the network.
>
> No... you need to configure the switches to use 802.1X authentication.
> They will then automatically allow traffic for authenticated devices.
>
>> My questions are as follows:
>>
>> Which EAP type should I use if I only want the computers to
>> authenticate using certificates? EAP-TLS?
>
> That will work.
>
>> I am guessing I should be using WPA2/Enterprise on the clients for the
>> 802.1x authentication on the Windows 7 clients? And set it to use
>> computer authentication only?
>
> That will work.
>
>> Do I need a signed third party certificate or can I use a self signed one?
>
> You can use a self-signed certificate. See the Wiki for an EAP-TLS
> "howto".
>
>> Could a user not just export the certificate from the computer and
>> import it into their own computer, configure their network settings
>> and get on the network? Or is there a mechanism to keep people from
>> doing this? Perhaps a password encrypted in the certificate?
>
> There is nothing to prevent the user from exporting the certificate.
>
>> Is there anything else I am missing?
>
> No.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html