The private key is stored on the smart card in a way that it cannot be read. The computer sends data to the smart card, the smart card performs the cryptographic operation with the stored private key and sends the result back to the computer. So the private key is never transported outside the smart card.

You can connect a smart card to each computer. There are USB smart card readers. To avoid smart card theft you can connect the reader to the motherboard's internal USB header and mount the smart card reader inside the computer case. You also need to protect each computer case with an electromechanical (solenoid) lock.

There are motherboards with an integrated cryptographic processor (the so-called trusted platform module). I think a TPM should provide features similar to a smart card, but I don't have one and I'm not sure.
-- Iliya Peregoudov

Dan Letkeman wrote:
> Ok, so there are two problems with these scenarios in our environment. We do not run AD, we run eDirectory, and the computers are not assigned to the users; they are all shared computer labs. This is why having separate certs for each machine is impossible, as we would have to go around and install each cert manually on each machine. I think I am stuck with using, at best, the same cert for each computer lab. I think that would make more sense.
>
> Dan.
>
> On Fri, Feb 3, 2012 at 7:33 AM, Alan Buxey <a.l.m.bu...@lboro.ac.uk> wrote:
>> Hi,
>>
>> Personally we (plan to) use PEAP/MS-CHAP, and check the machine account against AD using ntlm_auth. This is what we do for machine authentication (wired/wireless).
>>
>> alan
>>
>> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html