Two issues:

1) Is there a listing somewhere of all the OIDs and what they all mean to Windows (XP)?

2) Issuing client certs isn't that difficult. With Windows Vista/7, installing a cert is a simple double-click operation, so if they have a USB flash drive, you can use Linux to zip a copy of their private key and a .doc with instructions (including screenies!) on configuring their OS in a matter of seconds. All they have to do is stop by IT to request a key once, and it's good for as long as you honour it.

On Thu, Jan 20, 2011 at 3:10 PM, Alan Buxey <[email protected]> wrote:
> Hi,
>
> > > To clarify, they can pretend to be a valid server, because *anyone*
> > > signed by Verisign is a valid server.
> > >
> > > To go one step further, they can have Verisign sign a CA, and then use
> > > that CA to create *any* certificate they want,
> > > including one which pretends to be your server. Most users won't
> > > bother reading the entire certificate chain.
> > > They'll just see "mit.edu" (or whatever) and click "OK".
> >
> > Ahh, I see what you mean. Thank you for the clarification. The masses
> > of undereducated and/or apathetic users out there are the biggest challenges
> > facing IT pros.
>
> Aye. This is why a self-signed cert can be beneficial...it's a closed-loop
> system then - only your own users ever authenticate against your server (ie use the
> SSL cert to create an EAP tunnel to do things) - external users/visitors would
> be proxied off to their home site (eg if using eduroam) - so you don't need to
> worry about them getting the CA onto their system.
>
> You can shore things up a bit by ensuring that the clients are configured to
> only trust the CA you've chosen...and have filled in the RADIUS server name (well,
> its CN from the SSL cert it provides when making the tunnel). But, once
> again, that's getting things done right... most users with most OSes will
> just click on the SSID and fill in basic details when prompted (I guess
> at least a lot of pain is now gone from 802.1X network connections....quick
> and dirty).
>
> PS dealing with public CAs isn't always so clear cut and quick - sometimes
> the OS needs to be updated/patched before the CA is available...or an updated
> CA is supplied...and sometimes the chain of trust changes so what was a CA
> becomes an intermediary etc - so you have to deal with those cases too.
>
> PS as already said, the extensions you need are documented and provided
> in the 'xpextensions' file - they're basically how Windows decides the 'purpose'
> of the cert. Tiresome really.
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
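An added example, not from the list post or the FreeRADIUS project, that gives the first question something runnable: it encodes and decodes the extendedKeyUsage extension in DER using only the Python standard library, and maps each OID to the "purpose" string Windows shows in its certificate viewer. The two OIDs set by the xpextensions file shipped with FreeRADIUS are clientAuth (1.3.6.1.5.5.7.3.2, in xpclient_ext) and serverAuth (1.3.6.1.5.5.7.3.1, in xpserver_ext). The sample DER bytes below are constructed here, and the Microsoft-arc entries in the table are only the ones I am sure of, not a complete listing; anything Windows does not recognise is displayed as "Unknown Key Usage (<oid>)".

```python
"""Encode/decode the X.509 extendedKeyUsage (EKU) extension and map each OID
to the purpose Windows shows for it.  Stdlib only; no openssl required.

Sample DER below is constructed for this example.  For a real cert, dump the
same extension with:  openssl x509 -in cert.pem -noout -text
"""

# EKU OID -> purpose string as shown in the Windows certificate viewer.
# RFC 5280 id-kp arc (1.3.6.1.5.5.7.3.*) plus a few Microsoft-arc OIDs.
EKU_PURPOSES = {
    "1.3.6.1.5.5.7.3.1": "Server Authentication",   # xpextensions: xpserver_ext
    "1.3.6.1.5.5.7.3.2": "Client Authentication",   # xpextensions: xpclient_ext
    "1.3.6.1.5.5.7.3.3": "Code Signing",
    "1.3.6.1.5.5.7.3.4": "Secure Email",
    "1.3.6.1.5.5.7.3.8": "Time Stamping",
    "1.3.6.1.5.5.7.3.9": "OCSP Signing",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.4.1.311.10.3.4": "Encrypting File System",
}


def _der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER TLV (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                     # base-128, high bit = more
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _der_len(len(body)) + bytes(body)


def decode_oid(body):
    """DER OID content octets -> dotted string."""
    first_arc = min(body[0] // 40, 2)            # arcs 0/1 use 40*x, arc 2 may exceed 79
    arcs = [first_arc, body[0] - 40 * first_arc]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                         # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def encode_eku(oids):
    """List of dotted OIDs -> DER value of extendedKeyUsage (SEQUENCE OF OID)."""
    inner = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_len(len(inner)) + inner


def decode_eku(der):
    """DER extendedKeyUsage value -> list of dotted OIDs (strict: no trailing bytes)."""
    tag, inner, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("extendedKeyUsage is not a well-formed SEQUENCE")
    oids, pos = [], 0
    while pos < len(inner):
        t, body, pos = _read_tlv(inner, pos)
        if t != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside extendedKeyUsage")
        oids.append(decode_oid(body))
    return oids


def windows_purposes(der):
    """What the Windows certificate viewer would list for this EKU value."""
    return [EKU_PURPOSES.get(o, f"Unknown Key Usage ({o})") for o in decode_eku(der)]


def openssl_ext_section(name, oids, crl_uri=None):
    """Render an openssl.cnf extension section in the style of xpextensions."""
    lines = [f"[ {name} ]", "extendedKeyUsage = " + ", ".join(oids)]
    if crl_uri:
        lines.append(f"crlDistributionPoints = URI:{crl_uri}")
    return "\n".join(lines) + "\n"


# Constructed sample: the EKU value a cert signed with xpclient_ext carries.
XPCLIENT_EKU = bytes.fromhex("300a06082b06010505070302")

if __name__ == "__main__":
    print(windows_purposes(XPCLIENT_EKU))
    both = encode_eku(["1.3.6.1.5.5.7.3.1", "1.3.6.1.4.1.311.20.2.2"])
    print(both.hex(), windows_purposes(both))
    print(openssl_ext_section("xpclient_ext", ["1.3.6.1.5.5.7.3.2"],
                              "http://www.example.com/example_ca.crl"))
```

The strict `end != len(der)` check in `decode_eku` matters in practice: a cert whose EKU is followed by trailing junk is malformed, and different validators disagree on whether to accept it, so treating it as an error is the safer default. Note too that Windows only consults EKU for "purpose"; it does not make a cert with serverAuth usable as a client cert or vice versa, which is exactly why FreeRADIUS keeps two separate sections in xpextensions.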

