HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users
John Dennis
jdennis at redhat.com
Wed Jul 15 22:10:29 CEST 2009
On 07/15/2009 01:08 PM, john wrote:
> So are the following correct?:
>
> (1) I can create a single cert for a computer and distribute it to all
> users who may use that computer
>
> (2) I can create a cert for every user and distribute it to every
> computer that a user logs into.
>
> (3) I cannot create a generic "computer cert" that authenticates the
> computer and opens the port?
Think long and hard about what you want authentication to accomplish
from a security standpoint, then worry about the implementation details.
Ask the question "Who are you authenticating?" or "What has permission
to use the network?" Am I trying to restrict access to a specific set of
users or am I trying to restrict access to a specific set of machines?
If it's the latter, does that mean anyone who sits down at that machine
has access?
In a very very simplified view a certificate is nothing more than a
password. Would you give the same password to every user? Would you put
that password on every machine?
What you're learning is that certificate management is complex and often
requires additional certificate management support.
If you want users to be authenticated no matter what machine they are
logging in from *and* you want to use certificates as opposed to
passwords, you essentially have two choices.
1) The user is in physical possession of the certificate, he carries it
from machine to machine. This is the smart card (i.e. token) solution.
To protect against theft or loss of the token the user has to unlock the
token using a password upon insertion of the token in the device.
2) The per user certificate is stored in a central location where only
the user can access it. Usually this requires OS support and another
layer of authentication.
If you want to do machine authentication then per machine certificates
must be generated and distributed (which is where your question began).
There is no easy secure way to do this for a large number of devices in
the absence of sophisticated certificate management software, this is
why certificate management software is a growth industry.
I'm not a Windows guy, but my understanding is that Microsoft offers
(expensive) solutions. In the Linux world you might consider DogTag
(http://pki.fedoraproject.org/wiki/PKI_Main_Page), this is the same
certificate management system used by the DoD (Dept of Defense) and
other high profile organizations which Red Hat has generously made
available as open source after its acquisition from Netscape.
Note that DogTag supports Auto-Enrollment Proxy (AEP) for Windows, which
allows users and computers in a Microsoft Windows domain to
automatically enroll for certificates issued from Certificate System.
Of course if you don't want to deal with the complexity of certificate
based authentication you could just use passwords. Passwords are much
less secure, but much simpler.
--
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/