On Thu, Sep 24, 2015 at 08:19:31AM +0000, A.L.M.Buxey@lboro.ac.uk wrote:
my first advice to you is to upgrade - 2.1.12 is *old*. seriously old. it came out in sept 2011 and is no longer maintained. If you go to CentOS 7 you'll get 2.2.x (but once again, you really should be using version 3 now)
Is there any issue you can think of using 3.0.9 on CentOS 6? I don't mind building it from source if the infrastructure will support it.
Mac clients can no longer have 802.1X config done manually in the network config section - they need to be configured using a .mobileconfig file
Alright. Thanks. I'll look at this.
the commonname of the cert is its CN as per the output of
openssl x509 -in server.pem -text -noout
Oh, I know this part, but I'm wondering how the CN is *used*. Specifically, is my FreeRADIUS server sending something that has to match the cert? If my server is foo.bar.com, does it actually send its hostname to the client that's trying to connect? The examples I've found so far have CNs that are more or less freeform, quoted strings. Related, my goal once I've worked out the details is to have a small cluster of these. I can load-balance between them but I was thinking more of having a freestanding pool. If FreeRADIUS is sending its hostname for matching this would be problematic done through a load balancer, and if I'm not doing it through a load balancer it seems like I'd need one certificate per FreeRADIUS server, rather than having a shared cert for the role, especially if I can't use wildcards. Maybe the local CA option will be best here. I'll explore it. Knowing how the CN is used between the client and server would be great, though. In this case, it's assumed that the clients won't have other access to the network until they authenticate and connect through the WAPs and FreeRADIUS.
well, you need the xpextensions for sure.... but you also need the root CA to be known and trusted by the device...
The DigiCert CA certificate was known by the Macs already, but I'll look at the provisioning mechanism(s) you described to see if there was something there.
*however* if you are doing things with a configuration tool, then local CA issue for ease of use goes...its configured for the user AND secure.
This sounds more and more appealing the more I think about it. Thanks for the help thus far! I'll write back more if I get stumped by other things, but for now I'm going to try to get 3.0.9 on my EL6 test box and look at the provisioning situation. -- Mason Loring Bliss mason@blisses.org Ewige Blumenkraft! awake ? sleep : random() & 2 ? dream : sleep; -- Hamlet, Act III, Scene I