Thanks Francois for answering.

I was wondering more along the lines of the fact that all workstations in a 
domain have a trusted CA cert from the internal domain CA, and whether there 
was a way to provision a subordinate CA cert to use in conjunction with 
freeradius to avoid having to import the certificate into the client.  

In the end it sounds like I may be stuck generating a generic cert for this 
purpose and importing it in.

-----Original Message-----
From: Francois Gaudreault [mailto:[email protected]] 
Sent: Tuesday, January 14, 2014 12:30 PM
To: [email protected]
Subject: Re: [PacketFence-users] Cert question: 802.1x windows authentication

This is a recurrent PKI question. At the end it's sooooo simple. If you 
generate a self-signed certificate (aka using the default server certificate of 
RADIUS), then you need to push the server's CA to all your PCs in order for 
them to trust the server certificate OR unselect the "validate server 
certificate" option on all your nodes.

Now you have two options for a REAL 802.1x deployment to work:
- Get a publicly signed (i.e. Verisign) certificate, and drop that as your 
RADIUS server certificate. Downside, anybody could act as a rogue AP. Upside, 
no CA to push anywhere as it's already in all your PCs.
- The recommended option is to use a real PKI structure. If you are on AD, you 
have that already, so use it!!! Generate a server certificate and sign it with 
your AD root certificate. The AD certificate should be already on all nodes 
joined to your domain.

Francois

On 1/14/2014, 2:25 PM, Jason Frisvold wrote:
> Thomas Tsai wrote:
>> In a windows 802.1x standard implementation, have any of you been 
>> able to successfully implement the certificate check for 802.1x via PF?
>>
>> Looks like the digital certificate used for freeradius needs to be 
>> updated to a trusted CA for this to occur.  Have any of you had 
>> success creating a CSR process to do this?
>>
>> Is the cert used listed under /usr/local/pf/conf/radius/eap.conf?  
>> I'm not sure how to generate this correctly.
> Yep.  It's a standard apache cert, so generate a csr as you would for 
> an apache server.  Put the key (with no passphrase), the certificate, 
> and the CA in the conf/ssl directory.  Add the proper filenames to the 
> eap.conf.  You'll need to add the CA config as well:
>
> private_key_file = %%install_dir%%/conf/ssl/server.key
> certificate_file = %%install_dir%%/conf/ssl/server.crt
> CA_file          = %%install_dir%%/conf/ssl/CA.crt
>
>


--
Francois Gaudreault
Architecte de Solution Cloud | Cloud Solutions Architect 
[email protected]
514-629-6775
- - -
CloudOps
420 rue Guy
Montréal QC  H3J 1S6
www.cloudops.com
@CloudOps_


------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything In Between.
Get a Quote or Start a Free Trial Today. 
http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users

**********************************************
Email Disclaimer:

This email, including attachments, may contain 
proprietary, confidential or privileged information. If you 
are not the intended recipient, please (i) do not use, 
disclose, save or retransmit this message or any 
attachments, (ii) alert the sender by reply email and (iii) 
destroy or delete this message and any attachments. 
Delivery of this email to a person other than the intended 
recipient(s) shall not constitute a waiver of privilege or 
confidentiality.

CP Investments, member FINRA and SIPC, serves as 
placement agent for investment products advised by 
Canyon Capital Advisors LLC. This email is not intended to 
be an offer to sell or a solicitation of an offer to buy any 
security in any jurisdiction. We review and retain 
electronic communications traveling through our network.

**********************************************

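Added worked example (editor's addition, not code from PacketFence, FreeRADIUS or anyone in this thread). The thread's answer is "sign the RADIUS server certificate with the AD CA and point eap.conf at the files", and the follow-up question is what changes when the signer is a subordinate CA rather than the root. The script below builds a throwaway PKI shaped like that with openssl (a root standing in for the AD enterprise root, an issuing sub-CA, and a server certificate with the Server Authentication EKU that Windows supplicants require), then runs the two checks a supplicant effectively performs: does the server certificate chain to the root using only what the server sent, and does it carry serverAuth. It shows that the server must send the sub-CA certificate in its chain, because domain-joined clients trust the root, not the issuing CA. Assumptions, all constructed for the example: the names Corp Root CA, Corp Issuing CA and radius.corp.example; that openssl is on the PATH; and that FreeRADIUS reads certificate_file as a PEM chain (server cert followed by intermediates), which you should confirm against the comments in your version's eap.conf.

```shell
#!/bin/sh
# Added example, not PacketFence or FreeRADIUS code. It builds a throwaway
# PKI shaped like an AD deployment (root CA -> issuing sub-CA -> RADIUS server
# cert) with openssl, then applies the checks a Windows PEAP supplicant
# effectively performs before it trusts the server. Every name below
# (Corp Root CA, Corp Issuing CA, radius.corp.example) is constructed.
set -eu

# v3 extensions for a CA cert; $1 is the pathlen (0 for the issuing CA).
ca_ext() {
  printf 'basicConstraints = critical, CA:TRUE, pathlen:%s\n' "$1"
  printf 'keyUsage = critical, keyCertSign, cRLSign\n'
  printf 'subjectKeyIdentifier = hash\n'
}

# v3 extensions for the RADIUS server cert. serverAuth is the part Windows
# insists on: without the "Server Authentication" EKU the supplicant rejects
# the cert even when the chain is trusted. $1 is the server FQDN for the SAN.
server_ext() {
  printf 'basicConstraints = CA:FALSE\n'
  printf 'keyUsage = critical, digitalSignature, keyEncipherment\n'
  printf 'extendedKeyUsage = serverAuth\n'
  printf 'subjectAltName = DNS:%s\n' "$1"
}

# Passphrase-less key plus CSR for CN=$2, written to $1/$3.key and $1/$3.csr.
# No passphrase because FreeRADIUS reads the key unattended (as said above).
gen_key_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
}

build_demo_pki() {
  dir="$1"; fqdn="$2"
  mkdir -p "$dir"
  # Root CA: stands in for the AD enterprise root the domain PCs already trust.
  gen_key_csr "$dir" "Corp Root CA" root
  ca_ext 1 > "$dir/root.ext"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 \
    -extfile "$dir/root.ext" -out "$dir/root.crt" 2>/dev/null
  # Issuing (subordinate) CA, signed by the root.
  gen_key_csr "$dir" "Corp Issuing CA" sub
  ca_ext 0 > "$dir/sub.ext"
  openssl x509 -req -in "$dir/sub.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1825 -extfile "$dir/sub.ext" -out "$dir/sub.crt" 2>/dev/null
  # RADIUS server cert signed by the issuing CA. server.csr is what you would
  # submit to the real AD CA; the signing step is only simulated here.
  gen_key_csr "$dir" "$fqdn" server
  server_ext "$fqdn" > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/sub.crt" -CAkey "$dir/sub.key" \
    -CAcreateserial -days 825 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
  # Chain the server will present: leaf first, then the issuing CA. Clients
  # hold the root, not the sub-CA, so the server has to send the sub-CA.
  cat "$dir/server.crt" "$dir/sub.crt" > "$dir/server_chain.pem"
}

# What the supplicant checks: does server.crt chain to the trusted root using
# only the intermediates the server sent ($2, may be empty), and does it carry
# the serverAuth EKU? Returns 0 when both hold, 1 otherwise.
verify_as_supplicant() {
  dir="$1"; sent="${2:-}"
  if [ -n "$sent" ]; then
    openssl verify -CAfile "$dir/root.crt" -untrusted "$sent" "$dir/server.crt" 2>/dev/null \
      | grep -q ': OK$' || return 1
  else
    openssl verify -CAfile "$dir/root.crt" "$dir/server.crt" 2>/dev/null \
      | grep -q ': OK$' || return 1
  fi
  openssl x509 -in "$dir/server.crt" -noout -text \
    | grep -q 'TLS Web Server Authentication'
}

# The eap.conf lines from the thread, pointed at the files above. Assumption:
# certificate_file is read as a PEM chain (leaf + intermediates), so the
# sub-CA goes there; CA_file holds the trusted root.
eap_conf_fragment() {
  printf 'private_key_file = %s/server.key\n' "$1"
  printf 'certificate_file = %s/server_chain.pem\n' "$1"
  printf 'CA_file          = %s/root.crt\n' "$1"
}

WORK="${WORK:-$(mktemp -d)}"
build_demo_pki "$WORK" radius.corp.example
verify_as_supplicant "$WORK" "$WORK/sub.crt" && echo "with issuing CA sent: trusted"
if ! verify_as_supplicant "$WORK" ""; then
  echo "server cert alone (sub-CA not sent): rejected"
fi
eap_conf_fragment "$WORK"
```

With the real certificate back from the AD CA, the same check applies to the real files: openssl verify -CAfile with the AD root, -untrusted with the issuing CA's certificate, and the server certificate as the target; if that does not print OK, or the certificate lacks TLS Web Server Authentication in its extended key usage, Windows clients with "Validate server certificate" enabled will refuse it regardless of what is in eap.conf.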
