We are switching to EAP-TLS for wireless authentication, and have everything in 
place with the exception of a Certificate Revocation Checking process.  We 
would prefer to use OCSP, but it appears that FreeRADIUS isn't supporting OCSP 
very well (it is either buggy or not feature rich).  Specifically, it would 
appear that if you don't specify a URL (a responder override), FreeRADIUS will 
not correctly pull the responder URL from the certificate.  Verification then 
fails, and thus the user connection will not be established.  We have multiple 
CAs, so hard-coding a single responder URL is not optimal.  The other issue 
is that a fail-open option for FreeRADIUS also doesn't look to be officially 
supported, and is only provided via some user patch that won't likely work when 
the code is upgraded.  A soft fail would allow users to be authenticated if a 
responder is unavailable, and presumably we can set some timeout that is less 
than a user connection timeout for this to occur.

With all of this preface, I have been looking for commercially supported RADIUS 
platforms, and Radiator looks to be a really good option.  I am not entirely 
sure they support the above options, but have inquired.  Anyone have some good 
opinions on Radiator?

As to our actual problems, we could be messing up the config, but I don't think 
so :)

Thanks,
Ryan Turner

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
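
The two behaviours asked about above (taking the responder URL from each certificate unless an override is set, and a soft fail bounded by a timeout) can be checked outside the RADIUS server with the `openssl` CLI. This is an added example, not part of the original post and not FreeRADIUS or Radiator code; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical. Requires the openssl CLI.

# Print the OCSP responder URL for a certificate: the override if one is
# given, otherwise the first OCSP URL in the certificate's AIA extension.
ocsp_url_for() {
    local cert="$1" override="${2:-}" url
    if [ -n "$override" ]; then
        printf '%s\n' "$override"
        return 0
    fi
    url=$(openssl x509 -in "$cert" -noout -ocsp_uri 2>/dev/null | head -n 1)
    [ -n "$url" ] || return 1        # certificate carries no OCSP URL
    printf '%s\n' "$url"
}

# Print "accept" or "reject" for a client certificate.
# Args: cert, issuer cert, softfail (yes|no), timeout seconds, [override URL]
revocation_decision() {
    local cert="$1" issuer="$2" softfail="$3" timeout="$4" override="${5:-}"
    local url out="" verified=no
    if url=$(ocsp_url_for "$cert" "$override"); then
        # Assumption: the issuer certificate also validates the responder's
        # signature; a delegated responder needs its own trust chain here.
        out=$(openssl ocsp -issuer "$issuer" -CAfile "$issuer" -cert "$cert" \
                  -url "$url" -timeout "$timeout" 2>&1) || true
    fi
    # Only a response whose signature verified is allowed to decide.
    case "$out" in *"Response verify OK"*) verified=yes ;; esac
    if [ "$verified" = yes ]; then
        case "$out" in
            *": revoked"*) echo reject; return 0 ;;
            *": good"*)    echo accept; return 0 ;;
        esac
    fi
    # No URL, responder unreachable, timeout, unverified or "unknown" answer:
    # soft fail lets the user in, hard fail does not.
    if [ "$softfail" = yes ]; then echo accept; else echo reject; fi
}
```

Running `ocsp_url_for` against one certificate from each CA shows whether every issuer actually publishes a responder URL before any server-side behaviour is blamed.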
