On 01/02/2017 13:03, Brian Julin wrote:
Just a regular web certificate will work except for very old windows clients where a special attribute is needed... it is sometimes hard to get CAs to issue this attribute.
See:http://lists.freeradius.org/pipermail/freeradius-users/2006-October/013613.h...
"Microsoft specifies that certificates must have the "Enhanced Key Usage" attribute with the value "Server Authentication" (OID 1.3.6.1.5.5.7.3.1)" A free LetsEncrypt certificate has it - see below. I had no problems using this certificate with Windows 7 or Windows 10, nor OSX, although the three-month lifetime means frequent renewals. The problem is if you ever let Linux or Android users near your network, they will only connect in an insecure way, at least with EAP-PEAP/MSCHAP. I did wonder about making FreeRADIUS keep track of the client MAC addresses it's seen. The first time it sees a new MAC address, it *intentionally* returns a bad certificate, and if authentication completes successfully, it puts the user into a different VLAN so they can be isolated. However if the client aborts the authentication exchange a couple of times, the server marks the MAC address as good and then starts using the correct certificate, and returns the correct VLAN. It would be an interesting project, but I don't have time to implement it :-) Regards, Brian. # cd /etc/letsencrypt/live/<snip>.com # openssl x509 -in cert.pem -noout -text ... X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:FALSE ... Authority Information Access: OCSP - URI:http://ocsp.int-x3.letsencrypt.org/ CA Issuers - URI:http://cert.int-x3.letsencrypt.org/ ... X509v3 Certificate Policies: Policy: 2.23.140.1.2.1 Policy: 1.3.6.1.4.1.44947.1.1.1 CPS: http://cps.letsencrypt.org User Notice: Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/