WPA Certificate Question

Chris cjl at viptalk.net
Sun Jan 31 04:07:28 CET 2010


On Jan 30, 2010, at 6:39 PM, Peter Lambrechtsen wrote:

> On 31/01/2010, at 11:59 AM, Mike Diggins <mike.diggins at mcmaster.ca> wrote:
> 
>> 
>> I was able to get freeradius 2.1.3 and wireless WPA working, likely due to the fact that FreeRadius was mostly configured for me (thanks ;) ). I’m a little confused about the certificate that is required in the process, and what the relationship is with the client, the Wireless Controller and the FreeRadius server.  The README file states:
>> 
>> “ In general, you should use self-signed certificates for 802.1x (EAP) authentication.”
>> 
>> Why self signed versus CA signed? Ideally I would like my clients to not be questioned about the certificate at all. Is that even possible with WPA? If I purchase a CA signed cert, would that eliminate the requirement on the client to acknowledge the certificate or import it?
> 
> It would also mean that anyone could go to the same CA, get a client certificate and would be able to login to your wireless network. Not really ideal IMHO ;)
> 
> Hence controlling your own CA, and managing the CRL or OCSP, is the only way to go if you want to properly maintain control over your wireless or 802.1x wired network.
> 
> Minting certificates is pretty trivial depending on the CA software you are using, and importing a CA into every workstation is also easy using the numerous tools available.
> 
> My preference is to use the "rootsupd" package and extract that out and update the p7b with your own ca. Then get everyone to run that, or use software distribution to get it out enterprise wide.

Except that asking users to use one certificate is hard enough.  Expecting them to use one for WPA, one for email, etc just makes things worse.

It'd be nice to filter acceptable certificates by, say, regexp on the rfc822Name.

Accept certificate if:

It is signed by our chosen CA and the rfc822Name =~ /.*@ourdomain.com$/

StartCOM Class 2 puts the "organizer's" full name in the CN attribute.  That's already built into the eap filtering capabilities, if I understand things correctly.
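The acceptance rule sketched above (chain must end at our own CA, and the rfc822Name SAN must be in our domain), worked through as an added example. This is not code from the list post or from FreeRADIUS; it is stand-alone Go using only the standard library, mints its own throwaway CA and client certificates in memory, and assumes the domain `ourdomain.com` from the post. The CA names and e-mail addresses are constructed for the demonstration. It also exercises the case Peter raised: a certificate with a matching address but issued by some other CA is rejected, because the issuer check runs before the name check. Note two caveats on the regexp as written in the post: the dot must be escaped and the local part anchored, otherwise `x@ourdomainXcom` or a crafted name could slip through.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// allowedEmail: domain assumed from the post. Dot escaped, local part
// anchored, domain compared case-insensitively (mail domains are).
var allowedEmail = regexp.MustCompile(`(?i)^[^@\s]+@ourdomain\.com$`)

// newCA builds a self-signed CA in memory (constructed for the example).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueClientCert mints an EAP-TLS style client cert signed by ca, carrying
// the user's address as an rfc822Name subjectAltName.
func issueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, email string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   serial,
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email}, // becomes the rfc822Name SAN
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// acceptClientCert is the rule from the post: accept only if the chain
// terminates at ourCA AND some rfc822Name SAN is in our domain. The issuer
// check comes first, so a matching address on a cert from any other CA is
// rejected before the name is even looked at.
func acceptClientCert(ourCA, cert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ourCA)
	opts := x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("not issued by our CA: %w", err)
	}
	// Only SAN rfc822Name entries are consulted; a matching CN alone (the
	// StartCom-style layout) does not satisfy this rule.
	for _, e := range cert.EmailAddresses {
		if allowedEmail.MatchString(e) {
			return nil
		}
	}
	return errors.New("no rfc822Name SAN in our domain")
}

func main() {
	ca, caKey, _ := newCA("Our Wireless CA")
	other, otherKey, _ := newCA("Some Public CA")
	good, _ := issueClientCert(ca, caKey, "alice@ourdomain.com")
	foreign, _ := issueClientCert(ca, caKey, "mallory@example.net")
	outsider, _ := issueClientCert(other, otherKey, "bob@ourdomain.com")
	fmt.Println("our CA, our domain:   ", acceptClientCert(ca, good))
	fmt.Println("our CA, other domain: ", acceptClientCert(ca, foreign))
	fmt.Println("other CA, our domain: ", acceptClientCert(ca, outsider))
}
```

In a real deployment the same two checks would live in the RADIUS server's EAP-TLS certificate verification step rather than in a separate program; the point of the example is the order of the checks and the shape of the regexp, not the plumbing.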



More information about the Freeradius-Users mailing list