Hi, On Thu, Jan 26, 2012 at 12:08:34AM +0000, McNutt, Justin M. wrote:
long story short, I was asked to find out what other people were doing.
Self-signed CA.
And just to be clear, is the concensus still that a self-signed CA is the way to go,
Self-signed CA - you have to distribute the CA cert to your clients. Nobody can set up a rogue network / AP with rogue RADIUS server without the client throwing up some sort of warning. Public CA - easier as you don't have to distribute the CA cert. You're open to spoofing attacks where someone can get another cert from the same CA and put it on a rogue RADIUS server. These days it seems anyone can get a public-CA certificate for any domain by just asking for it at the back door...
management wants more assurance than that, so here I am.
First is more secure, second is more convenient.
assuming that you have a decent way to distribute the CA cert (which we do) to the clients
If you can easily push the certs out, I'd go for the more secure self-singned certs, as the main objection to it seems to be pushing out the CA cert. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>