Hi,

> We don't want to install certificates on the clients, but the problem

in that case, just get your RADIUS server signed by a CA that is already on the clients....something like Thawte, Verisign etc. ie spend some money. if you don't want to spend some money, use your own self-signed CA (closed-loop authentication) and use a client deployment tool to get the CA onto the systems (this is trivial with GPO in an Active Directory controlled domain).

think of the RADIUS server cert like that for an online bank. when you go to an online bank web site, the HTTPS is via a known certificate that your client trusts....and DNS can be used to map the name requested to an IP address....and the name of the server matches your request and the certificate name matches the DNS entry. you can even use DNSSEC to ensure that the IP you got was handed out by the domain you wanted... all good.

with RADIUS there is no layer 3 activity etc for the client...no DNS available etc.. so you can only take what you are given by the RADIUS server...and then match that to your local rules/settings - so, you verify the server cert, verify the CN you were given..and finally, verify the CA that sent that cert.

> used for the active directory. So is it only secure to connect to the AD
> when checking the certificates? Or is there another possibility to make
> it secure without installing certificates?

you can connect to the AD when checking the cert or when not checking the cert. if you do the former, then you are secure... if you don't check the CA then why even bother with 802.1X or security at all - you are leaving your network wide open to attack and abuse... I'll set up a rogue AP and just harvest people's credentials...which I'll then use to access all the bits I need (there are live CD distros with such tools ready to go using internal wireless card on a laptop). - of course, when I say I'll set up, that's hypothetical...I have better things to do ;-)

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
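The three client-side checks alan lists (verify the server cert, verify the name it carries, verify the issuing CA) written out as wpa_supplicant network blocks. This is an added example, not configuration from the thread or from the FreeRADIUS project; the SSID, identity, CA file path and server name are placeholders. The first block is the weak setup that trusts whatever certificate a RADIUS server presents; the second pins the CA and the expected server name.

```conf
# Added example (not from the thread). UPPER_CASE values are placeholders.
# wpa_supplicant.conf - PEAP/MSCHAPv2 supplicant settings for an 802.1X SSID.

# WEAK: no ca_cert and no name check, so the supplicant accepts any server
# certificate. Whoever runs a RADIUS server behind an AP with this SSID gets
# the inner MSCHAPv2 exchange - exactly the rogue-AP case described above.
network={
    ssid="CORP_WIFI"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="USER@EXAMPLE.COM"
    password="PLACEHOLDER"
    phase2="auth=MSCHAPV2"
}

# HARDENED: the supplicant only trusts the one CA you deployed, and only a
# certificate naming the RADIUS server you expect.
network={
    ssid="CORP_WIFI"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="USER@EXAMPLE.COM"
    password="PLACEHOLDER"
    phase2="auth=MSCHAPV2"
    # Checks 1 and 3: validate the server certificate chain and require that it
    # was issued by this CA file (your own closed-loop CA, or the public CA you
    # bought the cert from). Nothing outside this file is trusted for this SSID.
    ca_cert="/etc/ssl/certs/CORP_RADIUS_CA.pem"
    # Check 2: there is no DNS at this point in the exchange, so the expected
    # server name lives in local config and is matched against the cert's
    # SubjectAltName / CN. Without this, any cert from the same CA would pass.
    domain_match="radius.example.com"
}
```

`domain_match` requires an exact name; older wpa_supplicant releases only offer `domain_suffix_match`, which accepts the name or any subdomain of it. The name check matters most with a public CA, since that CA issues certificates to anyone who asks. On Windows the same three checks are the "Validate server certificate", "Connect to these servers" and trusted root CA settings in the PEAP profile, which the GPO mentioned in the post can push alongside the CA itself.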

