FreeRADIUS with 2 certs/CAs etc

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Wed Sep 30 22:41:09 CEST 2009


Hi,

ah..if all our systems were under full control and were Windows boxes life
would be easier - but so much duller :-)  we have a mixture of clients and
a mixture of centrally managed and personal systems....

I can certainly see that using a separate SSID would be a way of doing it..
but not helpful for remote access when only 1 SSID is available.

> I don't think so because the client is causing the tunnel creation to fail because the certificate wasn't acceptable.  If this were possible, then someone could create an SSID that matches yours and keep trying various certificates until it found one you liked.  The purpose of the server certificate validation is to reduce the probability that someone can spoof your infrastructure (which is why using internal certs is better because someone on the outside, in theory, couldn't digitally sign a cert. from your internal CA, but they could easily get a cert. from Verisign).

oh certainly and for sure - we recommend a closed-loop system, self-signed..
and we also recommend that the server cert is checked (ensure that the client
checks the server!) without these two things, the EAP method can be compromised.

however, being secure and using EAP and PKI does mean having to be ready for
particular eventualities... a server cert expiration is easy..just resign with
CA... but a CA expiry..hmm.  as Alan DeKok said...deploy a new CA in advance
and then sign server with that new CA and put cert into place.  remember....when
such event happens it could be rather immediate...e.g. no one's keeping an eye on certs.
tuesday morning cert expires..client offline..everyone panics etc. plan needs
to be ready for such a time

alan
