Hi, On Wed, Jun 25, 2014 at 12:21:48PM +0100, Franks Andy (RLZ) IT Systems Engineer wrote:
Unfortunately we don't run an openssl / tinyca etc based CA, it's AD based and I have no control over that, and we also need to stick with TLS rather than another method of PEAP like mschapv2.
As you say you're AD based, just in case you didn't realise: if your clients are all Windows and joined to the domain, then CA management is automatic and they will have a client cert on them that you can just use to authenticate, so the domain manages that side for you and you don't need to worry about it. Of course, if some clients aren't domain joined then you do still have the cert deployment issue, which is the usual issue with EAP-TLS. As Alan said, you probably want to look at some other deployment system. FreeRADIUS isn't that. Remember you can still make an intermediate signing cert with e.g. OpenSSL, sign it with the domain CA, then use that to generate all certs for non-domain members, if you don't/can't use the AD cert services directly. Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>