On Sun, 31 Jan 2010, Fajar A. Nugraha wrote:

On Sun, Jan 31, 2010 at 12:09 PM, Mike Diggins <[email protected]> wrote:
Why self signed versus CA signed? Ideally I would like my clients to not
be questioned about the certificate at all. Is that even possible with WPA?
If I purchase a CA signed cert, would that eliminate the requirement on the
client to acknowledge the certificate or import it?


It would also mean that anyone could go to the same CA, get a client
certificate and would be able to log in to your wireless network. Not really
ideal IMHO ;)

But I don't plan on distributing client certificates for authentication. I
intend for them to log in with a username and password checked against my
Radius server, so I'm not sure what role the certificate plays in that
process?

I think the recommendation made perfect sense when you require a client
certificate, like when deploying EAP/TLS. If you intend to use EAP as
a secure tunnel only, and log in with user/password (like with
PEAPv1/EAP-GTC), using a CA-signed cert might make more sense.


In the Windows WPA setup screen, Protected EAP Properties, there are options to "Validate server certificate", and "Connect to these servers". Do I specify my two Radius servers there? My clients don't have direct access to my Radius servers, so what actually happens when I enter them here? Does it just compare the FQDN to the one on the certificate that is presented during the login?

-Mike

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html