Distributing Certificates

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Fri Jan 6 22:37:42 CET 2012


Hi,
> I don't have any particular desire to use certificates; thus far in testing mode I have been using PEAP and just ignoring the warning that tells me there is a certificate on the server that doesn't match.  I assumed in deployment I would have to install certificates so the users wouldn't be confused when they saw that message.  I thought that FreeRADIUS had to have certificates set up even if they were just example ones.  radiusd -X runs bootstrap, which creates example certificates automatically.  This led me to believe that certificates were somehow integral to 802.1X.  Is that not the case?  If so, how can you take certificates completely out of the equation?

There are 2 ways of using certs:

1) using them for authentication (e.g. EAP-TLS)

2) using them to validate that the RADIUS server is the one you really want to be talking to


I guess you want the latter - in this case, you need to either have a RADIUS server signed
by a CA that is present already in the OS (e.g. signed by one of the well known names) or
you need to put the CA onto your client.

Either way, the client really should be configured (in its 802.1X settings) to validate
the RADIUS server 'name' (via the Common Name in the RADIUS server cert) and the CA.

There can be a whole advocacy thread about whether to go for a self-signed cert and local
CA or to go with known CAs - there's pros and cons in both ways....with your OWN CA
you can decide the length of time the CA and cert are valid for...you control the CA
and no one can pay to get a server signed by your CA - unless you've got major internal
corruption issues ;-)  - but you've got to get it deployed.   If you choose a known CA...
well, anyone can get a cert signed by a known CA if they pay the money....so you REALLY
need to check the CN of the RADIUS server... you are also a slave to the CA and its reputation..
Until recently that wasn't too bad, but with the couple of Dutch CAs that have been removed
from OSes..that could have been quite awkward if they'd signed your server cert...

alan
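As an added illustration of the client-side setting Alan describes (this is not part of the original message, and the SSID, identity, file path and server name are assumed values), here are two wpa_supplicant.conf network blocks for the same PEAP network. The first is the "ignore the warning" configuration; the second pins both the CA and the RADIUS server name:

```conf
# Added example, not from the original post. SSID, identity, password, CA path
# and server name are placeholders.

# WEAK: no ca_cert and no name check. The supplicant will open a TLS tunnel to
# any RADIUS server presenting any certificate, which is exactly the warning the
# original poster was clicking through.
network={
    ssid="example-corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="s3cret"
    phase2="auth=MSCHAPV2"
}

# HARDENED: validate the server chain against a known CA (your own CA, or the
# public CA that signed the server cert) AND require the expected server name.
network={
    ssid="example-corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="s3cret"
    phase2="auth=MSCHAPV2"
    # CA that must have signed the RADIUS server certificate
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    # Full name that the server cert's dNSName SAN (or, failing that, its
    # subject CN) must equal; this is the "check the CN" step from the post
    domain_match="radius.example.com"
}
```

The `domain_match` line is the part that matters when a public CA is used: the CA check alone only proves that somebody paid for a certificate, and the name check is what ties the tunnel to your server. The Windows PEAP dialog exposes the same two controls as "Validate server certificate" (with the trusted root CA ticked) and "Connect to these servers".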



More information about the Freeradius-Users mailing list