Hi all, I need help thinking my deployment plans through. I hope folks on the list will help me clarify my thinking.
I intend to set up .1X access control on our LAN via freeradius. Here's what this would look like:

Windows 2003 Standard Ed/Active Directory <=> Winbind/Samba <=> Freeradius <=> NAS <=> <PEAP/MSCHAPV2> <=> Windows XP/sp2 workstations

I'd like to enforce network access by making freeradius check for host certificates (by using 'EAP-TLS-Require-Client-Cert = Yes' under the PEAP section in eap.conf), so that only computers with valid host certs AND domain credentials will be allowed port access via the NAS to the LAN. My understanding is that best practice says that each computer cert should be unique. I think I could use two approaches to creating certs and getting them to the client. Here are the two alternatives I think would work:

Scenario #1

For 300 host machines on LAN:

1. From the /certs directory use the MAKE scripts to generate a unique client.pem using the FQDN of each host.
2. Copy and install the host cert (fqdn.pem) and ca.der to each Windows XP/sp2 client.

This would all be done by hand, e.g. we would need to sit down at every host and install the cert. If this general outline is correct, which file on freeradius would we remove if we wished to revoke a host's certificate? If I am way off base here, I'd love to get corrected. Is there any way to automate this procedure in our LAN environment other than scenario #2 below?

Scenario #2

In order to auto-magically distribute unique computer certs to Windows 2003 domain members, I understand that Windows 2003 Enterprise Edition has the ability to create template certs and roll a unique cert for each host joined to the domain, and also to push the customized cert to each domain member via GPO. However, we don't currently run Win2k3 Enterprise Edition, but we would consider buying it if we thought that it would save us a lot of time for installation and future management of certs. Using this approach I think we would need to do the following:

1. From the /certs directory use 'make server.csr' to create a Certificate Signing Request which we would then import to our Active Directory CA.
2. We would need to follow the steps outlined here http://lists.freeradius.org/mailman/htdig/freeradius-users/2006-October/msg00515.html to get our server cert which we generated on Freeradius signed by the Active Directory CA.
3. We could then import that signed cert into AD for automatic distribution and enrollment per http://www.wicked-styles.com/bitsandpieces/articles/enterprise_wi-fi_security/index.html

I hope folks can help fill in the missing pieces here and also let me know which approach makes sense given the number of clients we have and the environment I've outlined above. Has anyone had any experience with either scenario? Is there a better way than the ones I've outlined?

Thanks very much!

John

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
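The per-host certificate workflow from Scenario #1, written out as an added example that is not part of the original post and not the FreeRADIUS /certs make scripts themselves (those wrap the same openssl operations). It builds a small private CA, issues one client-auth certificate per workstation FQDN, packages key and cert as PKCS#12 for the Windows import wizard, and shows that revocation is done by marking the certificate revoked in the CA database and regenerating a CRL, which a CRL-checking verifier then rejects; the certificate file itself stays where it is. The directory layout, CA name, host names and the 'changeit' PKCS#12 password are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): one certificate per host FQDN
# from a private CA, plus revocation via CRL. The CA_DIR layout, names and
# passwords below are assumptions for the example. stderr is silenced to keep
# the output readable; drop the 2>/dev/null redirects when debugging.

# Create the directory layout 'openssl ca' expects, a self-signed CA cert
# and an initial (empty) CRL so CRL-checking verification works from day one.
ca_init() {
    dir=$1
    mkdir -p "$dir/newcerts" "$dir/hosts"
    : > "$dir/index.txt"          # CA database: one line per issued cert
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = lan_ca

[ lan_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_cn_only

[ policy_cn_only ]
commonName = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ host_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
    openssl req -new -x509 -config "$dir/openssl.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Example LAN Host CA" -days 3650 2>/dev/null
    openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# Issue a unique client-auth certificate whose CN is the host's FQDN, and
# bundle key + cert + CA into a .p12, which is what the Windows wizard imports.
issue_host_cert() {
    dir=$1; fqdn=$2
    openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/hosts/$fqdn.key" -out "$dir/hosts/$fqdn.csr" \
        -subj "/CN=$fqdn" 2>/dev/null
    openssl ca -config "$dir/openssl.cnf" -batch -notext -extensions host_ext \
        -in "$dir/hosts/$fqdn.csr" -out "$dir/hosts/$fqdn.pem" 2>/dev/null
    openssl pkcs12 -export -in "$dir/hosts/$fqdn.pem" -inkey "$dir/hosts/$fqdn.key" \
        -certfile "$dir/ca.pem" -out "$dir/hosts/$fqdn.p12" \
        -passout pass:changeit 2>/dev/null
}

# Revoke: mark the serial as revoked in index.txt and publish a fresh CRL.
# Nothing is deleted; the RADIUS server must be configured to check the CRL.
revoke_host_cert() {
    dir=$1; fqdn=$2
    openssl ca -config "$dir/openssl.cnf" -revoke "$dir/hosts/$fqdn.pem" 2>/dev/null
    openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# Verify the way a CRL-checking server would: trust the CA, consult the CRL.
# Returns 0 for a valid, unrevoked cert and non-zero otherwise.
verify_host_cert() {
    dir=$1; fqdn=$2
    openssl verify -crl_check -CAfile "$dir/ca.pem" -CRLfile "$dir/crl.pem" \
        "$dir/hosts/$fqdn.pem" >/dev/null 2>&1
}

# Walk-through with two constructed host names; run as: sh this.sh demo
demo() {
    d=$(mktemp -d)
    ca_init "$d"
    issue_host_cert "$d" ws01.example.local
    issue_host_cert "$d" ws02.example.local
    verify_host_cert "$d" ws01.example.local && echo "ws01: valid"
    revoke_host_cert "$d" ws01.example.local
    verify_host_cert "$d" ws01.example.local || echo "ws01: revoked"
    verify_host_cert "$d" ws02.example.local && echo "ws02: still valid"
    echo "CA state in $d/index.txt:"; cat "$d/index.txt"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

After `revoke_host_cert` the host's `.pem` still exists under `hosts/`; what changed is the `R` entry in `index.txt` and the new `crl.pem`. For that to take effect at authentication time the RADIUS server's TLS configuration must be set to check the CRL and be given the regenerated CRL, otherwise a revoked host cert still verifies against the CA alone, which is the behaviour the plain `openssl verify -CAfile ca.pem` check (without `-crl_check`) would show.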

