Greets - I've just recently returned back to the 'ol-RADIUS-game' and was pleasantly surprised to see how much easier it has become. I was able to accelerate through PAP/MD5/LEAP and for the past week have been dancing around full-on EAP-TLS for wireless supplicants, and am happy to be successful. I built our certs using OpenSSL, and have a variety of sup's to deploy, including ipads and windows devices. It dawned on me just now that some of the ipads would like to actually roam amongst different server setups - completely different physical networks, which could be accommodated with different SSIDs and certs, just load them all onto the ipads and go. That seems to be a little bit of a headache to scale up to larger numbers. We did try to anticipate this to some extent as our current wifi setup is a single SSID for all of our wifi networks, regardless of their physical location (spanning different cities even), but we were using WPA2/PSK, so it was pretty easy to administer. I would love to maintain that "walk-and-go" ability that a single SSID and PSK combo gave us. With the certificates, however, they get locked to a common name for installation, and I have traditionally always used the server name for that. For a lot of reasons, the server names are different site to site, so using the server names for common names in the certificates results in many certificates. ie: site01-s1, site02-s1, site03-s1....... Can I use a single common name (ie. myglobalsites) for the certificate set across my entire domain, and simply copy the entire set, (ca/pem/der/p12) from site to site? Does openssl and freeradius together use any hardware info (CPU serial, resolved ip addr, etc) that would cause a copied cert to crash? I am aware of "Cert builder apps" as well as traditional (verisign) SSL-certs that are built off-site that would have no idea of my actual hardware config, so my understanding is that this would work. However I have not used the standalone apps for building, only openssl on the host machine (and prior to this just for VPN security, which was pretty straightforward). I realize this may be a little more openssl-oriented than freeradius specifically, however I'm curious if anyone has experience with the process having a specific relationship or change to freeradius. Thanks in advance! Regards, Ted.
On Fri, May 06, 2016 at 03:59:45PM -0400, Ted Hyde wrote:
Can I use a single common name (ie. myglobalsites) for the certificate set across my entire domain, and simply copy the entire set, (ca/pem/der/p12) from site to site? Does openssl and freeradius together use any hardware info (CPU serial, resolved ip addr, etc) that would cause a copied cert to crash?
Same server cert across multiple servers is fine. The client doesn't see anything about the server when it connects to an SSID apart from the certificate, so it has no idea which particular server the response came from. Unlike HTTPS etc there's no existing network connection and therefore no DNS, so it can't even check that the "hostname" it's connecting to is the same as the cert name returned. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (2)
-
Matthew Newton -
Ted Hyde