Certificate push for eap-tls clients
Hi All, I've had a look around and couldn't find much information about how to do this, so thought I'd maybe try my luck here! In a demonstration of clearpass (Aruba radius product) one nice thing it did was send certificates direct to clients (or made a webpage available with a cert download link). Does anyone know whether this is possible in some way with a freeradius based radius system? Unfortunately we don't run an openssl / tinyca etc based CA, it's AD based and I have no control over that, and we also need to stick with TLS rather than another method of PEAP like mschapv2. I'm not aware of an exposed api, apart from the obvious web based, interactive one that exists with an MS CA. Anything else presumably couldn't be controlled via linux anyway.. Any ideas? Thanks Andy
Clearpass IIRC uses freeradius. .. however that's just for the authentication. They've spent a lot of time/effort/money doing the certificate management stuff (there's are other solutions eg cloudpath ES).... but otherwise you need to basically look at other free CA tools or write your own. eduroam CAT is eg a free tool that can create profiles for your users to download onto their client devices... alan -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Hi, On Wed, Jun 25, 2014 at 12:21:48PM +0100, Franks Andy (RLZ) IT Systems Engineer wrote:
Unfortunately we don't run an openssl / tinyca etc based CA, it's AD based and I have no control over that, and we also need to stick with TLS rather than another method of PEAP like mschapv2.
As you say you're AD based, just in case you didn't realise: if your clients are all Windows and joined to the domain, then CA management is automatic and they will have a client cert on them that you can just use to authenticate, so the domain manages that side for you and you don't need to worry about it. Of course, if some clients aren't domain joined then you do still have the cert deployment issue, which is the usual issue with EAP-TLS. As Alan said, you probably want to look at some other deployment system. FreeRADIUS isn't that. Remember you can still make an intermediate signing cert with e.g. OpenSSL, sign it with the domain CA, then use that to generate all certs for non-domain members, if you don't/can't use the AD cert services directly. Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (3)
-
Alan Buxey -
Franks Andy (RLZ) IT Systems Engineer -
Matthew Newton