>> I know the docs also say that it is not best practices to use a
>> publicly signed cert because ANYONE can auth against the server,
>> however since I am in a position where almost all of the computers
>> will NOT be managed by our staff (they are student workstations) a public
>> cert seems perfect.

> It's not a good idea because anyone can pretend to be the server, too.

Hmmm. I hadn't thought of that attack vector, kind of like a man-in-the-middle attack, but isn't that what the private key is for, to prevent just that?

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221

-----Original Message-----
From: freeradius-users-bounces+jake.sallee=umhb....@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb....@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Thursday, January 20, 2011 1:13 PM
To: FreeRadius users mailing list
Subject: Re: Generating a Microsoft compatible CSR for FreeRADIUS

Sallee, Stephen (Jake) wrote:
> The documentation mentions special OID’s that need to be present for
> MS machines to accept the cert, but I can’t find WHAT those OID’s are
> so I can make sure I include them in the CSR.

See the files in raddb/certs, or read eap.conf. It's all there.

> I know the docs also say that it is not best practices to use a
> publicly signed cert because ANYONE can auth against the server,
> however since I am in a position where almost all of the computers
> will NOT be managed by our staff (they are student workstations) a public
> cert seems perfect.

It's not a good idea because anyone can pretend to be the server, too.

> If anyone has another route that will allow me to auth windows clients
> without having to manually install certs and/or manually configuring
> the wireless adapters I would be very grateful to hear your suggestions.

Not much. Blame Microsoft for not making it easy.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
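The following is an added example, not part of the thread and not FreeRADIUS's own files: Windows supplicants look for the TLS Web Server Authentication extended key usage (OID 1.3.6.1.5.5.7.3.1) in the RADIUS server certificate, and this sketch requests it in a CSR and then checks that the request is present. The host name, file names and the `server_ext` section name are constructed for the example.

```bash
#!/bin/sh
# Added example: request the TLS server-auth EKU in a CSR, then verify it is there.
SERVER_AUTH_OID="1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth, "TLS Web Server Authentication"

# make_csr DIR CN [yes|no] -> writes DIR/csr.cnf, DIR/server.key, DIR/server.csr
# Third argument "no" leaves the EKU request out (used to show the check failing).
make_csr() {
    csr_dir=$1; csr_cn=$2; csr_eku=${3:-yes}
    {
        echo "[ req ]"
        echo "prompt = no"
        echo "distinguished_name = dn"
        if [ "$csr_eku" = yes ]; then echo "req_extensions = server_ext"; fi
        echo "[ dn ]"
        echo "CN = $csr_cn"
        echo "[ server_ext ]"
        echo "extendedKeyUsage = $SERVER_AUTH_OID"
    } > "$csr_dir/csr.cnf"
    # The private key is generated locally with tight permissions;
    # only the CSR is sent to the CA.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -config "$csr_dir/csr.cnf" \
          -keyout "$csr_dir/server.key" -out "$csr_dir/server.csr" 2>/dev/null )
}

# csr_has_server_auth FILE -> exit status 0 if the CSR requests the server-auth EKU
csr_has_server_auth() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        grep -q "TLS Web Server Authentication"
}

# Demo with a constructed host name, in a throwaway directory.
demo_dir=$(mktemp -d)
if make_csr "$demo_dir" "radius.example.org" &&
   csr_has_server_auth "$demo_dir/server.csr"; then
    echo "CSR requests serverAuth EKU ($SERVER_AUTH_OID)"
else
    echo "CSR is missing the serverAuth EKU" >&2
fi
rm -rf "$demo_dir"
```

A CA is free to ignore extensions requested in a CSR, so repeat the check on the issued certificate with `openssl x509 -in cert.pem -noout -text` before deploying it.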

