freeradius, samba, AD peap/mschap-v2 redundancy and Certificate
Hi, We are thinking of authenticate users via 802.1x/mschapv2 with freeradius, samba and Active Directory. Is the following a good redundancy design? If not, which one is better? radius1 1.1.1.1, radius2 2.2.2.2 Active Directory Domain Controllers 3.3.3.3 4.4.4.4 put 1.1.1.1 and 2.2.2.2 as primary/secondary radius server list in switch/AP/controllers. On radius1 krb5.conf kdc = 3.3.3.3 kdc = 4.4.4.4 smb.conf password server = 3.3.3.3, 4.4.4.4 On radius2 krb5.conf kdc = 4.4.4.4 kdc = 3.3.3.3 smb.conf password server = 4.4.4.4, 3.3.3.3 For certificate, do we need a server certificate for both radius1 and radius2 if we want supplicant to verify the server certificate? Thanks, Schilling
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 9/15/10 11:07 AM, schilling wrote:
For certificate, do we need a server certificate for both radius1 and radius2 if we want supplicant to verify the server certificate?
Just a note on this, you can get a single certificate with SANs (Subject Alternative Names), and use the same cert on both machines. It's sometimes cheaper to go this route. Also, you can add more SANs and get the CA to issue you a new cert. This also allows you to have your two production machines, and a test machine that use the same cert. That way you can test new configurations without having to worry about PKI issues. - -- Kevin Ehlers Network Engineer University of Oregon -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkyRDh4ACgkQ0l216NgIDrwtawCfYWUWwHQwqM/d1Pr40wL7sn2A UjUAniQqSI2tqzmTWVk0N/T6x5w3yx10 =Jncp -----END PGP SIGNATURE-----
Hi, seems okay
For certificate, do we need a server certificate for both radius1 and radius2 if we want supplicant to verify the server certificate?
you can use the same server certificate - so that the clients recognise them as the same - important if there is to be any failover.... have the CN to be eg radius.yourdomain alan
On 09/15/2010 02:21 PM, Alan Buxey wrote:
Hi,
seems okay
For certificate, do we need a server certificate for both radius1 and radius2 if we want supplicant to verify the server certificate?
you can use the same server certificate - so that the clients recognise them as the same - important if there is to be any failover.... have the CN to be eg radius.yourdomain
Depends upon how aggressive the client is about validating the cert. The libraries I'm familiar with will take the CN of the subject do a DNS lookup and see if it matches the ip address on the socket. In which case I wouldn't expect the above to work. As Kevin just suggested Subject Alt Names may be a better alternative. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
On 15/09/2010 19:43, John Dennis wrote:
On 09/15/2010 02:21 PM, Alan Buxey wrote:
Hi,
seems okay
For certificate, do we need a server certificate for both radius1 and radius2 if we want supplicant to verify the server certificate?
you can use the same server certificate - so that the clients recognise them as the same - important if there is to be any failover.... have the CN to be eg radius.yourdomain
Depends upon how aggressive the client is about validating the cert. The libraries I'm familiar with will take the CN of the subject do a DNS lookup and see if it matches the ip address on the socket. In which case I wouldn't expect the above to work.
Context folks! - You are authenticating your network connection, there is no DNS at this point... and even if there was the NAS doesn't "have an IP", it's an EAPoL transaction. Alan B is correct - use exactly the same certificate on the two servers. -James
Hi,
Depends upon how aggressive the client is about validating the cert. The libraries I'm familiar with will take the CN of the subject do a DNS lookup and see if it matches the ip address on the socket. In which case I wouldn't expect the above to work.
...tell me how exactly a host is going to do a DNS lookup when they have no IP connectivity to the network - this all happens during the EAP stage - so nothing more than EAPOL will be working for the client ;-) certificate tied to an IP address sounds like a very bad idea to me - its usually a name (or 'DNS entry' in web https world) - and the client validation is based on a very basic name check. alan
On 09/15/2010 02:07 PM, schilling wrote:
For certificate, do we need a server certificate for both radius1 and radius2 if we want supplicant to verify the server certificate?
yes, certificates bind a subject to a public key, in this case the subject is the ip address of your radius server. Since you'll be running the servers on two different machines for redundancy they will have different ip addresses, thus each needs it's own cert. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
participants (5)
-
Alan Buxey -
James J J Hooper -
John Dennis -
Kevin Ehlers -
schilling