I've currently got a single host configured to have a certificate; the certificate is issued on a per-host basis. I want to somehow link a specific machine to a specific SSL certificate. It's my understanding that OpenLDAP or MySQL can do this. I'd prefer not to use MySQL, as the MySQL authentication server is already running on a separate server from my RADIUS server, and I want the RADIUS server to be self-sufficient. The load is low enough to sustain this, but I'd also prefer not to maintain two MySQL servers separately. Ergo, MySQL is a last-resort solution. That leaves OpenLDAP.

I should say now that I'm authenticating wireless clients over WPA2 + EAP-TLS. I'm still looking for a fairly simple "install a keypair + CA cert on a client and it just works from then on", but I'd like to register in OpenLDAP that a given host (identified by some combination of name and MAC address) is permanently tied to a given certificate. If the host and certificate don't match, I'd want to get some sort of notification in the logs, an e-mail alert or similar.

What I don't want is for users to have to maintain any sort of "password" or "username" to connect to the wireless network. We're not using passwords now, and we don't want to add complexity on the user side.

I'm not really sure how to accomplish authorizing a certificate that has already passed TLS authentication, but if it's possible, I know you folks will be able to point me to a guide or provide some input on how to accomplish this.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
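One way to do the host-to-certificate binding the post asks about, as an added example that is not from the original message or the FreeRADIUS project: a FreeRADIUS 3 `post-auth` policy that, after EAP-TLS has validated the client certificate, looks up the certificate serial registered for the client's MAC in OpenLDAP and rejects the session with a logged message on mismatch. The LDAP base DN and the `macAddress`/`hostCertSerial` attributes are assumed names for a schema you would define yourself; `TLS-Client-Cert-Serial`, `Calling-Station-Id` and the `%{ldap:...}` xlat are standard FreeRADIUS 3 features.

```unlang
# sites-enabled/default (outer virtual server; EAP-TLS has no inner tunnel)
post-auth {
    # TLS-Client-Cert-* attributes exist only once the EAP-TLS
    # handshake has completed and the client certificate was verified.
    if (&TLS-Client-Cert-Serial) {
        # Fetch the serial bound to this MAC (hypothetical schema:
        # objects under ou=hosts with macAddress and hostCertSerial).
        # Calling-Station-Id formatting (case, separators) depends on the
        # NAS, so normalise it in LDAP to match what the AP sends.
        update control {
            &Tmp-String-0 := "%{ldap:ldap:///ou=hosts,dc=example,dc=com?hostCertSerial?sub?(macAddress=%{Calling-Station-Id})}"
        }

        # No entry for this MAC, or a different certificate than the one
        # registered: refuse the session and leave a searchable log line.
        if (!&control:Tmp-String-0 || (&control:Tmp-String-0 != &TLS-Client-Cert-Serial)) {
            update request {
                &Module-Failure-Message := "Host %{Calling-Station-Id} presented cert serial %{TLS-Client-Cert-Serial}, registered serial '%{control:Tmp-String-0}'"
            }
            reject
        }
    }
}
```

The `Module-Failure-Message` is written to radius.log with the Access-Reject, so a log watcher can raise the e-mail alert from that line; comparing the serial (or `TLS-Client-Cert-Common-Name`) rather than the subject alone also catches a re-issued certificate being used from the wrong host.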