PEAP using different CA?

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Jul 10 14:51:39 CEST 2013


On 10 Jul 2013, at 13:38, Alan DeKok <aland at deployingradius.com> wrote:

> Fernando Hammerli wrote:
>> To avoid the need of installing our CA certificate on every Windows
>> machine, we'll buy the server certificate from a public CA.
>> Can Freeradius allow me to have both methods at the same time, ie, the
>> PEAP with the public CA and certificate users with our 'self-signed' CA?
> 
>  Just put both CAs in the directory pointed to by CA_path.
> 
>  And using a public CA is usually not a good idea.  It means that your
> users will trust *any* certificate signed by that CA, not just your
> certificate.

Well that's not strictly true. Most supplicants support specifying the CN of the certificate presented, but yes, it's still better to use your own CA and deploy it as part of enrolment. There is absolutely no security advantage to using a commercial CA, and several disadvantages.

If this is a usability issue, I recommend you look at dissolvable setup clients like cloudpath, or investigate the various certificate/settings bundles that things like iPhones support.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
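
The server-name check discussed in this thread, as an added example that is not part of the original messages: two wpa_supplicant network blocks (wpa_supplicant is chosen here as one common supplicant, which is an assumption) that trust a public CA without and with a name constraint. The SSID, identity, CA file path and server name are placeholders.

```conf
# Added example, not from the thread. All values are placeholders.

# Weak: any server certificate issued by this public CA is accepted,
# so anyone holding a certificate from the same CA can pose as the
# RADIUS server during PEAP.
network={
    ssid="example-corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    ca_cert="/etc/ssl/certs/public-ca.pem"
    phase2="auth=MSCHAPV2"
}

# Pinned: same CA, but the server certificate must also carry a
# matching name. domain_suffix_match is compared against the
# certificate's dNSName subjectAltName entries, and against the
# subject CN only when no dNSName is present.
network={
    ssid="example-corp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    ca_cert="/etc/ssl/certs/public-ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}
```

With a private CA deployed at enrolment, `ca_cert` would point at that CA instead, and the name constraint is still worth keeping.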
