reuse EAP-TLS client certificiate
Greetings, I've done a quick google and scan of the FR user mailing list archives and did not find a definitive answer to the following: With EAP-TLS, can one reuse the same client cert across multiple devices? I'm guessing "yes", but would appreciate confirmation. Tangentially, is there a way to "pin" a certificate to a client's MAC address? Thanks! -m
On Wed, Sep 09, 2015 at 10:43:34AM -0500, Matt Zagrabelny wrote:
With EAP-TLS, can one reuse the same client cert across multiple devices?
I'm guessing "yes", but would appreciate confirmation.
Yes, FR doesn't care about where the certificate from, only that it's valid. But then when you need to remove one client from the network, you revoke its certificate and... ...so no, it's not a good idea for several reasons.
Tangentially, is there a way to "pin" a certificate to a client's MAC address?
Yes, with grand illusions of security that don't exist. Until a recent O/S comes along and starts using random MAC addresses, that is. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 9 Sep 2015, at 16:51, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Wed, Sep 09, 2015 at 10:43:34AM -0500, Matt Zagrabelny wrote:
With EAP-TLS, can one reuse the same client cert across multiple devices?
I'm guessing "yes", but would appreciate confirmation.
Yes, FR doesn't care about where the certificate from, only that it's valid.
But then when you need to remove one client from the network, you revoke its certificate and...
...so no, it's not a good idea for several reasons.
Tangentially, is there a way to "pin" a certificate to a client's MAC address?
Yes, with grand illusions of security that don't exist. Until a recent O/S comes along and starts using random MAC addresses, that is.
Ahhh every time I read about it, I start clapping gleefully and making te-he-he noises. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 9 Sep 2015, at 17:38, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 9 Sep 2015, at 16:51, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Wed, Sep 09, 2015 at 10:43:34AM -0500, Matt Zagrabelny wrote:
With EAP-TLS, can one reuse the same client cert across multiple devices?
I'm guessing "yes", but would appreciate confirmation.
Yes, FR doesn't care about where the certificate from, only that it's valid.
But then when you need to remove one client from the network, you revoke its certificate and...
...so no, it's not a good idea for several reasons.
Tangentially, is there a way to "pin" a certificate to a client's MAC address?
Yes, with grand illusions of security that don't exist. Until a recent O/S comes along and starts using random MAC addresses, that is.
Ahhh every time I read about it, I start clapping gleefully and making te-he-he noises.
Actually it's more of a Muttley - shhshshh Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (3)
-
Arran Cudbard-Bell -
Matt Zagrabelny -
Matthew Newton