On Jun 23, 2015, at 10:37 AM, Jochen Demmer <jochen.demmer@peakwork.com> wrote:
Hi,
I want to move away from PSK and use 802.1x in the future for our wireless clients.
- 2 CentOS 7 Servers with Freeradius from repo, currently version: 3.0.4 - User Backend shall be OpenLDAP with passwords hashed in SSHA (inetOrgPerson/posixAccount) - Clients: Android 3,x or 4,x or bigger, iOS 7+, Windows 7+ but mainly 7 - Within our self-managed CA we will create a certificate that every client will get manually installed - We prefer credential based authentication over certificate based client authentication
questions 1) A colleague mentioned that we would have a problem with connecting to LDAP, because the passwords stored there are SSHA and he also said that only unencrypted/unhashed passwords will do or NTLM. What road do we need to choose when it comes to authentication methods.
With the common EAP methods you're limited to EAP-TTLS-PAP if using SSHA.
2) What do I have to consider when choosing the common name for the certificate?
Not sure what you mean by that... I've always used the full name of the employee, and encoded their email address in the certificate as a more unique identifier. -Arran