On Sun, 31 Jan 2010, Peter Lambrechtsen wrote:
> On 31/01/2010, at 11:59 AM, Mike Diggins <[email protected]> wrote:
>> I was able to get freeradius 2.1.3 and wireless WPA working, likely
>> due to the fact that FreeRadius was mostly configured for me
>> (thanks ;) ). I'm a little confused about the certificate that is
>> required in the process, and what the relationship is with the client,
>> the Wireless Controller and the FreeRadius server. The README file
>> states:
>> "In general, you should use self-signed certificates for 802.1x (EAP)
>> authentication."
>> Why self signed versus CA signed? Ideally I would like my clients to
>> not be questioned about the certificate at all. Is that even
>> possible with WPA? If I purchase a CA signed cert, would that
>> eliminate the requirement on the client to acknowledge the
>> certificate or import it?
> It would also mean that anyone could go to the same CA, get a client
> certificate and would be able to login to your wireless network. Not
> really ideal IMHO ;)
> Hence why controlling your own CA, and managing the CRL or OCSP is the
> only way to go if you want to properly maintain control over your
> wireless or 802.1x wired network.
> Minting certificates is pretty trivial depending on the CA software you
> are using and importing a CA into every workstation is also easy using
> the numerous tools available.
> My preference is to use the "rootsupd" package and extract that out
> and update the p7b with your own ca. Then get everyone to run that, or
> use software distribution to get it out enterprise wide.
But I don't plan on distributing client certificates for authentication. I
intend for them to login with a username and password checked against my
Radius server, so I'm not sure what role the certificate plays in that
process?
-Mike
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
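An added illustration of Peter's point above (editor's example, not from the thread and not a FreeRADIUS script): a private CA mints the RADIUS server certificate, and `openssl verify` with that CA as the only trust anchor rejects a certificate carrying the same server name but issued by anyone else. The CA name, host name `radius.example.org` and the temporary directory layout are constructed.

```shell
#!/bin/sh
# Constructed example: why the trust anchor, not the CA's brand, decides
# which RADIUS server a supplicant will accept. Revocation (CRL/OCSP), the
# other half of running your own CA, is not shown here.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. The organisation's own CA. This single certificate is what gets
#    distributed to every workstation (e.g. via a p7b bundle or GPO).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Example Corp Wireless CA" \
  -keyout ca.key -out ca.pem >/dev/null 2>&1

# 2. The EAP server certificate for FreeRADIUS, signed by that CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.org" \
  -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 365 -out server.pem >/dev/null 2>&1

# 3. A certificate for the very same name from a different issuer. This
#    stands in for "anyone can go to the same public CA and buy one".
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=radius.example.org" \
  -keyout other.key -out other.pem >/dev/null 2>&1

# verify_against_ca <cert>: returns 0 only if the certificate chains to
# our private CA. A supplicant configured with ca.pem as its sole trust
# anchor makes exactly this decision before sending any credentials.
verify_against_ca() {
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

if verify_against_ca "$WORK/server.pem"; then
  echo "server.pem: accepted (issued by our CA)"
fi
if ! verify_against_ca "$WORK/other.pem"; then
  echo "other.pem: rejected (same name, but not issued by our CA)"
fi
```

If the supplicant instead trusts a large public root store, step 3 becomes a certificate the client would accept, which is the situation Peter is warning about.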