Thanks for responding.
The forum is great, but sometimes its useful just to have someone else to call and bounce ideas off. Be useful to build a community of like minded people just to chat some times - so open for a call anytime.
So, I could be wrong here, and perfectly happy to be wrong as simply just want to get the right answers, feel free to shoot me down :)
I am also completley splitting hairs here, and get what you are saying and know that would indeed work, but you can still get my laptop on that network because its not machine AND user auth.
The first step if configured properly would do machine NTLM based authentication, perfect, only a corporate machine will get on. When logging in as a user though you are still just doing user authentication and then simply doing hostname (lookup) authorisation based on the rule you’ve created.
So, an example might be an emplyee who has a corporate machine and also thereby has a AD account. They decide to bring in their laptop and connect it to the corporate network. They simply change the hostame of the laptop to match their current machine. When they connect it will fail machine authentication, BUT they will presented with the username and password buble for PEAP based authentication of which they will enter their AD credentials. The laptop will then get on the network because the user passed authenticaiton and the hostname passed authorisation because it simply just matches the name based on the end-system configuration, because the hostname is doing authorisation not authentication of the machine. Think I could do the same with my IPhone connecting to wireless, just change the phones name to match a matching hostname that exists in AD of that group, put in my username and password and I’m in.
Again, that is a little over the top but my point is that either using certificates or doing machine AND user authentication is the only way to overcome the porblem of allowing only corporate machines on the network when using some kind of user authenticaton.
Well kind of hoping not, and hopeing someine will put straight on my theory and there is a way around it.