understanding

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Fri Mar 30 13:55:32 CEST 2012


Hi,

> We don't want to install certificates on the clients, but the problem

in that case, just get your RADIUS server cert signed by a CA that is already
on the clients....something like Thawte, Verisign etc., i.e. spend some money.

if you don't want to spend some money, use your own self-signed CA (closed-loop
authentication) and use a client deployment tool to get the CA onto the systems
(this is trivial with GPO in an Active Directory controlled domain).


think of the RADIUS server cert like that for an online bank.


when you go to an online bank web site, the HTTPS is via a known certificate that
your client trusts....and DNS can be used to map the name requested to an IP
address....and the name of the server matches your request and the certificate
name matches the DNS entry. you can even use DNSSEC to ensure that the IP you
got was handed out by the domain you wanted...  all good.

with RADIUS there is no layer 3 activity etc. for the client...no DNS available etc.
so you can only take what you are given by the RADIUS server...and then match that
to your local rules/settings - so, you verify the server cert, verify the CN
you were given...and finally, verify the CA that sent that cert.

> used for the active directory. So is it only secure to connect to the AD
> when checking the certificates? Or is there another possibility to make
> it secure without installing certificates? 

you can connect to the AD when checking the cert or when not checking the cert.
if you do the former, then you are secure... if you don't check the CA then why even
bother with 802.1X or security at all - you are leaving your network wide open to attack
and abuse... I'll set up a rogue AP and just harvest people's credentials...which I'll
then use to access all the bits I need (there are live CD distros with such tools ready
to go using the internal wireless card on a laptop).  - of course, when I say I'll set up, that's
hypothetical...I have better things to do ;-)


alan
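
The three checks Alan lists (verify the server cert, verify the name you were given, verify the CA), as an added example that is not part of the original post or of FreeRADIUS: a POSIX shell script using the openssl CLI to build a private closed-loop CA, then apply the supplicant-side checks to a genuine server cert, to a cert from the same CA issued for another host, and to a rogue AP cert that carries the right name but is signed by an unrelated CA. Only the pinned CA file and the configured name decide; no DNS is consulted. The names example.org, radius.example.org, the CA names and the wpa_supplicant values are assumptions invented for this example.

```shell
#!/bin/sh
# Added example, not from the list post or FreeRADIUS: closed-loop RADIUS
# server certificate checks with the openssl CLI, mirroring what a
# supplicant does when a CA file and an expected server name are pinned.
# All names below (example.org, radius.example.org, CA names) are assumptions.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Create a private CA named $1 with subject CN=$2 (the "self-signed CA"
# of the post). Self-signing via x509 -req with an explicit extension
# file avoids depending on any openssl.cnf v3_ca section.
make_ca() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/$1.ext"
  openssl x509 -req -sha256 -days 3650 -in "$WORK/$1.csr" \
    -signkey "$WORK/$1.key" -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a server cert with CN=$1, signed by CA $2, stored as $WORK/$3.{key,pem}.
# A matching dNSName SAN and serverAuth EKU are added, as a real server cert has.
issue_cert() {
  cn="$1"; ca="$2"; name="$3"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$cn" \
    > "$WORK/$name.ext"
  openssl x509 -req -sha256 -days 825 -in "$WORK/$name.csr" \
    -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

# Constructed test PKI: one CA we pin, one CA an attacker controls.
make_pki() {
  make_ca ca "Example Org Private CA"          # the CA the clients get via GPO
  make_ca rogueca "Rogue AP CA"                # the rogue AP operator's own CA
  issue_cert radius.example.org ca      server     # the real RADIUS server
  issue_cert www.example.org    ca      wrongname  # same CA, a different host
  issue_cert radius.example.org rogueca rogue      # right name, wrong CA
}

# Supplicant-side checks: $1 = cert presented in the EAP tunnel setup,
# $2 = pinned CA file, $3 = configured server name. Returns 0 only if
# the cert chains to the pinned CA (and is in its validity period) AND
# its subject CN equals the configured name.
verify_radius_cert() {
  cert="$1"; cafile="$2"; expected="$3"
  # 1. chain and validity against the pinned CA only, never the OS store:
  #    the rogue AP's cert fails here whatever name it carries
  if ! openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
    echo "REJECT $cert: not issued by the pinned CA (or outside validity)"; return 1
  fi
  # 2. the name must equal what the client was configured with: a valid
  #    cert from the same CA for another host must still be rejected
  subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" \
            | sed 's/^subject= *//')
  case ",$subject," in
    *",CN=$expected,"*) ;;
    *) echo "REJECT $cert: subject '$subject' is not CN=$expected"; return 1 ;;
  esac
  echo "ACCEPT $cert: pinned CA and CN=$expected"
}

# The matching wpa_supplicant network block (values are assumptions):
# ca_cert pins the private CA, domain_match pins the server name. Leaving
# ca_cert out is the "don't check the CA" case the post warns about.
print_supplicant_block() {
  cat <<EOF
network={
    ssid="example-corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="changeme"
    ca_cert="/etc/wpa_supplicant/example-org-ca.pem"
    domain_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}
EOF
}

make_pki
verify_radius_cert "$WORK/server.pem"    "$WORK/ca.pem" radius.example.org || true
verify_radius_cert "$WORK/wrongname.pem" "$WORK/ca.pem" radius.example.org || true
verify_radius_cert "$WORK/rogue.pem"     "$WORK/ca.pem" radius.example.org || true
print_supplicant_block
```

Running it prints one ACCEPT line for server.pem and REJECT lines for the other two: the rogue AP fails the CA check even though it chose the right CN, and the www host fails the name check even though the pinned CA signed it. Dropping either check is what lets a rogue AP harvest credentials.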


More information about the Freeradius-Users mailing list