I know the docs also say that it is not best practices to use a publicly signed cart because ANYONE can auth against the server, however since I am in a position where almost all of the computers will NOT be managed by our staff (they are student workstations) a public cert seems perfect.
It's not a good idea because anyone can pretend to be the server, too.
Hmmm. I hadn't thought of that attack vector, kind of like a man-in-the-middle attack, but isn't that what the private key is for, to prevent just that? Jake Sallee Godfather Of Bandwidth Network Engineer Fone: 254-295-4658 Phax: 254-295-4221 -----Original Message----- From: freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Thursday, January 20, 2011 1:13 PM To: FreeRadius users mailing list Subject: Re: Generating a Microsoft compatible CSR for FreeRADIUS Sallee, Stephen (Jake) wrote:
The documentation mentions special OID’s that need to be present for MS machines to accept the cert, but I can’t find WHAT those OID’s are so I can make sure I include them in the CSR.
See the files in raddb/certs, or read eap.conf. It's all there.
I know the docs also say that it is not best practices to use a publicly signed cart because ANYONE can auth against the server, however since I am in a position where almost all of the computers will NOT be managed by our staff (they are student workstations) a public cert seems perfect.
It's not a good idea because anyone can pretend to be the server, too.
If anyone has another route that will allow me to auth windows clients without having to manually install certs and/or manually configuring the wireless adapters I would be very grateful to hear your suggestions.
Not much. Blame Microsoft for not making it easy. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html