WPA Certificate Question

Mike Diggins mike.diggins at mcmaster.ca
Sun Jan 31 06:09:34 CET 2010


On Sun, 31 Jan 2010, Peter Lambrechtsen wrote:

> On 31/01/2010, at 11:59 AM, Mike Diggins <mike.diggins at mcmaster.ca> 
> wrote:
>
>>
>> I was able to get freeradius 2.1.3 and wireless WPA working, likely
>> due to the fact that FreeRadius was mostly configured for me
>> (thanks ;) ). I’m a little confused about the certificate that is
>> required in the process, and what the relationship is with the client,
>> the Wireless Controller and the FreeRadius server. The README file
>> states:
>>
>> “In general, you should use self-signed certificates for 802.1x (EAP)
>> authentication.”
>>
>> Why self signed versus CA signed? Ideally I would like my clients to 
>> not be questioned about the certificate at all. Is that even 
>> possible with WPA? If I purchase a CA signed cert, would that 
>> eliminate the requirement on the client to acknowledge the 
>> certificate or import it?
>
> It would also mean that anyone could go to the same CA, get a client 
> certificate and would be able to log in to your wireless network. Not
> really ideal IMHO ;)
>
> Hence why controlling your own CA, and managing the CRL or OCSP is the 
> only way to go if you want to properly maintain control over your 
> wireless or 802.1x wired network.
>
> Minting certificates is pretty trivial depending on the CA software you
> are using and importing a CA into every workstation is also easy using 
> the numerous tools available.
>
> My preference is to use the "rootsupd" package and extract that out 
> and update the p7b with your own ca. Then get everyone to run that, or 
> use software distribution to get it out enterprise wide.
>

But I don't plan on distributing client certificates for authentication. I 
intend for them to log in with a username and password checked against my
Radius server, so I'm not sure what role the certificate plays in that 
process?

-Mike


More information about the Freeradius-Users mailing list