1257 Views, 0 Helpful, 23 Replies

radius

daveman007
Level 1

Hello, I have version 3.2.78 on my WLC 4402 and I want to configure it for EAP-TLS. It should be secured by 802.1X and WPA2, but I don't know how to do it properly over the web interface. Every suggestion is appreciated.

23 Replies

Jagdeep Gambhir
Level 10

Dave,

Please check this link,

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917a6.shtml

Regards,

~JG

Please rate helpful posts

Scott Fella
Hall of Fame

So you want to use EAP-TLS instead of PEAP. In other words, you want a certificate on each device. Here is a link that might help:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917a6.shtml#t20

I have always used WPA2 w/PEAP MSChapv2 and a single certificate on the radius server.

You should maybe upgrade to 4.1.185.0, just in case:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00805f381f.shtml

-Scott
*** Please rate helpful posts ***

Hi, thanks for the replies.

Why would you recommend PEAP with MSCHAPv2 rather than EAP-TLS?

My additional problem is that I can't update my WLC 4402 because I am out of warranty.

The reason for single-sided server certs is for your head. If you have to deal with all those client certs and manage them every single time a device is lost or stolen, your head will explode. By using PEAP or even the old legacy LEAP, you don't have that headache. Simpler management = fewer Tylenols taken.

But will I have the headache of lacking security, or is it more or less the same security level?

Exactly... I worked on a project once doing EAP-TLS... NEVER AGAIN.

You have to look at it this way. Do you have a Root CA configured? Whether you do or you don't, you should see what MS best practice is for having a CA... You will need Excedrin for tension headaches.

-Scott
*** Please rate helpful posts ***

I have to reach the result that the guys (students) using their (school-owned) notebooks are not able to insert other personal notebooks. Is PEAP good for that?

So using PEAP, how do I have to configure the stuff, for instance my CA?

That's a whole different scenario now. I would probably utilize PEAP for authentication and a MAC filter for association purposes. You could also validate a machine against RADIUS but again that could turn into a lot of work. Either way, the machine would be controlled and authentication would take place at a much more secure level.

I heard MAC filters are not secure because the MAC can be changed.

OK. Let's talk security here. The MAC filter is not security. It is a method to dictate which laptop is allowed to associate to your access point. After the laptop has associated, the user logs in to the network via PEAP and is authenticated. If the authentication fails, the user is not allowed a session on the network. This protects you: if somebody steals the laptop, they can't log in to the network because their authentication fails. Never use MAC filters as security, only access control.
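The exchange described in the reply above (the WLC admits the client by MAC, then relays the client's EAP authentication to the RADIUS server) as an added Python example; it is not part of this thread and is not Cisco code. It builds the RADIUS Access-Request a WLC would send for a PEAP or EAP-TLS client, verifies the Message-Authenticator a RADIUS server checks on EAP traffic (RFC 3579), and verifies the Response Authenticator that binds the server's Access-Accept to that request (RFC 2865). The point it makes concrete is the one in the post: Calling-Station-Id, the client MAC, is just an attribute the WLC reports, integrity-protected only by the WLC-to-server shared secret, so the server learns what the WLC saw, not who the client is; the credential inside EAP-Message is what actually authenticates the user. The shared secret, addresses, MAC and user name are made-up values.

```python
"""Added example (not from the thread, not Cisco code): RADIUS framing of an
802.1X/EAP exchange between a WLC and a RADIUS server, with the two integrity
checks a server performs. All secrets, addresses and identities are assumed."""
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 31
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80


def tlv(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value(<=253)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_response_identity(eap_id, identity):
    """EAP Response/Identity (RFC 3748): Code=2, Id, Length, Type=1, identity."""
    body = b"\x01" + identity.encode()
    return struct.pack("!BBH", 2, eap_id, 4 + len(body)) + body


def build_access_request(secret, pkt_id, request_auth, attrs):
    """Assemble an Access-Request. Message-Authenticator is HMAC-MD5 over the
    whole packet with its own 16 value bytes zeroed, keyed with the shared
    secret; RFC 3579 makes it mandatory whenever EAP-Message is present."""
    body = b"".join(attrs) + tlv(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(body))
    packet = header + request_auth + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the MA value is the last 16 bytes we appended


def parse_attrs(packet):
    """Decode the attribute list after the 20-byte header into (type, value)."""
    out, pos = [], 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        out.append((t, packet[pos + 2:pos + length]))
        pos += length
    return out


def verify_message_authenticator(secret, packet):
    """Server-side check: recompute the HMAC with the MA value zeroed and
    compare in constant time. Any altered byte, including a changed
    Calling-Station-Id, or a wrong shared secret makes this fail."""
    pos = 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += length
    return False  # RFC 3579: an EAP request without MA must be discarded


def response_authenticator(secret, code, pkt_id, request_auth, attrs=b""):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, pkt_id, 20 + len(attrs))
    return hashlib.md5(hdr + request_auth + attrs + secret).digest()


def verify_response(secret, reply, request_auth):
    """WLC-side check that a reply belongs to the request it sent."""
    code, pkt_id, _ = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(secret, code, pkt_id, request_auth, reply[20:])
    return hmac.compare_digest(reply[4:20], expected)


def demo():
    secret = b"s3cr3t-wlc-radius"        # assumed WLC/RADIUS shared secret
    request_auth = os.urandom(16)        # fresh Request Authenticator per request
    attrs = [
        tlv(USER_NAME, b"student01"),
        tlv(NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),        # the WLC (assumed)
        tlv(CALLING_STATION_ID, b"00-11-22-33-44-55"),      # MAC as the WLC saw it
        tlv(EAP_MESSAGE, eap_response_identity(1, "student01")),
    ]
    req = build_access_request(secret, 7, request_auth, attrs)
    # Someone on the path rewrites the reported MAC: the HMAC no longer matches
    tampered = req.replace(b"00-11-22-33-44-55", b"aa-11-22-33-44-55")
    # Server replies; Response Authenticator ties the reply to this request
    accept_attrs = tlv(USER_NAME, b"student01")
    accept = (struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(accept_attrs))
              + response_authenticator(secret, ACCESS_ACCEPT, 7, request_auth, accept_attrs)
              + accept_attrs)
    return {
        "attr_types": [t for t, _ in parse_attrs(req)],
        "ma_ok": verify_message_authenticator(secret, req),
        "tampered_ok": verify_message_authenticator(secret, tampered),
        "wrong_secret_ok": verify_message_authenticator(b"other", req),
        "accept_ok": verify_response(secret, accept, request_auth),
        "replayed_accept_ok": verify_response(secret, accept, os.urandom(16)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Note what the checks do and do not cover: `ma_ok` passing tells the server only that the WLC it shares a secret with sent these attributes unmodified; nothing in RADIUS proves the client really owns the MAC in Calling-Station-Id, which is why the MAC filter is access control and the EAP credential is the authentication.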

But what if the guy takes another laptop, changes the MAC, copies the certificate (if possible, I don't know) and logs in with his username and password? Would it work?

Hmmm, changes the MAC. That CAN be done, but only by a very experienced computer guy, and the laptop has to be using a flavor of Linux. Windows OS does not allow for modification of MAC addresses. Even if he gets access to the MAC, he doesn't have the logon credentials to defeat your PEAP authentication. So what has he gained? A whole lot of work for absolutely no reward. I'm just trying to make life easy for you here. Certificates will work as well, but jeez, the headaches of managing certificates.

Here is the configuration for using PEAP to authenticate the machine instead of the user.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml

OK, will do. So you would not recommend EAP-TLS because of the huge amount of extra work, and the same security level.

The PEAP MSCHAPv2 just works; only the certificate component doesn't work, so I have to work on this.
