This is a recurrent PKI question. At the end it's sooooo simple. If you generate a self-signed certificate (aka using the default server certificate of RADIUS), then you need to push the server's CA to all your PCs in order for them to trust the server certificate OR unselect the "validate server certificate" option on all your nodes.
Now you have two options for a REAL 802.1x deployment to work:

- Get a publicly signed (i.e. Verisign) certificate, and drop that as your RADIUS server certificate. Downside, anybody could act as a rogue AP. Upside, no CA to push anywhere as it's already in all your PCs.
- The recommended option is to use a real PKI structure. If you are on AD, you have that already, so use it!!! Generate a server certificate and sign it with your AD root certificate. The AD certificate should be already on all nodes joined to your domain.

Francois

On 1/14/2014, 2:25 PM, Jason Frisvold wrote:
> Thomas Tsai wrote:
>> In a windows 802.1x standard implementation, have any of you been able
>> to successfully implement the certificate check for 802.1x via PF?
>>
>> Looks like the digital certificate used for freeradius needs to be
>> updated to a trusted CA for this to occur. Have any of you had success
>> creating a CSR process to do this?
>>
>> Is the cert used listed under /usr/local/pf/conf/radius/eap.conf? I'm
>> not sure how to generate this correctly.
> Yep. It's a standard apache cert, so generate a csr as you would for an
> apache server. Put the key (with no passphrase), the certificate, and
> the CA in the conf/ssl directory. Add the proper filenames to the
> eap.conf. You'll need to add the CA config as well :
>
> private_key_file = %%install_dir%%/conf/ssl/server.key
> certificate_file = %%install_dir%%/conf/ssl/server.crt
> CA_file = %%install_dir%%/conf/ssl/CA.crt
>

--
Francois Gaudreault
Architecte de Solution Cloud | Cloud Solutions Architect
514-629-6775
CloudOps
420 rue Guy
Montréal QC H3J 1S6
www.cloudops.com
@CloudOps_
PacketFence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
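The CSR workflow and the three eap.conf files discussed in this thread, as an added example that is not part of the original messages or of PacketFence: it builds a server key and CSR, signs it, then checks that the key matches the certificate and that the certificate chains to the CA file. The throwaway CA, the hostname `radius.example.org` and the function names are assumptions made for the demonstration; in a real deployment the CSR goes to your existing CA.

```bash
#!/bin/sh
# Added example, not PacketFence code. File names follow the eap.conf lines
# quoted in the thread; the demo CA and radius.example.org are constructed.

make_demo_pki() {  # $1 = output directory
  # Stand-in for your enterprise CA (in production this already exists).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$1/CA.key" -out "$1/CA.crt" 2>/dev/null || return 1
  # Server key with no passphrase, plus the CSR that goes to the CA.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=radius.example.org" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
  chmod 600 "$1/server.key"  # unencrypted key: keep it owner-readable only
  # CA side: sign the CSR to produce the server certificate.
  openssl x509 -req -in "$1/server.csr" -CA "$1/CA.crt" -CAkey "$1/CA.key" \
    -CAcreateserial -days 1 -out "$1/server.crt" 2>/dev/null || return 1
}

# private_key_file must hold the key for certificate_file.
key_matches_cert() {  # $1 = key, $2 = certificate
  kmc_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  kmc_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$kmc_key" ] && [ "$kmc_key" = "$kmc_crt" ]
}

# certificate_file must chain to CA_file, the CA the clients are told to trust.
chain_ok() {  # $1 = CA file, $2 = certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo run in a temporary directory.
demo_dir=$(mktemp -d)
if make_demo_pki "$demo_dir" &&
   key_matches_cert "$demo_dir/server.key" "$demo_dir/server.crt" &&
   chain_ok "$demo_dir/CA.crt" "$demo_dir/server.crt"; then
  echo "server.key, server.crt and CA.crt are consistent"
fi
rm -rf "$demo_dir"
```

Running the two checks against the real files before restarting RADIUS catches a mismatched key or a certificate issued by a different CA than the one pushed to clients.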
