Hi,

> If you're using a private CA for signing the RADIUS server certs, which
> is generally cited as best practice because it provides belt & braces;
> in the event a client does not learn & subsequently re-check the cert
> CN, a public CA would allow an attacker to impersonate your SSID. A
> private CA does not.
>
> Some people (us included) choose to use a public CA and accept the risk,
> in return for significantly easier deployment.
Private CA

  pros
  - under full control of the organisation
  - only the organisation can sign servers
  - for 802.1X your clients only need to trust your server: closed loop. So why use public?

  cons
  - CA management: skillset, can someone do the same in X years?
  - distribution of the CA to the client

Public CA

  pros
  - most clients have the CA already present
  - no need to learn about CA/PKI to such a low level

  cons
  - under the whims of the CA and their issues (recall the Dutch CAs, now revoked and invalid)
  - under the whims of the remote CA policy (changing from being a root to an intermediate)
  - anyone can buy a certificate from a CA
  - distribution: some CAs aren't on clients, so you need to distribute it anyway

Personal opinion: CA distribution was always the issue for a private CA, but most sites now go for using a deployment tool of some kind to get clients set up, and all of them can deal with installing a CA, so that's a problem gone.

The system is closed-loop; visitors never need to trust your RADIUS server cert, only your own folk do. So why use public in this space?

alan

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
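The closed loop both posters describe can be shown with plain openssl(1). The script below is an added example, not code from either message or from the FreeRADIUS project: it builds a throwaway private CA, issues a RADIUS server certificate from it, then issues a second certificate with the identical CN from an unrelated CA (standing in for "anyone can buy a certificate from a CA") and checks which one a client configured with only the private CA would accept. All names (radius.example.com, "Example Org", the file prefixes, the wpa_supplicant fragment) are made up for the demo.

```shell
#!/bin/sh
# Added example: a private CA as a closed trust loop for 802.1X server certs.
# Hypothetical names throughout; nothing here is from the list post.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
RADIUS_CN="radius.example.com"   # hypothetical RADIUS server name

# Minimal openssl.cnf so the example does not depend on the system default.
cat > "$WORKDIR/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_radius ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$RADIUS_CN
EOF

make_ca() {  # $1 = file prefix, $2 = CA name; self-signed root, 10 years
  openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORKDIR/openssl.cnf" -extensions v3_ca \
    -subj "/O=$2/CN=$2 Root" \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" 2>/dev/null
}

issue_server_cert() {  # $1 = issuing CA prefix, $2 = output prefix
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORKDIR/openssl.cnf" -subj "/CN=$RADIUS_CN" \
    -keyout "$WORKDIR/$2.key" -out "$WORKDIR/$2.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORKDIR/$2.csr" \
    -CA "$WORKDIR/$1.crt" -CAkey "$WORKDIR/$1.key" -CAcreateserial \
    -extfile "$WORKDIR/openssl.cnf" -extensions v3_radius \
    -out "$WORKDIR/$2.crt" 2>/dev/null
}

# What a supplicant with ca_cert= set to $1 does first: chain validation.
# Returns 0 if the presented cert ($2) chains to that CA, non-zero otherwise.
client_trusts() {
  openssl verify -CAfile "$WORKDIR/$1.crt" "$WORKDIR/$2.crt" >/dev/null 2>&1
}

# The CN the client would see; shows why a name check alone is not enough.
cert_cn() {
  openssl x509 -in "$WORKDIR/$1.crt" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

setup_demo() {  # idempotent: build both CAs and both server certs once
  [ -f "$WORKDIR/rogue.crt" ] && return 0
  make_ca org-ca   "Example Org Private CA"
  make_ca other-ca "Some Other CA"          # anyone can obtain a cert from here
  issue_server_cert org-ca   radius         # the legitimate RADIUS server
  issue_server_cert other-ca rogue          # same CN, signed by someone else
}

# Client side of the loop: trust only your CA, and still check the name.
# (Example wpa_supplicant network block; paths and SSID are hypothetical.)
supplicant_fragment() {
  cat <<EOF
network={
    ssid="corp-8021x"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.com"
    ca_cert="/etc/cert/org-ca.crt"
    domain_suffix_match="$RADIUS_CN"
    phase2="auth=MSCHAPV2"
}
EOF
}

setup_demo
printf 'legit  cert CN=%s trusted by org-ca: ' "$(cert_cn radius)"
client_trusts org-ca radius && echo yes || echo no
printf 'rogue  cert CN=%s trusted by org-ca: ' "$(cert_cn rogue)"
client_trusts org-ca rogue && echo yes || echo no
supplicant_fragment
```

Both certificates carry CN=radius.example.com, so a client that only checked the name could not tell them apart; the one signed outside the organisation fails because the supplicant's trust store holds the private CA and nothing else. With a public CA in that store the rogue certificate would be just another validly issued one, which is exactly the risk the first poster describes accepting.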

