I'm reading: http://deployingradius.com/documents/configuration/certificates.html It mentions, "You need to edit client.cnf only if you are using EAP-TLS. If not, then that file can be left as-is." Though it doesn't say, I'm assuming i need to edit the [req] and [client] sections? For the [client] section, do I need an entry for every unique client I plan on deploying a certificate to? I'm asking because I don't understand the emailAddress and commonName fields in this context. Finally, is there any documentation on how to scale this solution up to support 15k-20k users? I'm hoping something like LDAP or RDBMS is an option? -- Munroe Sollog (He/Him/His) Network Architect munroe@lehigh.edu
On Oct 8, 2021, at 10:41 AM, Munroe Sollog <mus3@lehigh.edu> wrote:
I'm reading: http://deployingradius.com/documents/configuration/certificates.html
It mentions,
"You need to edit client.cnf only if you are using EAP-TLS. If not, then that file can be left as-is."
Though it doesn't say, I'm assuming i need to edit the [req] and [client] sections? For the [client] section, do I need an entry for every unique client I plan on deploying a certificate to? I'm asking because I don't understand the emailAddress and commonName fields in this context.
The email address and common name fields are pretty descriptive. Every client certificate needs to be unique. The best way to do this is to give them unique names.
Finally, is there any documentation on how to scale this solution up to support 15k-20k users? I'm hoping something like LDAP or RDBMS is an option?
To do what? The server doesn't need to store the client certificates. So any DB is not relevant here. What would you store in the DB? Alan DeKok.
You're right. I was conflating the role of freeradius and the role of storing the certificates for distribution to the end users. On Fri, Oct 8, 2021 at 11:47 AM Alan DeKok <aland@deployingradius.com> wrote:
On Oct 8, 2021, at 10:41 AM, Munroe Sollog <mus3@lehigh.edu> wrote:
I'm reading: http://deployingradius.com/documents/configuration/certificates.html
It mentions,
"You need to edit client.cnf only if you are using EAP-TLS. If not, then that file can be left as-is."
Though it doesn't say, I'm assuming i need to edit the [req] and [client] sections? For the [client] section, do I need an entry for every unique client I plan on deploying a certificate to? I'm asking because I don't understand the emailAddress and commonName fields in this context.
The email address and common name fields are pretty descriptive.
Every client certificate needs to be unique. The best way to do this is to give them unique names.
Finally, is there any documentation on how to scale this solution up to support 15k-20k users? I'm hoping something like LDAP or RDBMS is an option?
To do what?
The server doesn't need to store the client certificates. So any DB is not relevant here.
What would you store in the DB?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Munroe Sollog (He/Him/His) Network Architect munroe@lehigh.edu
participants (2)
-
Alan DeKok -
Munroe Sollog