On 11/14/2012 06:54 PM, Brian Julin wrote:

> Phil Mayers wrote:
>
>> Yes. However, buying separate certs might not be a good idea as it will
>> complicate the client setup - they'll all have to come from the same CA
>> and share the same CN (or you'll have to rely on wildcard CN matching on
>> the clients).
>
> Has that actually been tested to work across the gallery of clients? It is

No. Hence my suggestion that it "might not be a good idea" ;o)

> my impression that a lot of clients (e.g. IOS) will just barf on any certificate
> that isn't the first one it encountered on an SSID, unless and until the
> user gets frustrated and reconfigures.
>
> Not that I think running multiple certs offers any real benefit. Perhaps
> for transitional purposes when expiry dates come up.

About the only real use-case I can think of for multiple certs is a desire to use a hardware crypto module for "security" i.e. prevent key exposure.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html